Migrate slack notifications to composite action

[kernelsam]

Summary

• Replace standalone slack-notification jobs with inline composite action step from senzing-factory/build-resources/slack-failure-notification@v4
• Pass SLACK_BOT_TOKEN and SLACK_CHANNEL secrets to reusable workflows (add-labels-to-issue, add-to-project, add-to-project-dependabot) that now handle notifications internally
• Add concurrency groups where missing (skip tag-only and project management workflows)
• Remove unused outputs: status from jobs that only existed for the old notification pattern
• Use sdk-versions composite action instead of hardcoded version lists (code-snippets-v4 only)

Test plan

• Verify add-labels and add-to-project workflows still function on issue creation
• Verify build/test workflows notify on failure
• Verify concurrency cancels in-progress runs on new pushes

[github-actions]

🤖 Claude Code Review

PR Code Review

Summary

This PR migrates Slack failure notifications from a separate reusable workflow job (build-failure-slack-notification.yaml@v4) to a composite action used as an inline step, and adds concurrency blocks to several workflows. Changes are confined to .github/ files.

---

Code Quality

Style guide ✅
YAML formatting is consistent and follows standard GitHub Actions conventions. Unable to fetch the remote style guide URL, but no deviations from expected patterns are visible.

No commented-out code ✅

Meaningful variable names ✅

DRY principle ✅
The PR improves DRY by centralizing Slack notification logic into a single composite action rather than duplicating a separate job per workflow.

Defects ❌

Critical behavior regression in .github/workflows/docker-push-containers-to-dockerhub.yaml, line 36:

- name: Notify Slack on failure
  if: (failure() || cancelled())

In GitHub Actions, when a job is cancelled, pending steps are set to skipped and do not execute — even if their if expression references cancelled(). The always() function is required to force evaluation. Without it, the Slack step will silently not fire on workflow cancellations.

The old pattern correctly used always() on the separate job:

if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.docker-push-containers-to-dockerhub.result) }}

Fix:

if: always() && (failure() || cancelled())

Minor concern in .github/workflows/add-labels-standardized.yaml: SLACK_BOT_TOKEN and SLACK_CHANNEL are now being forwarded into add-labels-to-issue.yaml@v4. This only works if the upstream reusable workflow declares and uses those secrets. If not, the secrets are silently ignored and no notification is sent on failure. The same applies to add-to-project-senzing-dependabot.yaml and add-to-project-senzing.yaml. Worth confirming against the upstream workflow definitions.

---

Testing

✅ N/A — workflow YAML changes; no unit/integration tests required.

---

Documentation

CHANGELOG.md — The [Unreleased] section exists but does not appear to be updated for this PR. For CI/CD infrastructure changes this may be optional per team convention, but worth confirming.

README / API docs ✅ — Not applicable for workflow-only changes.

---

Security

No hardcoded credentials ✅

Secrets handling ✅ — All secrets are referenced via ${{ secrets.* }}.

zizmor suppression ✅ — Adding secrets-outside-env ignore for docker-push-containers-to-dockerhub.yaml is intentional and documented. Passing secrets as composite action with inputs (rather than env) is the expected pattern for this type of action.

No license files (.lic / AQAAAD-prefixed content) ✅

---

Summary Table

Item	Status	Notes
Style guide	✅	Consistent YAML formatting
No commented-out code	✅
DRY principle	✅	Improved
Defects	❌	cancelled() without always() won't fire on cancellation
Upstream secret contracts	⚠️	Verify upstream workflows accept forwarded Slack secrets
Tests	✅	N/A
CHANGELOG	⚠️	[Unreleased] section not updated
Security	✅

Action Required

The if: (failure() || cancelled()) condition on line 36 of docker-push-containers-to-dockerhub.yaml should be changed to if: always() && (failure() || cancelled()) to preserve the cancellation-notification behavior that existed in the old separate-job approach.

Automated code review analyzing defects and coding standards

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Fail ❌
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

GITHUB_ACTIONS_ZIZMOR

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/docker-build-container.yaml:33:25
   �[1m�[94m|�[0m
�[1m�[94m16�[0m �[1m�[94m|�[0m   docker-build-container:
   �[1m�[94m|�[0m   �[1m�[94m----------------------�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m33�[0m �[1m�[94m|�[0m           password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
   �[1m�[94m|�[0m                         �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/docker-build-container.yaml:34:25
   �[1m�[94m|�[0m
�[1m�[94m16�[0m �[1m�[94m|�[0m   docker-build-container:
   �[1m�[94m|�[0m   �[1m�[94m----------------------�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m           username: ${{ secrets.DOCKERHUB_USERNAME }}
   �[1m�[94m|�[0m                         �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[32m16�[39m findings (�[1m�[93m4�[39m ignored, �[93m10�[39m suppressed�[0m): �[35m0�[39m informational, �[36m0�[39m low, �[33m2�[39m medium, �[31m0�[39m high🌈 zizmor v1.23.1
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/add-labels-standardized.yaml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/add-to-project-senzing-dependabot.yaml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/add-to-project-senzing.yaml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/docker-build-container.yaml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/docker-push-containers-to-dockerhub.yaml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/lint-workflows.yaml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/spellcheck.yaml

[github-actions]

🤖 Claude Code Review

Code Review

This PR refactors GitHub Actions workflows to consolidate Slack notifications, add concurrency controls, and update triggers. Here is the review:

---

Code Quality

✅ No commented-out code — All removed lines are active YAML, not comments.

✅ Meaningful variable names — Workflow names, job IDs, and secret references are clear and consistent.

✅ DRY principle — The PR reduces repetition by consolidating Slack notification logic: either delegating it to called reusable workflows (passing SLACK_BOT_TOKEN/SLACK_CHANNEL through), or using inline composite action steps. This is an improvement.

✅ No defects detected — However, two behavioral changes are worth confirming are intentional:

1. lint-workflows.yaml trigger narrowed (line ~4–6): The push: branches-ignore: [main] trigger is removed, leaving only pull_request: branches: [main]. This means lint no longer runs on direct branch pushes, only on PRs targeting main. This eliminates double runs when a PR branch is pushed, which is consistent with the added concurrency group. Confirm this is the desired behavior.

2. docker-push-containers-to-dockerhub.yaml notification approach changed: The separate slack-notification job (which ran always()) is replaced by an inline composite action step using senzing-factory/build-resources/slack-failure-notification@v4. The inline step uses job.status instead of needs.<job>.result. This is semantically equivalent for the failure/cancelled case, but the inline step can only trigger if the job reaches that step — if an earlier step hard-fails and skips subsequent steps entirely, the notification step may not fire. Verify the composite action handles this correctly.

✅ No .claude/CLAUDE.md found — No project-level Claude configuration to review.

---

Testing

✅ N/A — Changes are limited to CI/CD workflow YAML files. No application logic was modified.

---

Documentation

✅ README not required — These are internal CI workflow changes with no user-facing API impact.

⚠️ CHANGELOG.md not updated — The [Unreleased] section in CHANGELOG.md has no entry for these workflow changes. For CI-only changes, this is often acceptable by convention. Confirm whether your project's convention requires logging workflow/infrastructure changes.

✅ No complex inline logic — The YAML changes are straightforward; no additional comments are needed.

✅ Markdown formatting — The YAML files are well-structured. No Markdown formatting issues in the diff.

---

Security

✅ No hardcoded credentials — All secrets use ${{ secrets.* }} references.

✅ zizmor.yaml suppression is justified — The secrets-outside-env ignore for docker-build-container.yaml and docker-push-containers-to-dockerhub.yaml is appropriate because the secrets are passed as with: inputs to composite actions (not as environment variables), which is the correct and safe pattern for composite actions. The suppression is targeted (file-level), not blanket.

✅ No sensitive data in logs — No echo or log statements involving secrets.

✅ No .lic files — No license files checked in.

✅ Input validation N/A — No application logic modified.

---

Summary

The PR is clean and the changes are well-scoped. Two items to confirm before merging:

1. Intentional? Removing the push trigger from lint-workflows.yaml means linting only runs on PRs, not on branch pushes without a PR.
2. Verified? The inline Notify Slack on failure step in docker-push-containers-to-dockerhub.yaml will execute if the job fails — confirm the composite action handles the step-skip-on-earlier-failure scenario correctly.

---

Automated code review analyzing defects and coding standards

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter