standardize workflows for build-resources v4 #233

Merged
docktermj merged 2 commits into main from skern-workflow-standardize
Feb 17, 2026

@kernelsam
Contributor

Summary

  • Rename reusable workflow secret keys for build-resources v4
  • Replace .outputs.job-status with .result
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all build-resources workflow refs to @v4
  • Standardize dependabot config (cooldown, groups, assignees)
  • Add kernelsam and cooldown to cspell dictionary

@kernelsam kernelsam requested a review from a team as a code owner February 16, 2026 22:12
@kernelsam kernelsam self-assigned this Feb 16, 2026
@github-actions
Contributor

🤖 Claude Code Review

I'll review this pull request against the checklist. Let me analyze the diff.

Code Review

Code Quality

Code follows style guide - This PR only modifies GitHub Actions workflow files and configuration (YAML), not application code. The YAML formatting follows GitHub Actions conventions.

No commented-out code - All changes are active configuration updates, no commented code present.

Meaningful variable names - N/A - This is configuration, not code with variables.

DRY principle followed - The changes systematically update workflow references from v3 to v4, which is appropriate for this type of migration.

Identify Defects - No logic errors, bugs, or security vulnerabilities detected. The changes are:

  • Updating workflow references from v3 to v4
  • Standardizing secret parameter names (e.g., SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN)
  • Updating status checking from needs.<job>.outputs.job-status to needs.<job>.result
  • Adding missing SLACK_CHANNEL secret parameters
  • Adding dependabot grouping configuration for senzing-factory/* dependencies
  • Adding consistent YAML quoting for strings

Project memory configuration (./.claude/CLAUDE.md) - The existing .claude/CLAUDE.md is appropriate and contains no local environment-specific details. It properly documents project structure, common commands, and general setup instructions.

Testing

⚠️ Unit tests for new functions - N/A - This PR contains only GitHub Actions workflow configuration changes, no code requiring unit tests.

⚠️ Integration tests for new endpoints - N/A - No new endpoints added.

⚠️ Edge cases covered - N/A - Configuration changes don't require test coverage.

⚠️ Test coverage > 80% - N/A - This PR doesn't affect test coverage.

Documentation

Readme updated if needed - No README update needed - these are internal workflow changes that don't affect end-user functionality.

API docs updated - N/A - No API changes.

Inline comments for complex logic - N/A - YAML workflow files are self-documenting.

CHANGELOG.md updated - There is no visible CHANGELOG.md update in this diff. Workflow migrations from v3 to v4 should be documented, as this is a significant infrastructure change.

Markdown files follow CommonMark specification - The only markdown reference is in .github/dependabot.yml which removed a comment, improving formatting. No markdown files were modified.

Security

No hardcoded credentials - All sensitive values properly use GitHub secrets (e.g., ${{ secrets.SLACK_BOT_TOKEN }}).

Input validation implemented - N/A - These are workflow configurations, not input-processing code.

Proper error handling - The workflows already include proper failure conditions with if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), ...) }}.

No sensitive data in logs - All sensitive values are passed via secrets, not exposed in workflow definitions.

No checked in license files (.lic) or AQAAAD strings - No license files or license strings detected in the diff.


Summary

Overall Assessment: ✅ APPROVED with minor recommendation

This is a clean infrastructure upgrade migrating GitHub Actions workflows from build-resources v3 to v4. The changes are systematic and consistent:

  1. All workflow references updated from @v3 to @v4
  2. Secret parameter names standardized (removing SENZING_ prefix for generic names)
  3. Status checking improved from custom outputs.job-status to native result
  4. Missing SLACK_CHANNEL secrets added where needed
  5. Dependabot configuration enhanced with grouping for senzing-factory/* dependencies

Minor Recommendation:

  • Consider adding a CHANGELOG.md entry documenting this v3→v4 workflow migration, especially if there are any behavioral changes in the reusable workflows being referenced.

No blocking issues found. The PR is ready to merge.

