fix docker-verify-refreshed-at-updated workflow

[kernelsam]

Add pull-requests: read permission to docker-verify-refreshed-at-updated.yaml and remove incorrectly named verify-dockerfile-refreshed-at-updated.yaml.

[github-actions]

🤖 Claude Code Review

Code Review

This PR consolidates two duplicate workflow files into one and adds the pull-requests: read permission needed by the reusable workflow.

---

Code Quality

✅ Code style: YAML formatting is consistent and clean.

✅ No commented-out code: The removed comment lines (# Required status check: ...) were informational notes, not disabled code. Their removal is acceptable.

✅ DRY principle: Deleting verify-dockerfile-refreshed-at-updated.yaml eliminates a duplicate that called the same reusable workflow. Good consolidation.

⚠️ Potential behavioral change: The deleted verify-dockerfile-refreshed-at-updated.yaml triggered on pull_request: with no branch filter (i.e., all PRs, all branches). The remaining docker-verify-refreshed-at-updated.yaml triggers only on PRs targeting [main]. If PRs to non-main branches should also verify Dockerfile timestamps, that coverage is now gone. Confirm this is intentional.

✅ No defects: The permission addition is correct — pull-requests: read is required by the reusable workflow to read PR metadata.

---

Testing

N/A: CI/CD workflow changes do not require unit/integration tests.

---

Documentation

⚠️ Removed status check documentation (.github/workflows/docker-verify-refreshed-at-updated.yaml, lines that were removed): The deleted comments explained which check is required for GitHub branch protection rules:

# Required status check: Verify Dockerfiles REFRESHED_AT Updated / Dockerfile Check Status
# The other status checks beginning with "Verify Dockerfiles REFRESHED_AT Updated / ..." are not required.

This is operationally useful for maintainers configuring branch protection. If these status checks are still required, consider preserving this information in a CONTRIBUTING.md, DEVELOPMENT.md, or the repo wiki rather than discarding it entirely.

⚠️ CHANGELOG.md not updated: The [Unreleased] section is empty. This is a workflow fix — whether it warrants a changelog entry depends on project convention, but it's worth confirming.

---

Security

✅ No hardcoded credentials.

✅ Least-privilege permissions: The remaining workflow already has permissions: {} at the workflow level (line 11), and the job grants only contents: read and pull-requests: read. This is correct.

✅ No sensitive data in logs.

✅ No license files (.lic) present.

---

Summary

Area	Status
Code Quality	✅ with one behavioral note
Testing	N/A
Documentation	⚠️ status check comment removed; CHANGELOG empty
Security	✅

Overall: The change is correct and clean. Two items to confirm before merging:

1. Is it intentional that Dockerfile timestamp checks no longer run on PRs targeting non-main branches?
2. Should the removed status-check documentation be preserved elsewhere?

---

Automated code review analyzing defects and coding standards

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter