
standardize workflows for build-resources v4#545

Merged
docktermj merged 2 commits into main from skern-workflow-standardize
Feb 17, 2026

@kernelsam
Contributor

Summary

  • Rename reusable workflow secret keys for build-resources v4
  • Replace .outputs.job-status with .result
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all build-resources workflow refs to @v4
  • Standardize dependabot config (cooldown, groups, assignees)
  • Add kernelsam and cooldown to cspell dictionary

@kernelsam kernelsam requested review from a team as code owners February 16, 2026 22:11
@kernelsam kernelsam self-assigned this Feb 16, 2026
@github-actions

🤖 Claude Code Review

I'll proceed with the code review based on the checklist and the diff provided.


Code Review Results

Code Quality

  • Code follows style guide: The changes follow YAML best practices with consistent indentation and structure. The formatting is clean and readable.

  • No commented-out code: All removed code has been cleanly deleted. The comment at the top of .github/dependabot.yml:1-2 was appropriately removed as it's redundant.

  • Meaningful variable names: All variable and key names are clear and descriptive (e.g., MEMBERS, PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN).

  • DRY principle followed: The changes standardize workflow patterns across multiple files, improving consistency and maintainability by using v4 of shared workflows.

  • No defects identified:

    • All workflow references correctly updated from v3 to v4
    • Secret name changes are consistent throughout (e.g., SENZING_MEMBERS → MEMBERS)
    • The change from needs.*.outputs.job-status to needs.*.result is correct - result is the proper GitHub Actions context property
    • Added proper SLACK_CHANNEL secret where needed
  • Project memory configuration: No .claude/CLAUDE.md file exists, so no conflicts to check.

Testing

  • ⚠️ Unit tests for new functions: N/A - This PR only updates configuration files (YAML, JSON), which don't have traditional unit tests.

  • ⚠️ Integration tests for new endpoints: N/A - No endpoints modified.

  • ⚠️ Edge cases covered: N/A - Configuration changes.

  • ⚠️ Test coverage > 80%: N/A - Configuration files don't have test coverage metrics.

Note: For GitHub workflow updates, the proper validation is through GitHub Actions workflow linting (which is tested by .github/workflows/lint-workflows.yaml:18).

Documentation

  • README updated if needed: No README changes needed - these are internal workflow configurations.

  • API docs updated: N/A - No API changes.

  • Inline comments for complex logic: The Dependabot configuration is self-documenting. The removed comment was redundant since it just pointed to GitHub docs.

  • CHANGELOG.md updated: No CHANGELOG.md update detected. This PR should document the workflow standardization update.

  • Markdown files follow CommonMark: The .vscode/cspell.json:43-46 changes compress the ignorePaths array to a single line. While this is valid JSON, the formatting is inconsistent with the rest of the file which uses multi-line arrays. This should use prettier formatting with proper line breaks:

    "ignorePaths": [
      ".git/**",
      ".gitignore"
    ]

    File: .vscode/cspell.json:43-46

Security

  • No hardcoded credentials: All sensitive values properly use GitHub secrets.

  • Input validation implemented: N/A - Configuration files.

  • Proper error handling: The workflows properly check job status with needs.*.result and trigger notifications on failures.

  • No sensitive data in logs: No logging of sensitive information.

  • No license files checked in: No .lic files or strings starting with AQAAAD detected in the diff.


Summary

Critical Issues

None.

Issues Requiring Fixes

  1. CHANGELOG.md missing (.github/workflows/*.yaml): Document this standardization update to build-resources v4.

  2. JSON formatting inconsistency (.vscode/cspell.json:43-46): The ignorePaths array should maintain multi-line formatting consistent with the rest of the file.

