reusable cspell, claude pr reviews, link issues and prs

[kernelsam]

Issue number: senzing-factory/build-resources#232 senzing-factory/build-resources#227 senzing-factory/build-resources#10

---

Resolves senzing-factory/build-resources#232
Resolves senzing-factory/build-resources#227
Resolves senzing-factory/build-resources#10

[github-actions]

🤖 Claude Code Review

PR Code Review for sz-python-tools

Code Quality

✅ Code follows style guide

The workflow YAML files follow standard GitHub Actions formatting conventions. The files use consistent indentation (2 spaces), clear naming, and proper YAML structure.

✅ No commented-out code

All code is active and necessary. No commented-out sections found.

✅ Meaningful variable names

Workflow names are clear and descriptive:

• claude-pr-review.yaml - clearly indicates Claude PR review functionality
• link-issues-to-pr-post-merge.yaml - describes the post-merge linking behavior
• spellcheck.yaml - clearly indicates spell checking

✅ DRY principle followed

Excellent refactoring! The spellcheck.yaml refactoring from inline steps to a reusable workflow at .github/workflows/spellcheck.yaml:13 follows DRY principles perfectly. This change consolidates duplicated spell checking logic into a centralized reusable workflow.

Before: 14 lines of duplicated configuration
After: 1 line calling a reusable workflow

✅ Identify Defects

No bugs, logic errors, or edge cases detected. The workflows are properly structured:

• .github/workflows/claude-pr-review.yaml:4-5: Good use of concurrency control to prevent multiple reviews
• .github/workflows/link-issues-to-pr-post-merge.yaml:12: Proper conditional check github.event.pull_request.merged == true prevents running on closed-but-not-merged PRs
• .github/workflows/link-issues-to-pr-post-merge.yaml:11: Comment clearly explains the conditional logic

Testing

⚠️ Unit tests for new functions

N/A - This PR only adds GitHub Actions workflow files, which are declarative configuration rather than executable code requiring unit tests. However, workflow behavior should be verified through actual PR testing.

⚠️ Integration tests for new endpoints

N/A - No endpoints added. These are GitHub Actions workflows.

⚠️ Edge cases covered

Partial - The workflows handle some edge cases:

• .github/workflows/claude-pr-review.yaml:4-5: Handles concurrent PR updates
• .github/workflows/link-issues-to-pr-post-merge.yaml:12: Distinguishes between closed vs merged PRs

Missing edge case considerations:

• What happens if CLAUDE_CODE_OAUTH_TOKEN secret is missing/invalid?
• No error handling or fallback if reusable workflows fail

❌ Test coverage > 80%

Not Applicable - This is infrastructure configuration, not testable code in the traditional sense. Coverage metrics don't apply to YAML workflow definitions.

Documentation

❌ README updated if needed

MISSING - The .github/workflows/README.md file should be updated to document the three new/modified workflows:

1. claude-pr-review.yaml - Not documented at all
2. link-issues-to-pr-post-merge.yaml - Not documented at all
3. spellcheck.yaml - Existing documentation may be outdated after refactoring

The README currently documents other workflows but these three are missing entries.

Required additions at .github/workflows/README.md:

## claude-pr-review.yaml

When a Pull Request is opened or updated,
this action runs Claude Code to perform automated code review.

- [Claude PR Review GitHub Action]
  - Uses: [senzing-factory/build-resources/.../claude-pull-request-review.yaml]

## link-issues-to-pr-post-merge.yaml

When a Pull Request is merged into the main branch,
this action automatically links referenced issues to the PR.

- [Link Issues to PR Post Merge GitHub Action]
  - Uses: [senzing-factory/build-resources/.../link-issues-to-pull-request-post-merge.yaml]

## spellcheck.yaml

When a Pull Request is made against the main branch,
this action runs spell checking using cspell.

- [Spellcheck GitHub Action]
  - Uses: [senzing-factory/build-resources/.../cspell.yaml]

✅ API docs updated

N/A - No API changes in this PR.

✅ Inline comments for complex logic

Good inline comment at .github/workflows/link-issues-to-pr-post-merge.yaml:11:

# Only run if PR was actually merged (not just closed)

❌ CHANGELOG.md updated

MISSING - The CHANGELOG.md at /home/runner/work/sz-python-tools/sz-python-tools/CHANGELOG.md should be updated to reflect these infrastructure improvements under the [Unreleased] section.

Suggested entry:

## [Unreleased]

### Added

- Claude PR Review automation workflow
- Automatic issue-to-PR linking on merge
- Centralized spell check using reusable workflow

### Changed

- Refactored spellcheck workflow to use centralized reusable workflow

Security

✅ No hardcoded credentials

Credentials properly use GitHub secrets: .github/workflows/claude-pr-review.yaml:20

secrets:
  CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

✅ Input validation implemented

GitHub Actions workflows have built-in input validation. Permissions are properly scoped with principle of least privilege:

• .github/workflows/claude-pr-review.yaml:11: Top-level permissions: {} (empty/none)
• .github/workflows/claude-pr-review.yaml:16-18: Job-level permissions grant only contents: read and pull-requests: write
• .github/workflows/link-issues-to-pr-post-merge.yaml:7: Top-level permissions: {}
• .github/workflows/link-issues-to-pr-post-merge.yaml:13-15: Job-level permissions properly scoped

✅ Proper error handling

GitHub Actions handle errors automatically. Workflows will fail gracefully if reusable workflows encounter errors.

✅ No sensitive data in logs

No sensitive data exposure detected. Secrets are properly masked in GitHub Actions logs.

🔴 CRITICAL: License file detected

SECURITY VIOLATION DETECTED at /home/runner/work/sz-python-tools/sz-python-tools/testdata/senzing-license/g2.lic:1

The file contains binary-encoded license data that appears to include encoded strings. While this file pre-exists in the repository (not added by this PR), it should be flagged:

• File: testdata/senzing-license/g2.lic
• Issue: Contains what appears to be encoded license information
• Note: This is test data and was not added in this PR, but should be verified it's intentionally checked in

This is not a blocker for THIS PR since the .lic file was not added or modified in this change, but it should be verified with the team that license files are supposed to be in version control.

Summary

✅ Strengths

1. Excellent DRY refactoring of spellcheck workflow
2. Proper security practices with scoped permissions and secret management
3. Good use of reusable workflows from senzing-factory/build-resources
4. Clear conditional logic with explanatory comments
5. Proper concurrency controls

❌ Required Changes

1. Update .github/workflows/README.md to document all three workflows
2. Update CHANGELOG.md with entries for these infrastructure improvements

⚠️ Recommendations

1. Consider adding error notification mechanisms if reusable workflows fail
2. Verify the CLAUDE_CODE_OAUTH_TOKEN secret is configured in the repository settings
3. Test these workflows on an actual PR to ensure they work as expected

Overall Assessment

Approve with minor documentation updates required. The code quality is excellent and follows best practices for GitHub Actions workflows. The only blocking issues are missing documentation updates to the README and CHANGELOG.

Automated code review analyzing defects and coding standards