Automated code review analyzing defects and coding standards

@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from b9e7599 to 5806045 Compare February 16, 2026 22:33
@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from 5806045 to fdd235a Compare February 16, 2026 22:44
@github-actions
Contributor

🤖 Claude Code Review

I'll analyze this PR diff against the review checklist.

Code Review Analysis

Code Quality

Code follows style guide - This PR contains only YAML configuration changes for GitHub workflows and Dependabot. The YAML formatting is consistent and follows proper conventions.

No commented-out code - No commented code detected in the diff.

Meaningful variable names - All variable/field names are descriptive and follow GitHub Actions conventions (e.g., SLACK_CHANNEL, PROJECT_RW_TOKEN, job-status).

DRY principle followed - The changes standardize workflow references from @v3 to @v4, which is good for maintainability.

Identify Defects - No bugs, logic errors, or security vulnerabilities detected. The changes are configuration updates that:

  • Upgrade build-resources workflows from v3 to v4
  • Standardize secret names (e.g., SENZING_MEMBERS → MEMBERS, SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN)
  • Add missing SLACK_CHANNEL secret references
  • Add Dependabot cooldown exclusion and grouping for senzing-factory/*
  • Fix job status references from needs.<job>.outputs.job-status to needs.<job>.result

Project memory configuration - The .github/dependabot.yml:1 adds a YAML document separator (---) which is a good practice. The .github/workflows/*.yaml changes are appropriate and don't contain local-specific configurations.

Testing

Unit tests for new functions - N/A - No functional code changes, only workflow configuration updates.

Integration tests for new endpoints - N/A - No new endpoints added.

Edge cases covered - N/A - Configuration changes.

Test coverage > 80% - N/A - No code changes affecting test coverage.

Documentation

Readme updated if needed - N/A - Workflow configuration changes don't require README updates.

API docs updated - N/A - No API changes.

Inline comments for complex logic - N/A - YAML configurations are self-documenting.

CHANGELOG.md updated - No CHANGELOG.md update detected. While these are infrastructure changes, upgrading from v3 to v4 of build-resources workflows may be worth documenting.

Markdown formatting - The .github/dependabot.yml:1 properly adds the YAML document separator. No markdown files were modified in this PR.

Security

No hardcoded credentials - All sensitive values use GitHub secrets (${{ secrets.* }}).

Input validation implemented - N/A - Configuration changes only.

Proper error handling - The conditional checks for failure notifications are properly implemented (e.g., if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.<job>.result) }}).

No sensitive data in logs - No logging of sensitive information.

No license files - No .lic files or AQAAAD strings detected in the diff.

Summary

Overall Assessment: ✅ APPROVED with minor recommendation

This is a clean infrastructure update that standardizes the project's GitHub Actions workflows to use build-resources v4. The changes are:

  1. Consistent: All workflows upgraded from @v3 to @v4
  2. Correct: Secret name changes align with the v4 interface (generic names like MEMBERS instead of SENZING_MEMBERS)
  3. Improved: Fixes job status references to use .result instead of .outputs.job-status
  4. Enhanced: Adds Dependabot grouping and cooldown exclusions for better dependency management

Minor Recommendation:

  • Consider adding an entry to CHANGELOG.md documenting the upgrade to build-resources v4, as this may affect how workflows behave or how developers interact with CI/CD processes.

No blocking issues found. The PR is ready to merge.

Automated code review analyzing defects and coding standards

@github-actions
Contributor

Super-linter summary

Language | Validation result
CHECKOV | Pass ✅
GITHUB_ACTIONS | Pass ✅
GITHUB_ACTIONS_ZIZMOR | Pass ✅
GITLEAKS | Pass ✅
GIT_MERGE_CONFLICT_MARKERS | Pass ✅
JSCPD | Pass ✅
PRE_COMMIT | Pass ✅
SPELL_CODESPELL | Pass ✅
TRIVY | Pass ✅
YAML | Pass ✅
YAML_PRETTIER | Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj enabled auto-merge (squash) February 17, 2026 13:33
@docktermj docktermj self-assigned this Feb 17, 2026
@docktermj docktermj requested a review from a team as a code owner February 17, 2026 13:53
@github-actions
Contributor

🤖 Claude Code Review

I'll review this pull request against the provided checklist. Let me analyze the diff systematically.