Specific Recommendations

.github/dependabot.yml:

  • ✅ Good addition of grouping for senzing-factory dependencies
  • ✅ Proper exclusion from cooldown for senzing-factory/*
  • ✅ Quoting of assignees is correct YAML style

All workflow files:

  • ✅ Consistent update from v3 to v4 of senzing-factory/build-resources workflows
  • ✅ Secret names properly updated to match new workflow requirements
  • ✅ Correct change from outputs.job-status to result (built-in GitHub Actions context)

.vscode/cspell.json:

  • ❌ Format should match project conventions (multi-line arrays)

Overall Assessment

This is a well-executed standardization PR that updates all workflows to use build-resources v4. The changes are consistent, follow best practices, and improve maintainability. The only issues are missing CHANGELOG documentation and a minor JSON formatting inconsistency.

Automated code review analyzing defects and coding standards

@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from e6ef682 to 05dd5f8, February 16, 2026 22:33
@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from 05dd5f8 to b92c498, February 16, 2026 22:44
@github-actions

🤖 Claude Code Review

Now let me proceed with the code review based on the diff provided.


Code Review Summary

Overall Assessment

This PR updates GitHub Actions workflows from senzing-factory/build-resources@v3 to @v4 and standardizes secret parameter names. The changes are primarily configuration updates with improved consistency.

Detailed Review

✅ Code Quality

Style Guide Compliance: ✅

  • YAML formatting is consistent and follows standard conventions
  • The addition of --- document separator in .github/dependabot.yml:1 follows YAML best practices

No Commented-Out Code: ✅

  • No commented code found

Meaningful Variable Names: ✅

  • Secret parameter renames improve clarity:
    • SENZING_MEMBERS → MEMBERS (more generic)
    • SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN (clearer)
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN (clearer)

DRY Principle: ✅

  • Reusable workflows are properly utilized
  • No code duplication introduced

Defects/Logic Errors: ✅

  • IMPORTANT FIX in .github/workflows/add-labels-standardized.yaml:22: Changed from needs.add-issue-labels.outputs.job-status to needs.add-issue-labels.result - this is correct as GitHub Actions uses .result not .outputs.job-status for job status
  • Same fix applied consistently across multiple workflow files (lines 22, 24 in various files)

Project Memory: N/A

  • No .claude/CLAUDE.md file exists in this project

✅ Testing

Unit Tests: N/A

  • This PR only modifies workflow configuration files, not application code

Integration Tests: N/A

  • Workflow changes will be tested when they run

Edge Cases: ✅

  • Cooldown exclusions added in .github/dependabot.yml:9-10 properly handle senzing-factory/* updates

Test Coverage: N/A

  • Not applicable to workflow configuration changes

⚠️ Documentation

Readme Updated: ❓

  • Cannot verify if README needs updates without seeing it, but workflow changes typically don't require README updates

API Docs: N/A

  • Not applicable to workflow changes

Inline Comments: ✅

  • The removed comment in .github/dependabot.yml:1-2 was redundant (just a link to docs)

CHANGELOG.md: ❌

  • No CHANGELOG.md update detected. This PR should document:
    • Migration from v3 to v4 workflows
    • Updated secret parameter names
    • New dependabot grouping for senzing-factory/*

Markdown Formatting: ✅

  • .vscode/cspell.json:43-44: Reformatted to single line - follows Prettier conventions ✅

✅ Security

No Hardcoded Credentials: ✅

  • All secrets properly referenced via ${{ secrets.* }}

Input Validation: N/A

  • Not applicable to workflow configuration

Proper Error Handling: ✅

  • Failure notifications properly configured with conditions checking for failure or cancelled states

No Sensitive Data in Logs: ✅

  • Secrets are masked by GitHub Actions automatically

License Files: ✅

  • No .lic files or AQAAAD strings detected in diff

Additional Observations

Improvements Found:

  1. .github/dependabot.yml:8-14: Added dependency grouping for senzing-factory/* with cooldown exclusion - this will batch related updates together ✅
  2. .github/workflows/lint-workflows.yaml:16: Changed pull-requests: read → pull-requests: write - likely required for v4 workflow to post comments ✅
  3. .github/workflows/add-labels-standardized.yaml:24: Added SLACK_CHANNEL secret parameter - better configuration flexibility ✅

Consistency: ✅

  • All workflow files updated consistently from v3 to v4
  • Secret parameter name changes applied uniformly

Required Actions Before Merge

  1. Update CHANGELOG.md with:
    • Workflow version migration (v3 → v4)
    • Secret parameter renames
    • New dependabot grouping feature

Recommendations

  1. Verify that all referenced secrets exist in the repository/organization settings:

    • SENZING_MEMBERS (referenced as MEMBERS in v4)
    • SENZING_GITHUB_PROJECT_RW_TOKEN (referenced as PROJECT_RW_TOKEN in v4)
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN (referenced as CODEOWNER_PR_RW_TOKEN in v4)
    • SLACK_CHANNEL (newly added parameter)
  2. Consider adding a migration note if other repositories need to follow this v3→v4 upgrade pattern


Final Verdict

Status: Conditional approval pending CHANGELOG.md update

The code changes are high quality and fix actual bugs (.result vs .outputs.job-status). The only missing piece is documentation in CHANGELOG.md.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Fail ❌
YAML_PRETTIER Fail ❌

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

YAML
/github/workspace/.github/dependabot.yml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/dependabot.yml:25:1: [error] too many blank lines (1 > 0) (empty-lines)
/github/workspace/.github/workflows/spellcheck.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-labels-standardized.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-labels-standardized.yaml:22:81: [warning] line too long (104 > 80 characters) (line-length)
/github/workspace/.github/workflows/verify-dockerfile-refreshed-at-updated.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-garage-dependabot.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-garage-dependabot.yaml:21:81: [warning] line too long (113 > 80 characters) (line-length)
/github/workspace/.github/workflows/add-to-project-garage.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-garage.yaml:24:81: [warning] line too long (102 > 80 characters) (line-length)
/github/workspace/.github/workflows/claude-pr-review.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/dependabot-approve-and-merge.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/link-issues-to-pr-post-merge.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/lint-workflows.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/move-pr-to-done-dependabot.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/pylint.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/pylint.yaml:40:81: [warning] line too long (164 > 80 characters) (line-length)
YAML_PRETTIER
Checking formatting...
[warn] .github/dependabot.yml
[warn] Code style issues found in the above file. Run Prettier with --write to fix.

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj enabled auto-merge (squash) February 17, 2026 13:17
@docktermj docktermj self-assigned this Feb 17, 2026
@github-actions

🤖 Claude Code Review

Now I'll provide the code review based on my analysis of the diff:


Code Review Analysis

Summary

This PR updates GitHub Actions workflows from v3 to v4 of senzing-factory/build-resources and standardizes secret naming conventions. This appears to be a maintenance update to align with updated shared workflow configurations.


✅ Code Quality

✅ Code follows style guide

  • The changes are primarily YAML configuration updates
  • YAML formatting is consistent with proper indentation
  • String values are properly quoted where needed

✅ No commented-out code

  • All previous commented lines have been removed (e.g., documentation URL in .github/dependabot.yml:1-2)

✅ Meaningful variable names

  • Secret name changes improve clarity:
    • SENZING_MEMBERS → MEMBERS (more generic)
    • SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN (clearer)
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN (clearer)

✅ DRY principle followed

  • Changes reuse standardized workflows from senzing-factory/build-resources@v4
  • No code duplication introduced

✅ No defects identified

However, note the following considerations:

  1. Breaking changes potential: .github/dependabot.yml:6-14

    • New cooldown.exclude and groups configuration added
    • Ensure these v4 workflow features are properly documented and the repository secrets/variables are updated accordingly
  2. Secret migration required: Multiple files

