Skip to content

Comments

standardize workflows for build-resources v4#545

Merged
docktermj merged 2 commits intomainfrom
skern-workflow-standardize
Feb 17, 2026
Merged

standardize workflows for build-resources v4#545
docktermj merged 2 commits intomainfrom
skern-workflow-standardize

Conversation

@kernelsam
Copy link
Contributor

@kernelsam kernelsam commented Feb 16, 2026

Summary

  • Rename reusable workflow secret keys for build-resources v4
  • Replace .outputs.job-status with .result
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all build-resources workflow refs to @v4
  • Standardize dependabot config (cooldown, groups, assignees)
  • Add kernelsam and cooldown to cspell dictionary

@kernelsam kernelsam requested review from a team as code owners February 16, 2026 22:11
@kernelsam kernelsam self-assigned this Feb 16, 2026
@github-actions
Copy link

github-actions bot commented Feb 16, 2026

🤖 Claude Code Review

I'll proceed with the code review based on the checklist and the diff provided.

Code Review Results

Code Quality

  • Code follows style guide: The changes follow YAML best practices with consistent indentation and structure. The formatting is clean and readable.

  • No commented-out code: All removed code has been cleanly deleted. The comment at the top of .github/dependabot.yml:1-2 was appropriately removed as it's redundant.

  • Meaningful variable names: All variable and key names are clear and descriptive (e.g., MEMBERS, PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN).

  • DRY principle followed: The changes standardize workflow patterns across multiple files, improving consistency and maintainability by using v4 of shared workflows.

  • No defects identified:

    • All workflow references correctly updated from v3 to v4
    • Secret name changes are consistent throughout (e.g., SENZING_MEMBERSMEMBERS)
    • The change from needs.*.outputs.job-status to needs.*.result is correct - result is the proper GitHub Actions context property
    • Added proper SLACK_CHANNEL secret where needed

  • Project memory configuration: No .claude/CLAUDE.md file exists, so no conflicts to check.

Testing

  • ⚠️ Unit tests for new functions: N/A - This PR only updates configuration files (YAML, JSON), which don't have traditional unit tests.

  • ⚠️ Integration tests for new endpoints: N/A - No endpoints modified.

  • ⚠️ Edge cases covered: N/A - Configuration changes.

  • ⚠️ Test coverage > 80%: N/A - Configuration files don't have test coverage metrics.

Note: For GitHub workflow updates, the proper validation is through GitHub Actions workflow linting (which is tested by .github/workflows/lint-workflows.yaml:18).

Documentation

  • README updated if needed: No README changes needed - these are internal workflow configurations.

  • API docs updated: N/A - No API changes.

  • Inline comments for complex logic: The Dependabot configuration is self-documenting. The removed comment was redundant since it just pointed to GitHub docs.

  • CHANGELOG.md updated: No CHANGELOG.md update detected. This PR should document the workflow standardization update.

  • Markdown files follow CommonMark: The .vscode/cspell.json:43-46 changes compress the ignorePaths array to a single line. While this is valid JSON, the formatting is inconsistent with the rest of the file which uses multi-line arrays. This should use prettier formatting with proper line breaks:

    "ignorePaths": [
  ".git/**",
  ".gitignore"
]

    File: .vscode/cspell.json:43-46

Security

  • No hardcoded credentials: All sensitive values properly use GitHub secrets.

  • Input validation implemented: N/A - Configuration files.

  • Proper error handling: The workflows properly check job status with needs.*.result and trigger notifications on failures.

  • No sensitive data in logs: No logging of sensitive information.

  • No license files checked in: No .lic files or strings starting with AQAAAD detected in the diff.

Summary

Critical Issues

None.

Issues Requiring Fixes

  1. CHANGELOG.md missing (.github/workflows/*.yaml): Document this standardization update to build-resources v4.

  2. JSON formatting inconsistency (.vscode/cspell.json:43-46): The ignorePaths array should maintain multi-line formatting consistent with the rest of the file.

