
standardize workflows for build-resources v4 #77

Merged
docktermj merged 1 commit into main from skern-workflow-standardize
Feb 17, 2026

@kernelsam
Contributor

Summary

  • Rename reusable workflow secret keys for build-resources v4
  • Replace .outputs.job-status with .result
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all build-resources workflow refs to @v4
  • Standardize dependabot config (cooldown, groups, assignees)
  • Add kernelsam and cooldown to cspell dictionary

kernelsam requested review from a team as code owners on February 16, 2026 22:08
kernelsam self-assigned this on Feb 16, 2026
@github-actions

🤖 Claude Code Review

Let me proceed with the code review based on the diff provided:


Code Review - PR Diff Analysis

Code Quality

✅ Code follows our style guide

The changes are configuration files (YAML and JSON) which follow YAML/JSON standards appropriately.

✅ No commented-out code

  • .github/dependabot.yml:1-2 - Removed commented lines, which is good cleanup.
  • No other commented-out code found.

✅ Meaningful variable names

All variable/key names in the configuration files are clear and descriptive (cooldown, assignees, CODEOWNER_PR_RW_TOKEN, etc.).

✅ DRY principle followed

No obvious duplication in the changes. Configuration is appropriately structured.

✅ Identify Defects

Issues found:

  1. Critical: Inconsistent secret naming pattern

    • .github/workflows/add-labels-standardized.yaml:17 - Uses MEMBERS as the secret parameter name, but the actual secret passed is SENZING_MEMBERS. This appears to be standardizing the secret name in the reusable workflow interface, which is good.
  2. Potential issue: Changed condition logic

    • Multiple workflow files changed from needs.<job>.outputs.job-status to needs.<job>.result
    • Example: .github/workflows/add-labels-standardized.yaml:22
    • This is actually a correct fix - GitHub Actions uses result not outputs.job-status for job results.
  3. Configuration validation needed:

    • .github/dependabot.yml:6-8 - Added cooldown configuration with 21-day default and exclusion for senzing-factory/*. Verify this is supported in Dependabot v2 (it is as of GitHub's latest features).

❌ Project memory configuration

No .claude/CLAUDE.md file exists, so this criterion doesn't apply.

Testing

⚠️ Unit tests for new functions

N/A - This PR only modifies configuration files (GitHub Actions workflows and Dependabot config). No code functions to test.

⚠️ Integration tests for new endpoints

N/A - No endpoints modified.

⚠️ Edge cases covered

N/A - Configuration changes only.

⚠️ Test coverage > 80%

N/A - No code changes.

Documentation

✅ Readme updated if needed

No README changes needed - these are internal workflow configuration updates.

✅ API docs updated

N/A - No API changes.

✅ Inline comments for complex logic

N/A - Configuration files generally don't need inline comments, and these are self-documenting.

❌ CHANGELOG.md updated

Missing: No CHANGELOG.md update provided. This PR makes significant changes to CI/CD workflows and Dependabot configuration that should be documented:

  • Standardized workflow secret names
  • Added Dependabot cooldown periods
  • Fixed job status checking in workflows
  • Added assignees to Dependabot PRs

✅ Markdown files follow CommonMark specification

The only markdown-like content is in YAML files which are properly formatted. .vscode/cspell.json was reformatted (likely by prettier) which is good.

Security

✅ No hardcoded credentials

All secrets properly use ${{ secrets.* }} references.

✅ Input validation implemented

N/A - Configuration files.

✅ Proper error handling

The workflows properly check for failure/cancelled states before triggering notifications.

✅ No sensitive data in logs

No sensitive data exposed.

✅ No license files or AQAAAD strings

No .lic files or license strings detected in the diff.


Summary

Critical Issues: 0

Major Issues: 1

  1. Missing CHANGELOG.md update - Workflow standardization changes should be documented.

Minor Issues/Observations:

  1. .github/dependabot.yml:6-8 - Verify the cooldown configuration is properly supported and test that Dependabot respects the 21-day cooldown with senzing-factory/* exclusions.

  2. .github/workflows/*.yaml - The change from outputs.job-status to result is correct and fixes a potential bug in failure notifications.

  3. Secret name standardization - Good improvement for consistency:

    • SENZING_MEMBERS → MEMBERS
    • SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN

Recommendations:

  1. Add CHANGELOG.md entry documenting workflow standardization and Dependabot cooldown configuration
  2. Test Dependabot cooldown behavior to ensure it works as expected
  3. Verify all workflows execute successfully after these changes

Overall Assessment: This is a good standardization PR that fixes actual bugs (job status checking) and improves consistency. The only blocking issue is the missing CHANGELOG update.

Automated code review analyzing defects and coding standards

kernelsam force-pushed the skern-workflow-standardize branch from a7614b5 to d41c468 on February 16, 2026 22:31
kernelsam force-pushed the skern-workflow-standardize branch from d41c468 to 7c333c5 on February 16, 2026 22:43
@github-actions

🤖 Claude Code Review

Let me proceed with the code review based on the diff provided and general best practices.


Code Review - PR Analysis

Summary

This PR standardizes GitHub workflows to use build-resources v4, updating secret names, adding Slack channel configurations, and enhancing Dependabot configuration. Overall quality is good with consistent patterns, but there are some items requiring attention.


