standardize workflows for build-resources v4

[kernelsam]

Summary

• Rename reusable workflow secret keys for build-resources v4
• Replace .outputs.job-status with .result
• Add SLACK_CHANNEL secret to slack notification callers
• Bump all build-resources workflow refs to @v4
• Standardize dependabot config (cooldown, groups, assignees)
• Add kernelsam and cooldown to cspell dictionary

[github-actions]

🤖 Claude Code Review

Code Review: Workflow Configuration Updates

Analyzing the pull request against the Senzing code review checklist.

Review Summary

This PR updates GitHub Actions workflow configurations to standardize on build-resources v4. The changes are primarily configuration updates with consistent patterns across all workflow files.

---

Code Quality

✅ Code Style Compliance

The changes follow proper YAML formatting conventions:

• Consistent quote usage for string values
• Proper indentation maintained throughout
• Document separator (---) added at top of .github/dependabot.yml:1

✅ No Commented-Out Code

All changes are active configuration updates with no commented code.

✅ Meaningful Naming

Variable and key names are descriptive:

• ORG_MEMBERSHIP_TOKEN → MEMBERS (more concise)
• SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN (clearer intent)
• SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN (simplified)

✅ DRY Principle

The standardization to v4 workflows eliminates duplication by centralizing workflow logic in reusable workflows.

✅ No Defects Identified

The changes are configuration updates with consistent patterns. Key observations:

• Proper migration from outputs.job-status to result field (.github/workflows/add-labels-standardized.yaml:22,26)
• All workflow version references updated from @v3 to @v4
• Secret names consistently updated across all files
• New SLACK_CHANNEL secret properly added where needed

---

Testing

⚠️ Testing Considerations

While this PR is configuration-only (GitHub Actions YAML), testing recommendations:

• Manual Verification Needed: These workflow changes should be tested in a staging environment or monitored closely after merge
• N/A Unit Tests: Configuration files don't have unit tests
• N/A Integration Tests: Workflow testing occurs at runtime in GitHub Actions
• N/A Test Coverage: Not applicable for YAML configuration

Recommendation: Monitor the first few workflow runs after merge to ensure v4 workflows behave as expected.

---

Documentation

✅ Readme Updates

Not required - these are internal workflow configuration changes that don't affect user-facing documentation.

✅ API Documentation

Not applicable - no API changes.

✅ Inline Comments

Configuration changes are self-documenting with clear key names.

❌ CHANGELOG.md Not Updated

Issue: .github/workflows/* changes represent infrastructure updates that should be documented.

Recommendation: Add entry to CHANGELOG.md:

### Changed
- Updated GitHub Actions workflows to use senzing-factory/build-resources@v4
- Standardized secret naming conventions across workflows
- Added Dependabot grouping for senzing-factory dependencies

✅ Markdown Formatting

The diff doesn't show markdown file changes. YAML files follow proper formatting conventions.

---

Security

✅ No Hardcoded Credentials

All sensitive values properly use GitHub secrets (${{ secrets.* }}).

✅ Input Validation

GitHub Actions handles input validation for workflow configurations.

✅ Proper Error Handling

Error handling delegated to reusable workflows with proper conditional checks:

• .github/workflows/add-labels-standardized.yaml:22: if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-issue-labels.result) }}

✅ No Sensitive Data in Logs

Secrets properly referenced, not exposed in workflow definitions.

✅ No License Files

No .lic files or AQAAAD strings detected in the diff.

---

Specific Findings

.github/dependabot.yml

Lines 10-15: New grouping configuration added

groups:
  senzing-factory:
    patterns:
      - "senzing-factory/*"

✅ Good: This groups senzing-factory dependency updates together, reducing PR noise.

Lines 7-9: Cooldown exclusion added

cooldown:
  default-days: 21
  exclude:
    - "senzing-factory/*"

✅ Good: Allows senzing-factory updates to bypass cooldown period, enabling faster security/bug fix adoption.

All Workflow Files

Consistent Pattern: Secret name standardization

• SENZING_MEMBERS → MEMBERS
• SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN
• SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN

✅ Good: Cleaner naming convention, reduces verbosity.

New Secret: SLACK_CHANNEL added to all slack notification calls

• Examples: Lines in add-labels-standardized.yaml:25, create-javadoc-documentation.yaml:64, etc.