Specific Recommendations

.github/dependabot.yml:

  • ✅ Good addition of grouping for senzing-factory dependencies
  • ✅ Proper exclusion from cooldown for senzing-factory/*
  • ✅ Quoting of assignees is correct YAML style

All workflow files:

  • ✅ Consistent update from v3 to v4 of senzing-factory/build-resources workflows
  • ✅ Secret names properly updated to match new workflow requirements
  • ✅ Correct change from outputs.job-status to result (built-in GitHub Actions context)

.vscode/cspell.json:

  • ❌ Format should match project conventions (multi-line arrays)

Overall Assessment

This is a well-executed standardization PR that updates all workflows to use build-resources v4. The changes are consistent, follow best practices, and improve maintainability. The only issues are missing CHANGELOG documentation and a minor JSON formatting inconsistency.

Automated code review analyzing defects and coding standards

@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from e6ef682 to 05dd5f8 Compare February 16, 2026 22:33
@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from 05dd5f8 to b92c498 Compare February 16, 2026 22:44
@github-actions
Copy link

github-actions bot commented Feb 16, 2026

🤖 Claude Code Review

Now let me proceed with the code review based on the diff provided.

Code Review Summary

Overall Assessment

This PR updates GitHub Actions workflows from senzing-factory/build-resources@v3 to @v4 and standardizes secret parameter names. The changes are primarily configuration updates with improved consistency.

Detailed Review

✅ Code Quality

Style Guide Compliance: ✅

  • YAML formatting is consistent and follows standard conventions
  • The addition of --- document separator in .github/dependabot.yml:1 follows YAML best practices

No Commented-Out Code: ✅

  • No commented code found

Meaningful Variable Names: ✅

  • Secret parameter renames improve clarity:
    • SENZING_MEMBERSMEMBERS (more generic)
    • SENZING_GITHUB_PROJECT_RW_TOKENPROJECT_RW_TOKEN (clearer)
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKENCODEOWNER_PR_RW_TOKEN (clearer)

DRY Principle: ✅

  • Reusable workflows are properly utilized
  • No code duplication introduced

Defects/Logic Errors: ✅

  • IMPORTANT FIX in .github/workflows/add-labels-standardized.yaml:22: Changed from needs.add-issue-labels.outputs.job-status to needs.add-issue-labels.result - this is correct as GitHub Actions uses .result not .outputs.job-status for job status
  • Same fix applied consistently across multiple workflow files (lines 22, 24 in various files)

Project Memory: N/A

  • No .claude/CLAUDE.md file exists in this project

✅ Testing

Unit Tests: N/A

  • This PR only modifies workflow configuration files, not application code

Integration Tests: N/A

  • Workflow changes will be tested when they run

Edge Cases: ✅

  • Cooldown exclusions added in .github/dependabot.yml:9-10 properly handle senzing-factory/* updates

Test Coverage: N/A

  • Not applicable to workflow configuration changes

⚠️ Documentation

Readme Updated: ❓

  • Cannot verify if README needs updates without seeing it, but workflow changes typically don't require README updates

API Docs: N/A

  • Not applicable to workflow changes

Inline Comments: ✅

  • The removed comment in .github/dependabot.yml:1-2 was redundant (just a link to docs)

CHANGELOG.md: ❌

  • No CHANGELOG.md update detected. This PR should document:
    • Migration from v3 to v4 workflows
    • Updated secret parameter names
    • New dependabot grouping for senzing-factory/*

Markdown Formatting: ✅

  • .vscode/cspell.json:43-44: Reformatted to single line - follows Prettier conventions ✅

✅ Security

No Hardcoded Credentials: ✅

  • All secrets properly referenced via ${{ secrets.* }}

Input Validation: N/A

  • Not applicable to workflow configuration

Proper Error Handling: ✅

  • Failure notifications properly configured with conditions checking for failure or cancelled states

No Sensitive Data in Logs: ✅

  • Secrets are masked by GitHub Actions automatically

License Files: ✅

  • No .lic files or AQAAAD strings detected in diff

Additional Observations

Improvements Found:

  1. .github/dependabot.yml:8-14: Added dependency grouping for senzing-factory/* with cooldown exclusion - this will batch related updates together ✅
  2. .github/workflows/lint-workflows.yaml:16: Changed pull-requests: readpull-requests: write - likely required for v4 workflow to post comments ✅
  3. .github/workflows/add-labels-standardized.yaml:24: Added SLACK_CHANNEL secret parameter - better configuration flexibility ✅