    • All workflow files reference renamed secrets
    • Action Required: Verify that GitHub repository secrets have been renamed to match:
      • MEMBERS (was SENZING_MEMBERS)
      • PROJECT_RW_TOKEN (was SENZING_GITHUB_PROJECT_RW_TOKEN)
      • CODEOWNER_PR_RW_TOKEN (was SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN)
      • SLACK_CHANNEL (new required secret)
  3. Output vs result change: .github/workflows/add-labels-standardized.yaml:22, and similar files

    • Changed from needs.*.outputs.job-status → needs.*.result
    • This is likely a v4 API change - ensure this is the correct property name

✅ Testing

⚠️ Unit tests for new functions

  • N/A - This PR only modifies workflow configurations, no code functions changed

⚠️ Integration tests for new endpoints

  • N/A - No endpoints modified

⚠️ Edge cases covered

  • N/A - No testable logic added

❌ Test coverage > 80%

  • Not verifiable from diff - No test files modified or added
  • The workflow changes themselves would be tested when GitHub Actions run

Recommendation: Ensure all modified workflows are tested by triggering them after merge.


⚠️ Documentation

⚠️ Readme updated if needed

  • Not visible in diff - Would need to check if README exists and documents workflow usage
  • If workflows are documented, update to reflect v4 changes

⚠️ API docs updated

  • N/A - No API changes

✅ Inline comments for complex logic

  • Appropriate for YAML configuration - no complex logic requiring comments

❌ CHANGELOG.md updated

  • Not present in diff - CHANGELOG should document:
    • Migration from build-resources v3 → v4
    • Secret naming changes
    • New dependabot grouping features

✅ Markdown files follow CommonMark

  • .vscode/cspell.json:43-44 - Not markdown, but JSON formatting improved (array condensed to single line)

✅ Security

✅ No hardcoded credentials

  • All secrets properly referenced via ${{ secrets.* }}

✅ Input validation implemented

  • Workflows use typed inputs and proper GitHub Actions syntax

✅ Proper error handling

  • Slack notifications added for failure cases with proper conditional checks

✅ No sensitive data in logs

  • No logging of secrets or sensitive information

✅ No license files with AQAAAD strings

  • No .lic files or license strings in diff

Critical Issues

🔴 BLOCKING: Secret Migration Required

Before merging, verify these secrets exist in the repository with the NEW names:

  • MEMBERS
  • PROJECT_RW_TOKEN
  • CODEOWNER_PR_RW_TOKEN
  • SLACK_CHANNEL (new requirement)

Location: All workflow files in .github/workflows/

🟡 WARNING: Permission Changes

.github/workflows/lint-workflows.yaml:16 - Permission changed from pull-requests: read → pull-requests: write

Verification needed: Confirm this permission elevation is intentional and required by v4 workflows.


Additional Observations

Positive Changes:

  1. ✅ Consistent workflow standardization across all files
  2. ✅ Better error handling with Slack notifications including SLACK_CHANNEL
  3. ✅ Improved dependabot configuration with grouping for senzing-factory/* dependencies
  4. ✅ More explicit string quoting in YAML (.github/dependabot.yml:6-7,20)

Questions for Review:

  1. Have the repository secrets been updated to match the new naming convention?
  2. Is the needs.*.result property correctly referenced in v4 workflows (vs needs.*.outputs.job-status)?
  3. Has the v4 workflow upgrade been tested in a staging environment?
  4. Are there migration notes from senzing-factory/build-resources documenting the v3→v4 changes?

Recommendation

Status: ⚠️ CONDITIONAL APPROVAL

The code quality is good, but DO NOT MERGE until:

  1. ✅ Repository secrets are migrated to new names
  2. ✅ CHANGELOG.md is updated
  3. ✅ Confirm pull-requests: write permission change is intentional
  4. ✅ Test workflows after merge to verify v4 compatibility

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj merged commit c0a26e5 into main Feb 17, 2026
32 checks passed
@docktermj docktermj deleted the skern-workflow-standardize branch February 17, 2026 13:23