Code Quality

✅ Code follows style guide

  • YAML formatting is consistent and clean
  • Proper indentation (2 spaces) throughout
  • Uses YAML document markers (---) appropriately in .github/dependabot.yml:1

✅ No commented-out code

  • All previous commented lines have been removed (e.g., removed comments from dependabot.yml:1-2)

✅ Meaningful variable names

  • Secret names are clear: CODEOWNER_PR_RW_TOKEN, PROJECT_RW_TOKEN, MEMBERS
  • Variable names are descriptive and follow conventions

✅ DRY principle followed

  • Consistent pattern of adding SLACK_CHANNEL secret across multiple workflows
  • Reusable workflow references updated uniformly to @v4

⚠️ Identify Defects

CRITICAL ISSUE - Secret Name Inconsistency:

  • .github/workflows/add-labels-standardized.yaml:17 - The secret is mapped as MEMBERS: ${{ secrets.SENZING_MEMBERS }} but the reusable workflow may expect SENZING_MEMBERS. This could break the workflow if the called workflow hasn't been updated to use MEMBERS instead.

POTENTIAL ISSUES:

  1. Breaking Changes in Secret Names (Multiple files):

    • SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN
    • SENZING_MEMBERS → MEMBERS

    These changes will fail if the repository secrets haven't been renamed or if the v4 workflows expect different names. Verify all repository secrets exist with the new names.

  2. Missing context change (Multiple files):

    • Changed from needs.*.outputs.job-status to needs.*.result
    • This is correct IF the v4 workflows no longer output job-status. Verify the v4 reusable workflows removed this output.
  3. Dependabot cooldown configuration (.github/dependabot.yml:7-10):

    • Unusual pattern: 21-day cooldown for all updates except senzing-factory/*
    • This may delay security updates significantly
    • Consider if this is intentional or if security updates should have shorter cooldowns
  4. Assignee hardcoded (.github/dependabot.yml:5-6):

    • assignees: - "kernelsam" hardcodes a specific user
    • This creates a single point of dependency; consider using a team or multiple assignees

Testing

❌ Unit tests for new functions

  • N/A - This PR only modifies configuration files (no code logic)

❌ Integration tests for new endpoints

  • N/A - No endpoints modified

⚠️ Edge cases covered

  • Missing: No validation that the v4 workflows are compatible with these secret name changes
  • Recommendation: Test in a staging/dev environment before merging

❌ Test coverage > 80%

  • N/A - Configuration changes only

Documentation

⚠️ Readme updated if needed

  • No README changes included
  • Recommendation: Document the secret name changes if there's a setup/deployment guide

❌ API docs updated

  • N/A - No API changes

⚠️ Inline comments for complex logic

  • Removed helpful comments from dependabot.yml:1-2
  • Recommendation: Consider keeping a reference comment to the documentation URL, even if standardizing format

❌ CHANGELOG.md updated

  • No CHANGELOG update included
  • Recommendation: Document this breaking change (secret name updates, workflow version bump)

✅ Markdown files follow CommonMark

  • .vscode/cspell.json formatting improved (arrays properly formatted)
  • No markdown files modified in this PR

Security

✅ No hardcoded credentials

  • All secrets properly referenced via ${{ secrets.* }}

✅ Input validation implemented

  • N/A - Configuration files only

✅ Proper error handling

  • Slack notifications configured for failures: if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.*.result) }}

✅ No sensitive data in logs

  • No logging changes introduced

✅ No license files checked in

  • No .lic files or AQAAAD strings present

Critical Items Requiring Action

  1. VERIFY SECRET NAMES - Confirm all repository secrets have been renamed:

    • SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN
    • SENZING_MEMBERS → MEMBERS (or verify v4 workflow accepts MEMBERS)
    • Confirm SLACK_CHANNEL secret exists
  2. TEST WORKFLOW COMPATIBILITY - Validate that:

    • v4 workflows use needs.*.result instead of needs.*.outputs.job-status
    • v4 workflows accept the new secret parameter names
    • All workflows execute successfully with these changes
  3. UPDATE CHANGELOG - Document breaking changes and version bump

  4. REVIEW DEPENDABOT COOLDOWN - Confirm 21-day cooldown is intentional and won't delay critical security patches


Recommendations

  • Add a migration guide comment in the PR description explaining secret renames
  • Consider reverting the hardcoded assignee to use a team or org variable
  • Add workflow dispatch triggers for manual testing before merge
  • Keep a documentation reference comment in dependabot.yml for maintainability

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Fail ❌
YAML_PRETTIER Fail ❌

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

YAML
/github/workspace/.github/dependabot.yml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/dependabot.yml:23:1: [error] too many blank lines (1 > 0) (empty-lines)
/github/workspace/.github/workflows/add-labels-standardized.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-labels-standardized.yaml:22:81: [warning] line too long (104 > 80 characters) (line-length)
/github/workspace/.github/workflows/add-to-project-g2-python-dependabot.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-g2-python-dependabot.yaml:21:81: [warning] line too long (113 > 80 characters) (line-length)
/github/workspace/.github/workflows/add-to-project-g2-python.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-g2-python.yaml:24:81: [warning] line too long (102 > 80 characters) (line-length)
/github/workspace/.github/workflows/dependabot-approve-and-merge.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/lint-workflows.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/move-pr-to-done-dependabot.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/pylint.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/pylint.yaml:40:81: [warning] line too long (164 > 80 characters) (line-length)
YAML_PRETTIER
Checking formatting...
[warn] .github/dependabot.yml
[warn] Code style issues found in the above file. Run Prettier with --write to fix.

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

docktermj merged commit 9eaf485 into main on Feb 17, 2026
29 checks passed
docktermj deleted the skern-workflow-standardize branch on February 17, 2026 13:21