Consistency: ✅

  • All workflow files updated consistently from v3 to v4
  • Secret parameter name changes applied uniformly

Required Actions Before Merge

  1. Update CHANGELOG.md with:
    • Workflow version migration (v3 → v4)
    • Secret parameter renames
    • New dependabot grouping feature

Recommendations

  1. Verify that all referenced secrets exist in the repository/organization settings:

    • SENZING_MEMBERS (referenced as MEMBERS in v4)
    • SENZING_GITHUB_PROJECT_RW_TOKEN (referenced as PROJECT_RW_TOKEN in v4)
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN (referenced as CODEOWNER_PR_RW_TOKEN in v4)
    • SLACK_CHANNEL (newly added parameter)

  2. Consider adding a migration note if other repositories need to follow this v3→v4 upgrade pattern

Final Verdict

Status: Conditional approval pending CHANGELOG.md update

The code changes are high quality and fix actual bugs (.result vs .outputs.job-status). The only missing piece is documentation in CHANGELOG.md.

Automated code review analyzing defects and coding standards

@github-actions
Copy link

github-actions bot commented Feb 17, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Fail ❌
YAML_PRETTIER Fail ❌

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

YAML 
/github/workspace/.github/dependabot.yml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/dependabot.yml:25:1: [error] too many blank lines (1 > 0) (empty-lines)
/github/workspace/.github/workflows/spellcheck.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-labels-standardized.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-labels-standardized.yaml:22:81: [warning] line too long (104 > 80 characters) (line-length)
/github/workspace/.github/workflows/verify-dockerfile-refreshed-at-updated.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-garage-dependabot.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-garage-dependabot.yaml:21:81: [warning] line too long (113 > 80 characters) (line-length)
/github/workspace/.github/workflows/add-to-project-garage.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-garage.yaml:24:81: [warning] line too long (102 > 80 characters) (line-length)
/github/workspace/.github/workflows/claude-pr-review.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/dependabot-approve-and-merge.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/link-issues-to-pr-post-merge.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/lint-workflows.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/move-pr-to-done-dependabot.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/pylint.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/pylint.yaml:40:81: [warning] line too long (164 > 80 characters) (line-length)
YAML_PRETTIER 
Checking formatting...[�[33mwarn�[39m] .github/dependabot.yml
[�[33mwarn�[39m] Code style issues found in the above file. Run Prettier with --write to fix.

@github-actions
Copy link

github-actions bot commented Feb 17, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj enabled auto-merge (squash) February 17, 2026 13:17
@docktermj docktermj self-assigned this Feb 17, 2026
@github-actions
Copy link

github-actions bot commented Feb 17, 2026

🤖 Claude Code Review

Now I'll provide the code review based on my analysis of the diff:

Code Review Analysis

Summary

This PR updates GitHub Actions workflows from v3 to v4 of senzing-factory/build-resources and standardizes secret naming conventions. This appears to be a maintenance update to align with updated shared workflow configurations.

✅ Code Quality

✅ Code follows style guide

  • The changes are primarily YAML configuration updates
  • YAML formatting is consistent with proper indentation
  • String values are properly quoted where needed

✅ No commented-out code

  • All previous commented lines have been removed (e.g., documentation URL in .github/dependabot.yml:1-2)

✅ Meaningful variable names

  • Secret name changes improve clarity:
    • SENZING_MEMBERSMEMBERS (more generic)
    • SENZING_GITHUB_PROJECT_RW_TOKENPROJECT_RW_TOKEN (clearer)
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKENCODEOWNER_PR_RW_TOKEN (clearer)

✅ DRY principle followed

  • Changes reuse standardized workflows from senzing-factory/build-resources@v4
  • No code duplication introduced

✅ No defects identified

However, note the following considerations:

  1. Breaking changes potential: .github/dependabot.yml:6-14

    • New cooldown.exclude and groups configuration added
    • Ensure these v4 workflow features are properly documented and the repository secrets/variables are updated accordingly

