
standardize workflows for build-resources v4#282

Merged
docktermj merged 2 commits into main from skern-workflow-standardize
Feb 17, 2026

@kernelsam
Contributor

Summary

  • Rename reusable workflow secret keys for build-resources v4
  • Replace .outputs.job-status with .result
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all build-resources workflow refs to @v4
  • Standardize dependabot config (cooldown, groups, assignees)
  • Add kernelsam and cooldown to cspell dictionary

@kernelsam kernelsam requested a review from a team as a code owner February 16, 2026 22:15
@kernelsam kernelsam self-assigned this Feb 16, 2026
@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from 8a3e778 to c1a6eeb Compare February 16, 2026 22:34
@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from c1a6eeb to 99d2adb Compare February 16, 2026 22:46
@github-actions
Contributor

🤖 Claude Code Review

Code Review Results

Summary

This PR standardizes GitHub workflow configurations to use build-resources@v4 across all workflow files. The changes are primarily configuration updates with improved secret naming conventions and workflow dependency handling.


Code Quality ✅

Code Style Guide Compliance ✅

All changes follow YAML formatting standards and maintain consistency with the codebase.

No Commented-Out Code ✅

No commented-out code present in the diff.

Meaningful Variable Names ✅

All variable and secret names are clear and descriptive:

  • PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, GPG_PRIVATE_KEY - Clear and consistent naming
  • Secret name standardization improves readability (e.g., SENZING_MEMBERS → MEMBERS)

DRY Principle ✅

Changes apply consistent patterns across all workflow files, reducing duplication.

Defects ❌

Issue 1: Potential Breaking Change in .github/dependabot.yml:9-10

exclude:
  - "senzing-factory/*"

The exclude directive under cooldown is not a valid Dependabot configuration option. According to GitHub's Dependabot documentation, cooldown only supports default-days. This will likely cause a validation error or be silently ignored.

Recommendation: Remove lines 9-10 or move the exclude logic elsewhere if filtering is needed.


Testing ⚠️

Unit Tests N/A

No testable code changes - these are configuration files.

Integration Tests N/A

Workflow changes will be validated automatically when workflows run.

Edge Cases ⚠️

  • Missing: Should verify that all referenced secrets exist in the repository settings:
    • SLACK_CHANNEL (newly added across multiple files)
    • Updated secret names (MEMBERS, PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, GIT_ACTOR, GPG_PASSPHRASE, GPG_PRIVATE_KEY)

Test Coverage N/A

Not applicable to workflow configuration files.


Documentation ❌

README Updated N/A

No README changes needed for internal workflow updates.

API Docs N/A

No API changes.

Inline Comments ✅

YAML files are self-documenting; no additional comments needed.

CHANGELOG.md ❌

Missing: The CHANGELOG.md at .github/workflows/../../../CHANGELOG.md:1-197 has not been updated to document this infrastructure change. While this is an internal workflow update, it represents a significant standardization effort that should be noted.

Recommendation: Add entry to CHANGELOG.md:

## [Unreleased]

### Changed
- Standardized GitHub workflows to use build-resources@v4
- Updated secret naming conventions for improved consistency

Markdown Formatting ✅

The .github/dependabot.yml file correctly adds the YAML document separator (---) at the top, following best practices. All workflow YAML files are properly formatted.


Security ✅

No Hardcoded Credentials ✅

All sensitive values use GitHub secrets (${{ secrets.* }}).

Input Validation ✅

Workflow inputs are properly validated through GitHub's workflow syntax.

Proper Error Handling ✅

All workflows include failure notification jobs with appropriate conditionals:

  • if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.*.result) }}

No Sensitive Data in Logs ✅

All secrets are properly masked in GitHub Actions by default.

License Files ✅

No .lic files or AQAAAD strings detected in the diff.


Additional Observations

Improvements in This PR ✅

  1. Consistent secret naming: Removed SENZING_ prefix from generic secrets used in reusable workflows
  2. Better dependency tracking: Changed from outputs.job-status to .result for more reliable job status checks (.github/workflows/add-labels-standardized.yaml:22, add-to-project-garage-dependabot.yaml:20, add-to-project-garage.yaml:23, go-proxy-pull.yaml:27, etc.)
  3. Added missing SLACK_CHANNEL secret: Now explicitly passed to notification workflows (.github/workflows/add-labels-standardized.yaml:25, add-to-project-garage-dependabot.yaml:24, etc.)
  4. Dependabot grouping: Added senzing-factory group to reduce PR noise (.github/dependabot.yml:12-15)
  5. Improved permissions: Updated pull-requests permission from read to write in lint-workflows.yaml:18 for better integration

Final Verdict

Status: ⚠️ Approve with Minor Fixes Required

Critical Issues:

  1. Fix invalid exclude directive in .github/dependabot.yml:9-10

Recommended Improvements:

  1. Update CHANGELOG.md to document the workflow standardization
  2. Verify all new/renamed secrets exist in repository settings before merging

Files Requiring Changes:

  • .github/dependabot.yml:9-10 - Remove invalid exclude under cooldown
  • CHANGELOG.md - Add entry documenting workflow updates

Once the critical Dependabot configuration issue is resolved, this PR can be merged safely.

Automated code review analyzing defects and coding standards
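
The pre-merge check the review above asks for (every secret a workflow references exists in repository settings) can be scripted. This is an added example, not part of the PR or the review; the workflow snippets, file names, `example-org` path, `OLD_PASSPHRASE` and the configured-secret list are constructed assumptions.

```python
import re
EXPR = re.compile(r"\$\{\{(.*?)\}\}")  # body of each ${{ ... }} expression
SECRET = re.compile(r"""\bsecrets(?:\.([A-Za-z_]\w*)|\[\s*['"]([^'"]+)['"]\s*\])""")
BUILTIN = {"GITHUB_TOKEN"}  # injected by GitHub Actions, never a stored secret

def referenced_secrets(workflow_text):
    """Return the upper-cased secret names a workflow file reads."""
    names = set()
    for line in workflow_text.splitlines():
        if line.lstrip().startswith("#"):  # ignore commented-out YAML
            continue
        for expr in EXPR.findall(line):
            for dotted, indexed in SECRET.findall(expr):
                names.add((dotted or indexed).upper())
    return names - BUILTIN

def missing_secrets(workflows, configured):
    """Map each referenced-but-unconfigured secret to the files that use it."""
    configured = {name.upper() for name in configured}
    missing = {}
    for filename, text in sorted(workflows.items()):
        for name in sorted(referenced_secrets(text) - configured):
            missing.setdefault(name, []).append(filename)
    return missing

# Constructed sample callers; file names, org path and secret list are assumptions.
SAMPLE_WORKFLOWS = {
    "notify.yaml": """\
jobs:
  slack-notification:
    if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.*.result) }}
    secrets:
      SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
    uses: example-org/example-resources/.github/workflows/notify.yaml@v4
""",
    "release.yaml": """\
jobs:
  release:
    # GPG_PASSPHRASE: ${{ secrets.OLD_PASSPHRASE }}
    secrets:
      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
      TOKEN: ${{ secrets.GITHUB_TOKEN }}
    uses: example-org/example-resources/.github/workflows/release.yaml@v4
""",
}
CONFIGURED = {"SLACK_BOT_TOKEN", "gpg_private_key"}  # constructed; names only
if __name__ == "__main__":
    print(missing_secrets(SAMPLE_WORKFLOWS, CONFIGURED))
```

In practice the configured names would come from the repository and organization secret listings (for example `gh secret list`), which return names only, never values.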

@github-actions
Contributor

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj enabled auto-merge (squash) February 17, 2026 13:36
@docktermj docktermj self-assigned this Feb 17, 2026
@docktermj docktermj requested a review from a team as a code owner February 17, 2026 13:49
@github-actions
Contributor

🤖 Claude Code Review

Code Review - PR: Standardize workflows for build-resources v4

Review Against Checklist

✅ Code Quality

✅ Code follows style guide

  • The changes primarily affect YAML configuration files and minimal Go code
  • Go code changes in cmd/docs.go:20-26 follow proper formatting with appropriate blank lines between logical blocks
  • YAML files are properly formatted with consistent quoting and structure

✅ No commented-out code

  • No commented-out code added in this PR
  • The dependabot.yml file actually removes commented code (lines with # Please see...)

✅ Meaningful variable names

  • No new variables introduced; existing variable names remain unchanged

✅ DRY principle followed

  • Changes are configuration updates that don't introduce duplication
  • Workflow standardization across files reduces overall duplication in the repository

✅ No defects identified

  • No bugs, logic errors, or race conditions introduced
  • Changes are primarily configuration updates to use build-resources v4
  • Go code changes only add blank lines for readability

⚠️ Project memory configuration consideration

  • .claude/CLAUDE.md:36-38 contains environment-specific path /opt/senzing/er/lib
  • This is acceptable as it's a standard installation path for Senzing, not a developer-specific local path

✅ Testing

✅ Unit tests not required

  • Changes are configuration-only (GitHub Actions workflows and dependabot)
  • Minor Go formatting changes (cmd/docs.go) don't alter logic

✅ Integration tests not required

  • No new endpoints or functionality added

✅ Edge cases not applicable

  • Configuration changes don't have edge cases to test

✅ Test coverage maintained

  • No changes to test coverage; existing coverage checks remain at 50% threshold (.github/coverage/testcoverage.yaml:18,22,26)

✅ Documentation

✅ README update not needed

  • No functional changes requiring README updates

✅ API docs not applicable

  • No API changes

✅ Inline comments not needed

  • Changes are self-explanatory configuration updates

❌ CHANGELOG.md not updated

  • CRITICAL: CHANGELOG.md has not been updated for this PR
  • This PR standardizes workflows for build-resources v4, which should be documented
  • Location: /home/runner/work/serve-http/serve-http/CHANGELOG.md:8 (Unreleased section is empty)
  • Recommendation: Add entry under ## [Unreleased] section:
    ### Changed in Unreleased
    
    - Standardize GitHub Actions workflows to build-resources v4
    - Update dependabot configuration with senzing-factory grouping

✅ Markdown files properly formatted

  • All YAML changes follow proper formatting
  • Consistent quoting style applied throughout

✅ Security

✅ No hardcoded credentials

  • All secrets properly referenced via ${{ secrets.* }}
  • Secret names standardized (e.g., SENZING_MEMBERS → MEMBERS, SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN)

✅ Input validation implemented

  • Not applicable for configuration changes

✅ Proper error handling

  • Workflow error handling unchanged; uses standard GitHub Actions patterns

✅ No sensitive data in logs

  • No logging changes introduced

✅ No license files checked in

  • No .lic files or strings starting with AQAAAD found in diff

Summary

Issues Found:

  1. ❌ CRITICAL - CHANGELOG.md not updated
    • File: /home/runner/work/serve-http/serve-http/CHANGELOG.md:8
    • This PR makes significant configuration changes that should be documented

Recommendations:

  1. Update CHANGELOG.md to document the workflow standardization changes
  2. Consider adding a brief comment in one of the workflow files explaining the v3 → v4 migration if there are breaking changes (though this appears to be a smooth upgrade)

Positive Aspects:

  • ✅ Consistent standardization across all workflow files
  • ✅ Proper secret management with renamed but correctly referenced secrets
  • ✅ Added Slack channel configuration for better notifications
  • ✅ Improved dependabot configuration with grouping for senzing-factory updates
  • ✅ Minor code formatting improvements in cmd/docs.go improve readability
  • ✅ Changed from outputs.job-status to result for better GitHub Actions compatibility
  • ✅ Added pull-requests: write permission to lint-workflows.yaml:18 for better integration

Overall Assessment: The PR is well-structured and improves the repository's CI/CD configuration. The only blocking issue is the missing CHANGELOG.md update, which should be added before merging.

Automated code review analyzing defects and coding standards

@github-actions
Contributor

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj merged commit 696591b into main Feb 17, 2026
42 checks passed
@docktermj docktermj deleted the skern-workflow-standardize branch February 17, 2026 14:00