standardize workflows for build-resources v4 #336

Merged: docktermj merged 2 commits into main from skern-workflow-standardize on Feb 17, 2026

@kernelsam
Contributor

Summary

  • Rename reusable workflow secret keys for build-resources v4
  • Replace .outputs.job-status with .result
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all build-resources workflow refs to @v4
  • Standardize dependabot config (cooldown, groups, assignees)
  • Add kernelsam and cooldown to cspell dictionary

@kernelsam kernelsam requested review from a team as code owners February 16, 2026 22:16
@kernelsam kernelsam self-assigned this Feb 16, 2026
@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from 30fd4d4 to 67016f7 Compare February 16, 2026 22:34
@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from 67016f7 to b2d4b1e Compare February 16, 2026 22:46
@github-actions

🤖 Claude Code Review

Code Review Analysis

Code Quality

✅ Code follows style guide

All changes follow proper YAML formatting conventions. The modifications are consistent with standard GitHub Actions configuration patterns.

✅ No commented-out code

The only comment removed was a documentation link in .github/dependabot.yml:1-2, which is appropriate. No commented-out code present.

✅ Meaningful variable names

Variable and key names are clear and follow GitHub Actions conventions (e.g., CODEOWNER_PR_RW_TOKEN, PROJECT_RW_TOKEN).

✅ DRY principle followed

The changes standardize workflow configurations across multiple files, reducing duplication by consistently using v4 of build-resources workflows.

✅ No defects identified

Changes are primarily configuration updates:

  • Upgrading workflow versions from v3 to v4
  • Standardizing secret names (e.g., SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN)
  • Adding missing SLACK_CHANNEL secret parameter
  • Fixing job status references (.outputs.job-status → .result)
  • Adding dependabot assignee and grouping configuration

The .result change is correct - GitHub Actions uses .result for job outcomes, not .outputs.job-status.

✅ Project memory considerations

The .claude/CLAUDE.md file provides project context. These workflow changes don't conflict with project-specific requirements and are infrastructure updates unrelated to Python code style.

Testing

❌ Unit tests for new functions

Not applicable - These are GitHub Actions workflow configuration changes, not application code. However, these workflows should be tested through actual GitHub Actions runs.

❌ Integration tests for new endpoints

Not applicable - No application endpoints modified.

❌ Edge cases covered

Not applicable - Configuration changes.

❌ Test coverage > 80%

Not applicable - Configuration changes don't affect Python test coverage.

Documentation

⚠️ Readme updated if needed

No README changes included. Consider documenting the workflow version upgrade if there are breaking changes in build-resources v3→v4.

✅ API docs updated

Not applicable - No API changes.

✅ Inline comments for complex logic

YAML configurations are self-documenting. The removal of the dependabot documentation comment is acceptable as the link can be found in GitHub's documentation.

❌ CHANGELOG.md updated

Not found - There is no CHANGELOG.md in the repository root based on the git status. If workflow changes should be tracked, consider adding an entry.

Location: Would be /home/runner/work/sz-python-tools/sz-python-tools/CHANGELOG.md

✅ Markdown files follow CommonMark

No markdown files modified in this PR.

Security

✅ No hardcoded credentials

All secrets properly referenced using ${{ secrets.* }} syntax.

✅ Input validation implemented

Not applicable - These are GitHub Actions configurations with strongly-typed inputs.

✅ Proper error handling

The workflows include slack notification jobs that trigger on failure/cancellation, which is appropriate error handling for CI/CD.

✅ No sensitive data in logs

No logging changes that would expose sensitive data.

✅ No license files checked in

No .lic files or AQAAAD strings present in the diff.

Additional Observations

Positive Changes:

  1. Dependabot improvements (.github/dependabot.yml:1-23):

    • Added assignee kernelsam for notifications
    • Added grouping for senzing-factory updates to reduce PR noise
    • Proper YAML formatting with --- document separator
  2. Consistent secret naming across multiple workflows:

    • Standardizes on generic names (PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, MEMBERS) instead of Senzing-specific prefixes
    • Makes workflows more reusable
  3. Bug fix - Changed .outputs.job-status to .result in conditional checks:

    • Files: All workflow files with slack notifications
    • This is the correct GitHub Actions syntax for checking job outcomes
  4. Added missing parameter SLACK_CHANNEL secret:

    • Required by build-resources v4
    • Files: All workflows with slack notifications
  5. Permission update (.github/workflows/lint-workflows.yaml:18):

    • Added pull-requests: write permission (changed from read)
    • Likely required for v4 workflow to post lint results

Spelling dictionary update:

.vscode/cspell.json:171 - Added kernelsam to dictionary for the new assignee name.

Summary

Overall Assessment: ✅ Approved

This PR successfully standardizes GitHub Actions workflows to use build-resources v4, with appropriate configuration updates and bug fixes. The changes are low-risk infrastructure updates that improve consistency and correctness.

Recommendation: Approve and merge. Consider adding a CHANGELOG entry if this project tracks infrastructure changes.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj self-assigned this Feb 17, 2026
@docktermj docktermj enabled auto-merge (squash) February 17, 2026 13:05
@github-actions

🤖 Claude Code Review

Code Review - Workflow Standardization Update

Summary

This PR updates GitHub Actions workflows from senzing-factory/build-resources@v3 to @v4, standardizes secret naming, and adds new Dependabot configuration. Overall, this is a configuration update with mostly positive changes, but there are a few items requiring attention.


Code Quality

✅ Code follows style guide

The YAML formatting follows the CommonMark specification requirements. The addition of the --- document start marker in .github/dependabot.yml:1 is proper YAML syntax.

✅ No commented-out code

All changes are active configuration. The previous comments in dependabot.yml:1-2 were properly removed.

✅ Meaningful variable names

Secret names are more standardized (PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, MEMBERS) which improves clarity.

✅ DRY principle followed

Consistent patterns across all workflow files.

⚠️ Identify Defects

Issue found in .github/dependabot.yml:9-10:

cooldown:
  default-days: 21
  exclude:
    - "senzing-factory/*"

The exclude field under cooldown is not a valid Dependabot configuration option according to the Dependabot documentation. The cooldown option only supports default-days. This will likely cause the configuration to be invalid or ignored.

Correct structure should be:

- package-ecosystem: "github-actions"
  assignees:
    - "kernelsam"
  cooldown:
    default-days: 21
  directory: "/"
  ignore:  # Use 'ignore' instead
    - dependency-name: "senzing-factory/*"

✅ Project memory consideration

The .claude/CLAUDE.md contains general project guidance and doesn't contain environment-specific configuration.


Testing

⚠️ Unit tests for new functions

N/A - This is configuration only, but workflows should be validated. The Dependabot configuration error noted above needs testing.

❌ Integration tests for new endpoints

The workflow changes affect CI/CD pipeline behavior. The following should be verified:

  1. .github/workflows/add-labels-standardized.yaml:22 - Changed from needs.add-issue-labels.outputs.job-status to needs.add-issue-labels.result. This is correct syntax but needs verification that @v4 workflows output the result context correctly.
  2. All secret renames need verification that corresponding GitHub secrets exist with the new names.

⚠️ Edge cases covered

  • What happens if SLACK_CHANNEL secret is not set? (Now required in multiple workflows: add-labels-standardized.yaml:25, pylint.yaml:55, etc.)
  • Dependabot cooldown exclude pattern behavior is undefined/invalid.

❌ Test coverage > 80%

Cannot assess coverage for configuration changes, but functional testing of workflow execution is required.


Documentation

❌ Readme updated if needed

No README update found. Should document:

  • The v3→v4 migration
  • New required secrets (SLACK_CHANNEL)
  • New Dependabot features (assignees, groups)
  • Any breaking changes from the workflow updates

✅ API docs updated

N/A - Configuration changes only.

⚠️ Inline comments for complex logic

The Dependabot configuration in .github/dependabot.yml:12-15 groups senzing-factory updates but lacks comments explaining the strategy. Consider adding:

# Group senzing-factory updates together to manage build-resources changes as a unit
groups:
  senzing-factory:
    patterns:
      - "senzing-factory/*"

❌ CHANGELOG.md updated

No CHANGELOG.md update found in the diff. This infrastructure change should be documented.

✅ Markdown formatting

All YAML files are properly formatted with consistent quoting and structure.


Security

✅ No hardcoded credentials

All sensitive values use GitHub secrets appropriately.

✅ Input validation implemented

N/A - Configuration files.

✅ Proper error handling

Workflow conditionals properly check for failure/cancellation states.

✅ No sensitive data in logs

Secret handling follows GitHub Actions best practices.

✅ No license files checked in

No .lic files or AQAAAD strings detected in the diff.


Critical Issues Summary

  1. .github/dependabot.yml:9-10 - Invalid exclude field under cooldown. Use ignore with dependency-name instead.

  2. Missing documentation - README and CHANGELOG should document the v3→v4 migration and new requirements.

  3. Secret verification needed - Ensure all renamed secrets exist in the repository:

    • SLACK_CHANNEL (new requirement)
    • PROJECT_RW_TOKEN (renamed from SENZING_GITHUB_PROJECT_RW_TOKEN)
    • CODEOWNER_PR_RW_TOKEN (renamed from SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN)
    • MEMBERS (renamed from SENZING_MEMBERS)
  4. .vscode/cspell.json:171 - Added "kernelsam" to dictionary. This appears to be a GitHub username for the Dependabot assignee. ✅ Acceptable.


Recommendation

Do not merge until:

  1. The Dependabot configuration syntax error is fixed
  2. Secrets are verified/renamed in GitHub repository settings
  3. CHANGELOG.md is updated
  4. Workflows are tested to confirm v4 compatibility

Automated code review analyzing defects and coding standards
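
A migration check for the items the review above asks to verify (leftover `@v3` refs, pre-v4 secret keys, `.outputs.job-status` conditions, slack callers without `SLACK_CHANNEL`), as an added example that is not part of the review comment or the repository. The `EXAMPLE-*` workflow file names, the `EXAMPLE_SLACK_TOKEN` key and the rule that slack callers have "slack" in their path are assumptions, and the sample workflow is constructed.

```python
import re

# Caller-side secret keys renamed for build-resources v4, as listed in the review.
RENAMED_KEYS = {
    "SENZING_GITHUB_PROJECT_RW_TOKEN": "PROJECT_RW_TOKEN",
    "SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN": "CODEOWNER_PR_RW_TOKEN",
    "SENZING_MEMBERS": "MEMBERS",
}
USES_RE = re.compile(r"uses:\s*senzing-factory/build-resources/(\S+)@(\S+)")
KEY_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*):")  # upper-case keys of a secrets: mapping
STATUS_RE = re.compile(r"needs\.([\w-]+)\.outputs\.job-status")


def audit_workflow(text):
    """Return (line_number, message) findings for one caller workflow file."""
    findings, keys, slack_line = [], set(), None
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if m := USES_RE.search(line):
            if m.group(2) != "v4":
                findings.append((n, f"ref @{m.group(2)}, expected @v4"))
            if "slack" in m.group(1):  # assumption: slack callers are named so
                slack_line = n
        if m := KEY_RE.match(line):
            keys.add(m.group(1))  # only the key is checked, not the secrets.* value
            if m.group(1) in RENAMED_KEYS:
                findings.append((n, f"rename key to {RENAMED_KEYS[m.group(1)]}"))
        for m in STATUS_RE.finditer(line):
            findings.append((n, f"use needs.{m.group(1)}.result"))
    if slack_line and "SLACK_CHANNEL" not in keys:
        findings.append((slack_line, "slack caller does not pass SLACK_CHANNEL"))
    return findings


# Constructed sample; EXAMPLE-* file names and EXAMPLE_SLACK_TOKEN are placeholders.
OLD_CALLER = """\
jobs:
  add-issue-labels:
    secrets:
      SENZING_MEMBERS: ${{ secrets.SENZING_MEMBERS }}
    uses: senzing-factory/build-resources/.github/workflows/EXAMPLE-add-labels.yaml@v3
  slack-notification:
    needs: [add-issue-labels]
    if: ${{ always() && needs.add-issue-labels.outputs.job-status == 'failure' }}
    secrets:
      EXAMPLE_SLACK_TOKEN: ${{ secrets.EXAMPLE_SLACK_TOKEN }}
    uses: senzing-factory/build-resources/.github/workflows/EXAMPLE-slack-notification.yaml@v3
"""
```

Calling `audit_workflow(OLD_CALLER)` returns five findings: one each on lines 4, 5 and 8, and two on line 11. The check is per file, so it does not confirm that the secrets exist in the repository settings.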

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj merged commit 5a6c704 into main Feb 17, 2026
72 checks passed
@docktermj docktermj deleted the skern-workflow-standardize branch February 17, 2026 13:10