standardize workflows for build-resources v4 #340

Merged
docktermj merged 1 commit into main from skern-workflow-standardize
Feb 17, 2026
@kernelsam

Summary

  • Rename reusable workflow secret keys for build-resources v4
  • Replace .outputs.job-status with .result
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all build-resources workflow refs to @v4
  • Standardize dependabot config (cooldown, groups, assignees)
  • Add kernelsam and cooldown to cspell dictionary

@kernelsam kernelsam requested review from a team as code owners February 16, 2026 22:11
@kernelsam kernelsam self-assigned this Feb 16, 2026
@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from 6725736 to d1c0c26 Compare February 16, 2026 22:33
@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from d1c0c26 to 05cf505 Compare February 16, 2026 22:44
@github-actions

🤖 Claude Code Review

Code Review: Standardize workflows for build-resources v4

Summary

This PR upgrades workflow references from v3 to v4 and standardizes YAML formatting and secret naming conventions. The changes are primarily configuration updates to GitHub Actions workflows.


Review Checklist Results

Code Quality

Code follows style guide

  • All YAML files follow proper YAML formatting conventions
  • Consistent use of quotes for string values
  • Proper indentation throughout
  • The .github/dependabot.yml file now includes proper YAML document marker (---) at the top, which is a best practice

No commented-out code

  • No commented-out code found in the changes
  • Old comment in .github/dependabot.yml was properly removed

Meaningful variable names

  • Secret names have been standardized for better clarity:
    • SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN (used with standardized name)
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN (used with standardized name)
    • SENZING_MEMBERS → MEMBERS (used with standardized name)
  • All workflow references are consistent and meaningful

DRY principle followed

  • Changes are systematic and follow the same pattern across all workflow files
  • Reusable workflows are properly referenced

Identify Defects

  • Minor issue in .github/dependabot.yml:9-10: The exclude configuration is placed under cooldown, but according to Dependabot documentation, there is no exclude option under cooldown. This configuration will likely be ignored. If the intention is to exclude certain dependencies, this should be configured differently (e.g., using ignore at the package level).

Project memory configuration (./.claude/CLAUDE.md)

  • Reviewed the CLAUDE.md file - it contains general project guidance suitable for any developer
  • No local environment-specific configurations detected
  • Appropriate for version control

Testing

Unit tests for new functions

  • N/A - No new functions added (configuration changes only)

Integration tests for new endpoints

  • N/A - No new endpoints added

Edge cases covered

  • N/A - Configuration changes only

Test coverage > 80%

  • N/A - No code changes affecting coverage

Documentation

Readme updated if needed

  • N/A - Changes are internal workflow updates, no README update needed

API docs updated

  • N/A - No API changes

Inline comments for complex logic

  • N/A - YAML workflow files are self-documenting

CHANGELOG.md updated

  • CHANGELOG.md does not appear to be updated with these workflow changes
  • Location: Root of repository
  • Recommendation: Add entry documenting the upgrade to build-resources v4 and secret naming standardization

Markdown files follow CommonMark specification

  • No markdown files were modified in this PR
  • Existing YAML files are properly formatted with no extra whitespace

Security

No hardcoded credentials

  • All secrets are properly referenced using GitHub Actions secret syntax
  • No hardcoded values detected

Input validation implemented

  • N/A - Workflow configuration changes only

Proper error handling

  • Workflow conditional logic properly handles job failures
  • Slack notifications correctly trigger on failure/cancellation states
  • Fixed inconsistency: Changed from needs.*.outputs.job-status to needs.*.result which is the correct GitHub Actions syntax

No sensitive data in logs

  • Secrets are properly masked by GitHub Actions

No license files (.lic) or license keys

  • No .lic files or strings starting with AQAAAD detected in the changes

Detailed Findings

Improvements in this PR:

  1. Consistent workflow versioning (.github/workflows/*.yaml): All workflow references upgraded from @v3 to @v4 consistently across 13 workflow files

  2. Standardized secret naming (.github/workflows/*.yaml):

    • More concise secret names in reusable workflow calls
    • Added SLACK_CHANNEL secret where missing
  3. Improved job status checking (.github/workflows/*.yaml):

    • Changed from needs.*.outputs.job-status to needs.*.result (lines vary by file)
    • This is the correct GitHub Actions syntax for checking job results
  4. Enhanced dependabot configuration (.github/dependabot.yml:5-15):

    • Added assignee (kernelsam)
    • Added grouping for senzing-factory/* dependencies
    • Improved YAML formatting with consistent quoting
  5. Proper YAML formatting (.github/dependabot.yml:1):

    • Added YAML document marker (---)
    • Consistent string quoting throughout
  6. Updated permissions (.github/workflows/lint-workflows.yaml:18):

    • Changed pull-requests: read to pull-requests: write
    • Likely required by v4 of the workflow

Issues to Address:

  1. ❌ CRITICAL - Invalid Dependabot configuration (.github/dependabot.yml:9-10):

    cooldown:
      default-days: 21
      exclude:                    # ← This is not a valid option under cooldown
        - "senzing-factory/*"

    The exclude key is not a valid option under cooldown in Dependabot configuration. This needs to be corrected.

  2. ❌ Missing CHANGELOG.md update:

    • No entry added documenting these workflow changes
  3. Potential question (.github/dependabot.yml:12-15):

    • The grouping configuration creates a senzing-factory group, but the cooldown has an exclude (invalid) that references the same pattern
    • The intent may be to group these updates together, which is what the groups section does
    • The invalid exclude should likely be removed

Recommendations

  1. Fix the Dependabot configuration: Remove the invalid exclude under cooldown at .github/dependabot.yml:9-10

  2. Update CHANGELOG.md: Add an entry documenting:

    • Upgrade to build-resources v4
    • Standardization of secret naming
    • Enhanced dependabot configuration with grouping
  3. Verify workflow functionality: After merging, monitor the first few workflow runs to ensure the v4 workflows and new secret names work as expected


Overall Assessment

Status: ✅ Approved with minor fixes recommended

This is a solid infrastructure upgrade that standardizes the workflow configuration and upgrades to newer reusable workflow versions. The changes are systematic and consistent across all files. The main issue is the invalid exclude configuration in the Dependabot file, which should be removed since it will be ignored anyway. The missing CHANGELOG update should also be addressed.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj merged commit 03a72e9 into main Feb 17, 2026
41 checks passed
@docktermj docktermj deleted the skern-workflow-standardize branch February 17, 2026 13:16