standardize workflows for build-resources v4

[kernelsam]

Summary

• Rename reusable workflow secret keys for build-resources v4
• Replace .outputs.job-status with .result
• Add SLACK_CHANNEL secret to slack notification callers
• Bump all build-resources workflow refs to @v4
• Standardize dependabot config (cooldown, groups, assignees)
• Add kernelsam and cooldown to cspell dictionary

[github-actions]

🤖 Claude Code Review

❌ CHANGELOG.md updated - The CHANGELOG.md file has not been updated to reflect these workflow configuration changes. While workflow updates are typically infrastructure changes, they should still be documented, especially when:

• Upgrading build-resources from v3 to v4
• Changing secret name conventions (SENZING_MEMBERS → MEMBERS, SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN)
• Adding new Dependabot configuration features (cooldown periods, grouping)

✅ Markdown files follow CommonMark specification - The .vscode/cspell.json file shows proper formatting. The changes to .github/dependabot.yml added proper YAML document separator (---) at line 1.

---

Security

✅ No hardcoded credentials - No credentials detected in the diff.

✅ Input validation implemented - Not applicable to configuration changes.

✅ Proper error handling - Not applicable to configuration changes.

✅ No sensitive data in logs - Not applicable to configuration changes.

✅ No license files (.lic) flagged - No .lic files or AQAAAD strings present in the diff.

---

Summary

Issues Found:

1. CHANGELOG.md not updated (⚠️ Minor) - .github/dependabot.yml:1-31, .github/workflows/*.yaml (all modified files)
   • Infrastructure changes should be documented
   • Recommended entry:

     ## [Unreleased]
     
     ### Changed
     - Updated build-resources workflows from v3 to v4
     - Standardized workflow secret names (SENZING_MEMBERS → MEMBERS, SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN)
     - Added SLACK_CHANNEL secret to slack notification workflows
     - Enhanced Dependabot configuration with cooldown periods, assignees, and senzing-factory grouping

Positive Observations:

✅ The changes are well-structured and consistent across all workflow files
✅ Secret name standardization improves clarity and maintainability
✅ Dependabot enhancements (cooldown, grouping) will reduce noise from automated PRs
✅ Build-resources v4 upgrade ensures latest workflow improvements
✅ YAML formatting is clean and follows conventions
✅ No security vulnerabilities introduced
✅ cspell.json alphabetization improves maintainability

Overall Assessment: This PR represents a solid infrastructure improvement with standardization and upgrades. The only recommendation is to add a CHANGELOG entry to document these workflow configuration changes.

Automated code review analyzing defects and coding standards

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
EDITORCONFIG	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Fail ❌
YAML_PRETTIER	Fail ❌

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

YAML

/github/workspace/.github/dependabot.yml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/dependabot.yml:28:81: [warning] line too long (84 > 80 characters) (line-length)
/github/workspace/.github/dependabot.yml:31:1: [error] too many blank lines (1 > 0) (empty-lines)
/github/workspace/.github/workflows/add-labels-standardized.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-labels-standardized.yaml:22:81: [warning] line too long (104 > 80 characters) (line-length)
/github/workspace/.github/workflows/add-to-project-app-server-dependabot.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-app-server-dependabot.yaml:21:81: [warning] line too long (113 > 80 characters) (line-length)
/github/workspace/.github/workflows/add-to-project-app-server.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-app-server.yaml:24:81: [warning] line too long (102 > 80 characters) (line-length)
/github/workspace/.github/workflows/claude-pr-review.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/link-issues-to-pr-post-merge.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/lint-workflows.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/move-pr-to-done-dependabot.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/npm-build.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/npm-build.yaml:35:81: [warning] line too long (105 > 80 characters) (line-length)
/github/workspace/.github/workflows/npm-build.yaml:51:81: [warning] line too long (167 > 80 characters) (line-length)
/github/workspace/.github/workflows/spellcheck.yaml:1:1: [warning] missing document start "---" (document-start)

YAML_PRETTIER

Checking formatting...[�[33mwarn�[39m] .github/dependabot.yml
[�[33mwarn�[39m] Code style issues found in the above file. Run Prettier with --write to fix.

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
EDITORCONFIG	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Fail ❌

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

YAML_PRETTIER

Checking formatting...[�[33mwarn�[39m] .github/dependabot.yml
[�[33mwarn�[39m] Code style issues found in the above file. Run Prettier with --write to fix.

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
EDITORCONFIG	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

[github-actions]

🤖 Claude Code Review

Code Review Analysis

Code Quality

✅ Code follows style guide - The changes are primarily YAML/configuration file updates. All YAML files follow proper formatting with consistent indentation and structure.

✅ No commented-out code - No commented code found in the diff.

✅ Meaningful variable names - All variable/key names are descriptive (e.g., cooldown, default-days, PROJECT_RW_TOKEN).

✅ DRY principle followed - Changes standardize workflow patterns across multiple files, reducing duplication by using centralized workflow references.

✅ No defects identified - The changes appear to be straightforward configuration updates:

• Standardizing workflow references from v3 to v4
• Renaming secrets for consistency (SENZING_MEMBERS → MEMBERS, SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN)
• Adding missing SLACK_CHANNEL secret references
• Fixing job status references from outputs.job-status to result
• Adding Dependabot cooldown configuration

Minor observations:

• .github/dependabot.yml:1 - Added YAML frontmatter (---) which is good practice
• .github/workflows/lint-workflows.yaml:16 - Changed pull-requests permission from read to write - this appears intentional for the v4 workflow update
• .vscode/cspell.json - Dictionary was alphabetically reorganized, which is a positive maintenance change

Testing

❌ Unit tests for new functions - N/A - No new functions added

❌ Integration tests for new endpoints - N/A - No new endpoints

❌ Edge cases covered - N/A - Configuration changes only

❌ Test coverage > 80% - N/A - No code changes requiring tests

Documentation

✅ Readme updated if needed - N/A - No user-facing changes requiring README updates

✅ API docs updated - N/A - No API changes

✅ Inline comments for complex logic - N/A - Configuration files don't require inline comments

⚠️ CHANGELOG.md updated - Not visible in the diff. Should verify if CHANGELOG.md exists and needs updating for the build-resources v4 migration.

✅ Markdown files follow CommonMark - No markdown files were modified in this diff

Security

✅ No hardcoded credentials - All sensitive values use GitHub secrets (${{ secrets.* }})

✅ Input validation implemented - N/A - Configuration changes only

✅ Proper error handling - The workflows include proper failure notifications via Slack

✅ No sensitive data in logs - No logging changes

✅ No license files (.lic) or AQAAAD strings - None found in diff

---

Summary

Overall Assessment: ✅ APPROVED

This PR represents a maintenance update that standardizes workflow configurations to use build-resources v4. The changes are well-structured and follow best practices:

Key Changes:

1. Workflow version updates: All workflows migrated from v3 to v4
2. Secret standardization: Renamed secrets for consistency across workflows
3. Bug fixes: Corrected job status references from outputs.job-status to result
4. Enhancements: Added missing SLACK_CHANNEL secrets and Dependabot cooldown configuration
5. Maintenance: Alphabetized cspell dictionary

No blocking issues found.

Recommendations:

1. Verify CHANGELOG.md has been updated (not visible in diff)
2. Confirm the pull-requests: write permission change in lint-workflows.yaml:16 is required for the v4 workflow

---

Automated code review analyzing defects and coding standards