Update workflows for build-resources v4 #24

Merged
kernelsam merged 2 commits into main from skern-workflow-standardize
Feb 16, 2026

@kernelsam
Contributor

Summary

  • Rename secret keys for build-resources v4 (SENZING_MEMBERS → MEMBERS, etc.)
  • Replace .outputs.job-status with .result
  • Bump pull-requests permission to write in lint-repo.yaml
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all @v3/@v2 build-resources references to @v4
  • Standardize dependabot config (assignees, cooldown, groups)
  • Add kernelsam and cooldown to cspell dictionary

@kernelsam kernelsam requested a review from a team as a code owner February 16, 2026 19:28
@kernelsam kernelsam self-assigned this Feb 16, 2026
@kernelsam kernelsam requested a review from docktermj February 16, 2026 19:28
@github-actions

🤖 Claude Code Review

Let me proceed with the review based on the checklist and standard practices:


Code Review Results

Code Quality

✅ Code follows style guide

The YAML files follow standard conventions with proper indentation and structure. Changes are consistent with GitHub Actions best practices.

✅ No commented-out code

All clear - The diff shows removal of commented code (lines 1-2 in .github/dependabot.yml), which is a positive change.

✅ Meaningful variable names

All clear - Secret names are descriptive and follow conventions:

  • CODEOWNER_PR_RW_TOKEN (more generic than SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN)
  • PROJECT_RW_TOKEN (more generic than SENZING_GITHUB_PROJECT_RW_TOKEN)
  • MEMBERS (more generic than SENZING_MEMBERS)

✅ DRY principle followed

All clear - Changes standardize the interface to reusable workflows by using generic parameter names.

✅ No Defects Identified

All clear - Changes are configuration updates to:

  1. Upgrade workflows from v3 to v4
  2. Standardize secret names (more generic naming)
  3. Add new Dependabot configuration options (cooldown, grouping, assignees)
  4. Fix job status references from outputs.job-status to .result (correct GitHub Actions syntax)
  5. Add missing SLACK_CHANNEL secret

Notable Improvements:

  • .github/workflows/add-labels-standardized.yaml:22 - Changed from needs.add-issue-labels.outputs.job-status to needs.add-issue-labels.result (correct syntax)
  • .github/workflows/add-to-project-senzing-dependabot.yaml:21 - Same correction
  • .github/workflows/add-to-project-senzing.yaml:24 - Same correction

✅ Project Memory

No .claude/CLAUDE.md file exists in the project.

Testing

⚠️ Unit tests for new functions

N/A - This PR contains only configuration changes (YAML files), no executable code requiring unit tests.

⚠️ Integration tests for new endpoints

N/A - No new endpoints added; these are GitHub Actions workflow configurations.

⚠️ Edge cases covered

N/A - Configuration changes only.

⚠️ Test coverage > 80%

N/A - No code coverage applicable to YAML configuration.

Documentation

❌ Readme updated if needed

Missing - The PR adds significant new Dependabot configuration options but doesn't include README updates explaining:

  • The new cooldown feature with 21-day default and exclusions for senzing-factory/*
  • The new grouping strategy for senzing-factory packages
  • The assignee configuration (kernelsam)

Recommendation: Add documentation explaining these configuration choices, especially the cooldown periods and grouping strategy.

✅ API docs updated

N/A - No API changes.

✅ Inline comments for complex logic

All clear - The removed comment in dependabot.yml (line 1-2) was redundant documentation. The configuration is self-explanatory.

❌ CHANGELOG.md updated

Missing - No CHANGELOG.md file exists, but this is a significant configuration change that should be documented somewhere. Consider adding:

  • Upgrade to build-resources v4
  • New Dependabot cooldown and grouping configuration
  • Standardized secret naming conventions

✅ Markdown files follow CommonMark

N/A - No markdown files modified in this PR.

Security

✅ No hardcoded credentials

All clear - All credentials properly use GitHub secrets syntax ${{ secrets.* }}.

✅ Input validation implemented

All clear - GitHub Actions handles validation of workflow inputs.

✅ Proper error handling

All clear - Slack notification jobs correctly trigger on failure/cancelled states.

✅ No sensitive data in logs

All clear - No logging of sensitive data.

✅ No license files checked in

All clear - No .lic files or AQAAAD strings in the diff.


Summary

Overall Assessment: APPROVED WITH RECOMMENDATIONS

Critical Issues: 0

Recommendations:

  1. Documentation - Add README or documentation explaining the new Dependabot configuration options (.github/dependabot.yml:5-13)
  2. Changelog - Consider documenting this upgrade to build-resources v4 and the configuration changes

Positive Changes:

  • ✅ Removed unnecessary comments
  • ✅ Fixed incorrect GitHub Actions syntax (.outputs.job-status → .result)
  • ✅ Standardized secret naming conventions for better reusability
  • ✅ Added missing SLACK_CHANNEL secret to notification jobs
  • ✅ Enhanced Dependabot configuration with cooldown and grouping features
  • ✅ Consistent upgrade to v4 across all reusable workflows

The code quality is high, and the changes represent a well-planned upgrade to the build infrastructure. The only gaps are in documentation.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@kernelsam kernelsam enabled auto-merge (squash) February 16, 2026 19:47
@kernelsam kernelsam assigned docktermj and unassigned kernelsam Feb 16, 2026
@github-actions

🤖 Claude Code Review

Code Review Results

Summary

This PR updates GitHub Actions workflows to use build-resources v4 and standardizes secret naming conventions. The changes are primarily configuration updates for CI/CD workflows.


Code Quality

✅ Code follows style guide

All YAML files follow proper GitHub Actions syntax and conventions. The code is well-structured and consistent.

✅ No commented-out code

The changes remove commented-out documentation headers in .github/dependabot.yml (lines 1-2 in the old version), which is good cleanup.

✅ Meaningful variable names

All secret names and workflow references are clear and descriptive:

  • PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, MEMBERS, SLACK_CHANNEL are all self-explanatory
  • The naming is more generic (removing "SENZING_" prefix in some cases) which improves reusability

✅ DRY principle followed

No code duplication detected. The changes consistently update patterns across multiple files.

✅ No defects identified

The logic changes are sound:

  • Changing from needs.<job>.outputs.job-status to needs.<job>.result is correct (using GitHub Actions native result instead of custom output)
  • Secret name standardization is properly applied across all workflows
  • Permission updates are appropriate (adding pull-requests: write to lint-workflows.yaml:16)

❌ New configuration in dependabot.yml needs validation

File: .github/dependabot.yml
Lines: 4-14

The new cooldown configuration at lines 6-9 has an exclude pattern:

cooldown:
  default-days: 21
  exclude:
    - "senzing-factory/*"

Issue: This appears to exclude senzing-factory/* dependencies from the cooldown period, but then immediately groups them at lines 11-14. This may be intentional (to allow senzing-factory updates daily while others are on 21-day cooldown), but should be verified that this is the desired behavior.


Testing

⚠️ No unit tests (N/A for workflow configuration)

This PR contains GitHub Actions workflow configuration files only - no testable code.

⚠️ No integration tests (N/A for workflow configuration)

Workflow changes will be tested when they run in GitHub Actions.

⚠️ Edge cases (N/A for workflow configuration)

The workflows will be tested by actual GitHub Actions execution.

⚠️ Test coverage (N/A for workflow configuration)

Not applicable for configuration files.


Documentation

✅ README updated if needed

No README changes needed - these are workflow configuration updates.

✅ API docs updated

No API changes in this PR.

✅ Inline comments for complex logic

The YAML is self-documenting. The removed comment in dependabot.yml was just a link to GitHub docs, which is not necessary.

⚠️ CHANGELOG.md not updated

File: CHANGELOG.md (missing)
No CHANGELOG.md exists in the repository, and none was updated. For infrastructure changes like workflow updates, a changelog entry would help track the migration to v4.

❌ Markdown formatting issues in cspell.json

File: .vscode/cspell.json
Line: 15

The formatting changed from multi-line to single-line for ignorePaths:

"ignorePaths": [".git/**"]

Issue: While this is valid JSON, the diff shows inconsistent formatting. The original multi-line format was more readable. The words array was also reformatted with different ordering (alphabetical). This appears to be an auto-formatter change (likely Prettier) which is fine, but should be consistently applied across the repository.


Security

✅ No hardcoded credentials

All secrets are properly referenced via ${{ secrets.* }} syntax.

✅ Input validation implemented

GitHub Actions handles input validation for workflow configurations.

✅ Proper error handling

The slack-notification jobs properly check for failures with:

if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.<job>.result) }}

✅ No sensitive data in logs

No sensitive information is logged.

✅ No license files checked in

No .lic files or AQAAAD strings detected in the diff.

✅ Secret naming improvements

The secret names are being standardized from organization-specific names (e.g., SENZING_GITHUB_PROJECT_RW_TOKEN) to generic names (e.g., PROJECT_RW_TOKEN). This is good for template reusability across different organizations.


Critical Issues: 0

Warnings: 2

Recommendations:

  1. Verify cooldown configuration logic (.github/dependabot.yml:6-14): Confirm that the intent is to exclude senzing-factory/* from the 21-day cooldown while grouping them for daily updates.

  2. Consider adding CHANGELOG.md: Document the migration to build-resources v4 and the secret naming standardization for future reference.

  3. JSON formatting: The .vscode/cspell.json changes appear to be auto-formatter adjustments. If using Prettier, ensure it's consistently applied across all JSON files in the repository.


Overall Assessment: ✅ APPROVED WITH RECOMMENDATIONS

The PR is well-structured and makes sensible updates to modernize the GitHub Actions workflows. The changes improve maintainability and follow GitHub Actions best practices. The main items to address are the cooldown configuration verification and documentation updates.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@kernelsam kernelsam merged commit 3313996 into main Feb 16, 2026
24 checks passed
@kernelsam kernelsam deleted the skern-workflow-standardize branch February 16, 2026 20:33