✅ Good: Makes Slack channel configurable per repository.

.github/workflows/lint-workflows.yaml

Line 16: Permission change

-      pull-requests: read
+      pull-requests: write

⚠️ Review Needed: Permission escalation from read to write. This likely aligns with v4 workflow requirements (perhaps for posting lint results), but should be verified as intentional.

---

Final Assessment

Category	Status	Critical Issues
Code Quality	✅ Pass	0
Testing	⚠️ Monitor	0
Documentation	❌ Incomplete	0
Security	✅ Pass	0

Required Actions

1. CHANGELOG.md: Add entry documenting workflow updates

Recommended Actions

1. Monitor first workflow runs after merge for v4 compatibility
2. Verify pull-requests: write permission in lint-workflows.yaml is intentional

Approval Status

✅ Approved with minor documentation update needed

The code changes are well-structured and follow consistent patterns. The only missing piece is CHANGELOG documentation. No security or functional concerns identified.

Automated code review analyzing defects and coding standards

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Fail ❌
YAML_PRETTIER	Fail ❌

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

YAML

/github/workspace/.github/dependabot.yml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/dependabot.yml:25:1: [error] too many blank lines (1 > 0) (empty-lines)
/github/workspace/.github/workflows/maven-darwin.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/maven-darwin.yaml:49:81: [warning] line too long (88 > 80 characters) (line-length)
/github/workspace/.github/workflows/maven-darwin.yaml:56:81: [warning] line too long (187 > 80 characters) (line-length)
/github/workspace/.github/workflows/maven-darwin.yaml:81:81: [warning] line too long (144 > 80 characters) (line-length)
/github/workspace/.github/workflows/add-labels-standardized.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-labels-standardized.yaml:22:81: [warning] line too long (104 > 80 characters) (line-length)
/github/workspace/.github/workflows/maven-linux.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/maven-linux.yaml:51:81: [warning] line too long (249 > 80 characters) (line-length)
/github/workspace/.github/workflows/maven-linux.yaml:69:81: [warning] line too long (102 > 80 characters) (line-length)
/github/workspace/.github/workflows/maven-linux.yaml:77:81: [warning] line too long (143 > 80 characters) (line-length)
/github/workspace/.github/workflows/add-to-project-garage-dependabot.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-garage-dependabot.yaml:21:81: [warning] line too long (113 > 80 characters) (line-length)
/github/workspace/.github/workflows/maven-windows.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/maven-windows.yaml:52:81: [warning] line too long (235 > 80 characters) (line-length)
/github/workspace/.github/workflows/maven-windows.yaml:77:81: [warning] line too long (145 > 80 characters) (line-length)
/github/workspace/.github/workflows/add-to-project-garage.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-garage.yaml:24:81: [warning] line too long (102 > 80 characters) (line-length)
/github/workspace/.github/workflows/move-pr-to-done-dependabot.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/claude-pr-review.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/spellcheck.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/create-javadoc-documentation.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/create-javadoc-documentation.yaml:48:81: [warning] line too long (163 > 80 characters) (line-length)
/github/workspace/.github/workflows/create-javadoc-documentation.yaml:49:81: [warning] line too long (123 > 80 characters) (line-length)
/github/workspace/.github/workflows/create-javadoc-documentation.yaml:61:81: [warning] line too long (100 > 80 characters) (line-length)
/github/workspace/.github/workflows/verify-dockerfile-refreshed-at-updated.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/dependabot-approve-and-merge.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/docker-push-containers-to-dockerhub.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/docker-push-containers-to-dockerhub.yaml:40:81: [warning] line too long (131 > 80 characters) (line-length)
/github/workspace/.github/workflows/docker-push-containers-to-dockerhub.yaml:46:81: [warning] line too long (81 > 80 characters) (line-length)
/github/workspace/.github/workflows/link-issues-to-pr-post-merge.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/lint-workflows.yaml:1:1: [warning] missing document start "---" (document-start)

YAML_PRETTIER

Checking formatting...[�[33mwarn�[39m] .github/dependabot.yml
[�[33mwarn�[39m] Code style issues found in the above file. Run Prettier with --write to fix.

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter