Update workflows for build-resources v4 #132

Merged
kernelsam merged 2 commits into main from skern-workflow-standardize on Feb 16, 2026

@kernelsam
Contributor

Summary

  • Rename secret keys for build-resources v4 (SENZING_MEMBERS → MEMBERS, etc.)
  • Replace .outputs.job-status with .result
  • Bump pull-requests permission to write in lint-repo.yaml
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all @v3/@v2 build-resources references to @v4
  • Standardize dependabot config (assignees, cooldown, groups)
  • Add kernelsam and cooldown to cspell dictionary

kernelsam requested review from a team as code owners February 16, 2026 19:35
kernelsam self-assigned this Feb 16, 2026
kernelsam requested a review from docktermj February 16, 2026 19:35
@github-actions

🤖 Claude Code Review

Let me proceed with the code review based on the diff provided.


Code Review Analysis

Code Quality

Code follows style guide: The changes are primarily YAML configuration files for GitHub workflows. The formatting is consistent and follows YAML best practices with proper indentation and quoting.

No commented-out code: Clean diff with no commented-out code.

Meaningful variable names: All variable and parameter names are descriptive and follow conventions (e.g., SLACK_BOT_TOKEN, PROJECT_RW_TOKEN, job-status).

DRY principle followed: The changes consistently update workflow references from @v3 to @v4 and standardize secret parameter names across all files, which improves maintainability.

Identify Defects: No critical bugs, logic errors, or security vulnerabilities detected. The changes are configuration updates that:

  • Update workflow versions from v3 to v4
  • Standardize secret parameter names (e.g., SENZING_MEMBERS → MEMBERS, SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN)
  • Fix job status references (.outputs.job-status → .result)
  • Add missing SLACK_CHANNEL secret parameter

⚠️ Minor Issue - .github/dependabot.yml:5-8: The cooldown.exclude-patterns syntax may not be valid. According to GitHub Dependabot documentation, the cooldown configuration only supports default-days. The exclude-patterns might not be a valid configuration option. Please verify this against the official GitHub Dependabot configuration schema.

Project memory: No .claude/CLAUDE.md file exists in this project, so no project-specific considerations needed.

Testing

Unit tests for new functions: Not applicable - these are configuration file changes with no code functions.

Integration tests for new endpoints: Not applicable - no new endpoints.

Edge cases covered: Not applicable - configuration changes.

Test coverage > 80%: Not applicable - no code to test.

Note: Testing requirements don't apply to pure configuration changes. However, it's recommended to verify these workflow changes in a test environment before merging.

Documentation

Readme updated if needed: Not applicable - these workflow changes don't require README updates.

API docs updated: Not applicable - no API changes.

Inline comments for complex logic: Not applicable - configuration files are self-documenting.

⚠️ CHANGELOG.md updated: Cannot verify if CHANGELOG.md exists or has been updated. For workflow infrastructure changes like this, it's recommended to document the migration from v3 to v4 of build-resources workflows.

Markdown files formatted with prettier: The only markdown-related change is in .vscode/cspell.json which properly formats the JSON array on a single line, consistent with prettier formatting.

Security

No hardcoded credentials: All sensitive values are properly referenced through GitHub secrets (e.g., ${{ secrets.SLACK_BOT_TOKEN }}).

Input validation implemented: Not applicable - these are workflow configurations with no user input.

Proper error handling: The workflows include failure notification jobs that trigger on failure or cancelled states.

No sensitive data in logs: No sensitive data exposed in the configuration.

No license files (.lic) or AQAAAD strings: No license files or suspicious license strings found in the diff.


Summary

Overall Assessment: ✅ APPROVED with minor concerns

This PR updates GitHub workflow configurations from build-resources v3 to v4. The changes are well-structured and consistent across all workflow files.

Key Changes:

  1. Workflow version updates: @v3 → @v4 (11 files)
  2. Secret name standardization for better reusability
  3. Job status reference corrections: .outputs.job-status → .result
  4. Added missing SLACK_CHANNEL secret parameter
  5. Updated permissions in .github/workflows/lint-workflows.yaml:16 from read to write for pull-requests
  6. Added Dependabot grouping and cooldown exclusions

Issues to Address:

  1. ⚠️ Minor - .github/dependabot.yml:5-8: Verify that cooldown.exclude-patterns is valid Dependabot configuration syntax. This may not be supported and could cause the configuration to fail silently.

  2. ℹ️ Recommendation: Consider updating CHANGELOG.md to document this infrastructure upgrade.

  3. ℹ️ Recommendation: Test these workflow changes in a non-production environment first, as workflow configuration errors can break CI/CD pipelines.

Files Modified: 12 files

  • 11 GitHub workflow files
  • 1 VSCode configuration file (cspell.json - formatting improvement)

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language                     Validation result
CHECKOV                      Pass ✅
GITHUB_ACTIONS               Pass ✅
GITHUB_ACTIONS_ZIZMOR        Pass ✅
GITLEAKS                     Pass ✅
GIT_MERGE_CONFLICT_MARKERS   Pass ✅
JSCPD                        Pass ✅
PRE_COMMIT                   Pass ✅
SPELL_CODESPELL              Pass ✅
TRIVY                        Pass ✅
YAML                         Pass ✅
YAML_PRETTIER                Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@github-actions

🤖 Claude Code Review

Let me continue with the review based on the diff provided.


Code Review Results

Code Quality

  • Code follows style guide: The changes are well-formatted YAML and JSON with consistent indentation. The .vscode/cspell.json change properly formats the array on a single line.

  • No commented-out code: No commented-out code detected in any of the changes.

  • Meaningful variable names: All variable and parameter names are clear and descriptive (e.g., PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, MEMBERS, SLACK_CHANNEL).

  • DRY principle followed: The changes consistently update multiple workflow files with the same pattern, which is appropriate for standardization across workflows.

  • Identify Defects: Found several issues:

    1. .github/dependabot.yml:5-8: The cooldown.exclude syntax appears incorrect. According to Dependabot documentation, the cooldown configuration doesn't have an exclude property. This will likely cause a validation error.

    2. .github/dependabot.yml:10-13: The groups configuration is placed at the wrong indentation level. It should be indented under the package ecosystem update configuration, not at the same level as directory and schedule.

    3. .github/workflows/add-labels-standardized.yaml:22: Changed from needs.add-issue-labels.outputs.job-status to needs.add-issue-labels.result. Need to verify that the called workflow v4 no longer outputs job-status and that result is the correct property. This could cause the slack notification to fail if the property doesn't exist.

    4. Consistency issue across all workflow files: All workflow files are changing from using custom output outputs.job-status or outputs.status to using the built-in result property. This is a breaking change that assumes v4 workflows no longer provide the custom outputs. If v4 still provides those outputs, using result may not work as expected since result reflects the job completion status, not necessarily the semantic job status.

  • Project memory: No .claude/CLAUDE.md file exists, so no project-specific considerations needed.

Testing

  • ⚠️ Unit tests for new functions: N/A - No new functions added, only configuration updates.

  • ⚠️ Integration tests for new endpoints: N/A - No new endpoints added.

  • ⚠️ Edge cases covered: N/A - Configuration changes only.

  • ⚠️ Test coverage > 80%: N/A - No code changes that would affect coverage.

Documentation

  • Readme updated if needed: No README changes included. Should document the migration from v3 to v4 workflows and any breaking changes in secret names.

  • API docs updated: N/A - No API changes.

  • Inline comments for complex logic: N/A - YAML configuration is self-documenting.

  • CHANGELOG.md updated: No CHANGELOG.md changes detected. This should document:

    • Migration to build-resources v4
    • Changes to secret naming conventions
    • Changes to workflow behavior (outputs → result)
    • New Dependabot grouping configuration
  • Markdown files follow CommonMark: N/A - No markdown file changes in this PR.

Security

  • No hardcoded credentials: All secrets properly referenced via ${{ secrets.* }} syntax.

  • Input validation implemented: N/A - Configuration changes only.

  • Proper error handling: Slack notifications are properly configured to trigger on failure/cancellation.

  • No sensitive data in logs: No logging changes that would expose sensitive data.

  • No license files (.lic) or AQAAAD strings: No license files or suspicious strings detected.


Summary

Critical Issues (Must Fix):

  1. .github/dependabot.yml:5-13: The Dependabot configuration has structural errors. The cooldown.exclude property doesn't exist, and the groups configuration is incorrectly indented.

High Priority Issues:

  1. All workflow files: The change from outputs.job-status/outputs.status to result needs verification that build-resources v4 workflows are compatible with this change. Using result instead of a custom output is a significant behavioral change.

  2. Missing CHANGELOG.md: Document the v3→v4 migration and breaking changes.

Recommendations:

  • Test the Dependabot configuration in a non-production environment first
  • Verify that build-resources v4 workflows work correctly with the result property
  • Add migration documentation
  • Consider if the new SLACK_CHANNEL secret needs to be documented or added to the repository secrets

Overall Assessment: ⚠️ Changes Needed - The PR has critical configuration errors that will prevent it from working correctly.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language                     Validation result
CHECKOV                      Pass ✅
GITHUB_ACTIONS               Pass ✅
GITHUB_ACTIONS_ZIZMOR        Pass ✅
GITLEAKS                     Pass ✅
GIT_MERGE_CONFLICT_MARKERS   Pass ✅
JSCPD                        Pass ✅
PRE_COMMIT                   Pass ✅
SPELL_CODESPELL              Pass ✅
TRIVY                        Pass ✅
YAML                         Pass ✅
YAML_PRETTIER                Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

kernelsam enabled auto-merge (squash) February 16, 2026 20:33
kernelsam assigned docktermj and unassigned kernelsam Feb 16, 2026
kernelsam merged commit 2c77338 into main Feb 16, 2026
28 checks passed
kernelsam deleted the skern-workflow-standardize branch February 16, 2026 20:36