Code Review

Code Quality

✅ Code follows style guide

The changes follow Go and YAML formatting standards. The Go changes in cmd/docs.go properly use blank lines between logical sections as per the style guide.

✅ No commented-out code

No commented-out code found in the diff.

✅ Meaningful variable names

All variable names are clear and appropriate (dir, err, args).

✅ DRY principle followed

No code duplication detected. The changes are primarily standardization updates.

✅ Identify Defects

No bugs, logic errors, edge cases, crashes, race conditions, memory leaks, or security vulnerabilities identified. The changes are:

  • Workflow version bumps (v3 → v4)
  • Secret name standardization
  • YAML formatting improvements
  • Minor Go formatting improvements in cmd/docs.go:21,27

Testing

⚠️ Unit tests for new functions

N/A - No new functions added. Changes are configuration and formatting updates only.

⚠️ Integration tests for new endpoints

N/A - No new endpoints added.

⚠️ Edge cases covered

N/A - No new logic to test.

⚠️ Test coverage > 80%

N/A - No code logic changes that would affect coverage.

Documentation

✅ Readme updated if needed

No README updates needed. Changes are internal workflow configurations.

✅ API docs updated

No API changes present.

✅ Inline comments for complex logic

No complex logic added. Existing code is straightforward.

✅ CHANGELOG.md updated

Not required - These are infrastructure/workflow updates that typically don't require CHANGELOG entries in user-facing tools.

✅ Markdown files follow CommonMark

The only markdown-related file (.github/dependabot.yml) is YAML, not markdown. No markdown files were modified.

Security

✅ No hardcoded credentials

No credentials hardcoded. All secrets are properly referenced via GitHub secrets.

✅ Input validation implemented

No new inputs requiring validation.

✅ Proper error handling

The existing error handling in cmd/docs.go remains appropriate.

✅ No sensitive data in logs

No logging changes present.

✅ No license files checked in

No .lic files or AQAAAD strings detected in the diff.


Summary

Overall Assessment: ✅ APPROVED

This PR is a clean infrastructure update that:

  1. Standardizes workflow references from v3 to v4 of senzing-factory/build-resources
  2. Standardizes secret names across workflows (e.g., SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN, SENZING_MEMBERS → MEMBERS)
  3. Adds missing SLACK_CHANNEL secrets to Slack notification workflows
  4. Improves YAML formatting in .github/dependabot.yml (adds quotes, proper structure)
  5. Adds Dependabot grouping for senzing-factory/* dependencies with cooldown exclusion
  6. Improves Go formatting with proper blank line separation in cmd/docs.go:21,27
  7. Fixes job status references from needs.<job>.outputs.job-status to needs.<job>.result (more idiomatic)

Key Improvements:

  • Better Dependabot management with grouping and cooldown exclusions
  • More consistent secret naming conventions
  • Proper use of GitHub Actions' result context variable
  • Enhanced workflow permissions (pull-requests: write added in lint-workflows.yaml:18)

No Issues Found:

  • No security vulnerabilities
  • No logic errors
  • No breaking changes
  • Follows existing code patterns
  • Maintains backward compatibility

The changes are well-structured, safe, and improve the maintainability of the repository's CI/CD infrastructure.

Automated code review analyzing defects and coding standards

@github-actions
Contributor

Super-linter summary

Language | Validation result
CHECKOV | Pass ✅
GITHUB_ACTIONS | Pass ✅
GITHUB_ACTIONS_ZIZMOR | Pass ✅
GITLEAKS | Pass ✅
GIT_MERGE_CONFLICT_MARKERS | Pass ✅
JSCPD | Pass ✅
PRE_COMMIT | Pass ✅
SPELL_CODESPELL | Pass ✅
TRIVY | Pass ✅
YAML | Pass ✅
YAML_PRETTIER | Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj merged commit e9d9f53 into main Feb 17, 2026
44 checks passed
@docktermj docktermj deleted the skern-workflow-standardize branch February 17, 2026 14:05