  2. Secret migration required: Multiple files

    • All workflow files reference renamed secrets
    • Action Required: Verify that GitHub repository secrets have been renamed to match:
      • MEMBERS (was SENZING_MEMBERS)
      • PROJECT_RW_TOKEN (was SENZING_GITHUB_PROJECT_RW_TOKEN)
      • CODEOWNER_PR_RW_TOKEN (was SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN)
      • SLACK_CHANNEL (new required secret)

  3. Output vs result change: .github/workflows/add-labels-standardized.yaml:22, and similar files

    • Changed from needs.*.outputs.job-statusneeds.*.result
    • This is likely a v4 API change - ensure this is the correct property name

✅ Testing

⚠️ Unit tests for new functions

  • N/A - This PR only modifies workflow configurations, no code functions changed

⚠️ Integration tests for new endpoints

  • N/A - No endpoints modified

⚠️ Edge cases covered

  • N/A - No testable logic added

❌ Test coverage > 80%

  • Not verifiable from diff - No test files modified or added
  • The workflow changes themselves would be tested when GitHub Actions run

Recommendation: Ensure all modified workflows are tested by triggering them after merge.

⚠️ Documentation

⚠️ Readme updated if needed

  • Not visible in diff - Would need to check if README exists and documents workflow usage
  • If workflows are documented, update to reflect v4 changes

⚠️ API docs updated

  • N/A - No API changes

✅ Inline comments for complex logic

  • Appropriate for YAML configuration - no complex logic requiring comments

❌ CHANGELOG.md updated

  • Not present in diff - CHANGELOG should document:
    • Migration from build-resources v3 → v4
    • Secret naming changes
    • New dependabot grouping features

✅ Markdown files follow CommonMark

  • .vscode/cspell.json:43-44 - Not markdown, but JSON formatting improved (array condensed to single line)

✅ Security

✅ No hardcoded credentials

  • All secrets properly referenced via ${{ secrets.* }}

✅ Input validation implemented

  • Workflows use typed inputs and proper GitHub Actions syntax

✅ Proper error handling

  • Slack notifications added for failure cases with proper conditional checks

✅ No sensitive data in logs

  • No logging of secrets or sensitive information

✅ No license files with AQAAAD strings

  • No .lic files or license strings in diff

Critical Issues

🔴 BLOCKING: Secret Migration Required

Before merging, verify these secrets exist in the repository with the NEW names:

  • MEMBERS
  • PROJECT_RW_TOKEN
  • CODEOWNER_PR_RW_TOKEN
  • SLACK_CHANNEL (new requirement)

Location: All workflow files in .github/workflows/

🟡 WARNING: Permission Changes

.github/workflows/lint-workflows.yaml:16 - Permission changed from pull-requests: readpull-requests: write

Verification needed: Confirm this permission elevation is intentional and required by v4 workflows.

Additional Observations

Positive Changes:

  1. ✅ Consistent workflow standardization across all files
  2. ✅ Better error handling with Slack notifications including SLACK_CHANNEL
  3. ✅ Improved dependabot configuration with grouping for senzing-factory/* dependencies
  4. ✅ More explicit string quoting in YAML (.github/dependabot.yml:6-7,20)

Questions for Review:

  1. Have the repository secrets been updated to match the new naming convention?
  2. Is the needs.*.result property correctly referenced in v4 workflows (vs needs.*.outputs.job-status)?
  3. Has the v4 workflow upgrade been tested in a staging environment?
  4. Are there migration notes from senzing-factory/build-resources documenting the v3→v4 changes?

Recommendation

Status: ⚠️ CONDITIONAL APPROVAL

The code quality is good, but DO NOT MERGE until:

  1. ✅ Repository secrets are migrated to new names
  2. ✅ CHANGELOG.md is updated
  3. ✅ Confirm pull-requests: write permission change is intentional
  4. ✅ Test workflows after merge to verify v4 compatibility

Automated code review analyzing defects and coding standards

@github-actions
Copy link

github-actions bot commented Feb 17, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj merged commit c0a26e5 into main Feb 17, 2026
32 checks passed
@docktermj docktermj deleted the skern-workflow-standardize branch February 17, 2026 13:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@docktermj docktermj docktermj approved these changes

Assignees

@docktermj docktermj

@kernelsam kernelsam

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kernelsam @docktermj