#387 bump senzing-factory/github-action-install-senzing-sdk to @v5 #388

Merged: docktermj merged 3 commits into main from 387-skern, May 15, 2026

Conversation

@kernelsam (Contributor) commented May 14, 2026

Pull request questions

Which issue does this address

Issue number: #387


Resolves #387

@kernelsam kernelsam requested a review from a team as a code owner May 14, 2026 22:26
@github-actions

🤖 Claude Code Review

PR Code Review

This PR consolidates Slack failure notifications into reusable workflows, removes standalone slack-notification jobs, bumps github-action-install-senzing-sdk from @v4 to @v5, and adds staging token minting for Darwin/Windows pytest workflows.


Code Quality

Style guide — YAML files are consistently formatted, indentation and naming follow GitHub Actions conventions.

No commented-out code — None present.

Meaningful variable names — Standard GitHub Actions conventions used throughout.

DRY principle — Moving Slack secrets into the primary job and delegating notification responsibility to the reusable workflow reduces duplication across multiple workflow files. Good improvement.

⚠️ Potential defect — Linux pytest missing staging token step

pytest-darwin.yaml and pytest-windows.yaml both add a "Mint staging token" step (used to access private Homebrew tap and Scoop bucket respectively), but pytest-linux.yaml does not get this step despite also bumping to @v5. If Linux uses a different install method (e.g., apt/rpm) that doesn't require a private repo token, this asymmetry is intentional — but it is not documented. If Linux does need it, this is a bug.

File: .github/workflows/pytest-linux.yaml

⚠️ Potential defect — concurrency block removal in dependabot-approve-and-merge.yaml

Removing the concurrency group means multiple dependabot PRs could trigger this workflow simultaneously. Depending on whether the reusable workflow handles locking or merge ordering, this could introduce race conditions when multiple auto-merges are attempted. This warrants a deliberate decision and ideally a comment or explanation in the PR description.

File: .github/workflows/dependabot-approve-and-merge.yaml

No bugs, crashes, or security vulnerabilities in the token-minting logic. The fallback ${{ steps.staging-token.outputs.token || github.token }} correctly handles the case when the step is skipped (non-production matrix entries).


Testing

N/A — These are CI/CD workflow changes; no application logic is modified.


Documentation

README — No update needed for workflow-only changes.

CHANGELOG.md — Not updated. For workflow infrastructure changes that affect how the SDK is installed (especially bumping to @v5 and adding staging token support), a changelog entry under an [Unreleased] section would be appropriate if this project maintains one.

Inline comments — The logic is straightforward and self-documenting.

Markdown formatting — No markdown files were modified.


Security

No hardcoded credentials — All sensitive values use ${{ secrets.* }}.

Slack tokens — Properly passed as secrets to reusable workflows.

Staging GitHub App credentials — SENZINGSDK_STAGING_CLIENT_ID and SENZINGSDK_STAGING_APP_KEY are stored as secrets, not hardcoded.

⚠️ Action pinning — actions/create-github-app-token@v3.1.1 is pinned to a tag, not a commit SHA. Tags are mutable and can be moved, which is a supply chain risk. GitHub's security hardening guide recommends pinning to a full commit SHA (e.g., actions/create-github-app-token@<sha>).

Files: .github/workflows/pytest-darwin.yaml, .github/workflows/pytest-windows.yaml

No .lic files or AQAAAD-prefixed content — None found.


Summary

| Area | Status |
| --- | --- |
| Code Quality | ⚠️ Two items to clarify/address |
| Testing | ✅ N/A |
| Documentation | ❌ CHANGELOG not updated |
| Security | ⚠️ Action not pinned to SHA |

Blocking: None that are definitive — the Linux staging token omission and concurrency removal should be confirmed as intentional.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

| Language | Validation result |
| --- | --- |
| CHECKOV | Pass ✅ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Fail ❌ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Pass ✅ |
| YAML | Fail ❌ |
| YAML_PRETTIER | Fail ❌ |

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

GITHUB_ACTIONS_ZIZMOR
warning[secrets-outside-env]: secrets referenced without a dedicated environment
  --> /github/workspace/.github/workflows/pytest-darwin.yaml:73:26
   |
29 |   pytest-darwin:
   |   ------------- this job
...
73 |           client-id: ${{ secrets.SENZINGSDK_STAGING_CLIENT_ID }}
   |                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#secrets-outside-env

warning[secrets-outside-env]: secrets referenced without a dedicated environment
  --> /github/workspace/.github/workflows/pytest-darwin.yaml:74:28
   |
29 |   pytest-darwin:
   |   ------------- this job
...
74 |           private-key: ${{ secrets.SENZINGSDK_STAGING_APP_KEY }}
   |                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#secrets-outside-env

warning[secrets-outside-env]: secrets referenced without a dedicated environment
  --> /github/workspace/.github/workflows/pytest-windows.yaml:71:26
   |
29 |   pytest-windows:
   |   -------------- this job
...
71 |           client-id: ${{ secrets.SENZINGSDK_STAGING_CLIENT_ID }}
   |                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#secrets-outside-env

warning[secrets-outside-env]: secrets referenced without a dedicated environment
  --> /github/workspace/.github/workflows/pytest-windows.yaml:72:28
   |
29 |   pytest-windows:
   |   -------------- this job
...
72 |           private-key: ${{ secrets.SENZINGSDK_STAGING_APP_KEY }}
   |                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#secrets-outside-env

14 findings (10 suppressed): 0 informational, 0 low, 4 medium, 0 high
🌈 zizmor v1.23.1
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/add-labels-standardized.yaml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/add-to-project-g2-python-dependabot.yaml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/add-to-project-g2-python.yaml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/add-to-project-garage-dependabot.yaml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/add-to-project-garage.yaml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/dependabot-approve-and-merge.yaml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/pylint.yaml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/pytest-darwin.yaml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/pytest-linux.yaml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/pytest-windows.yaml
YAML
/github/workspace/.github/workflows/add-labels-standardized.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-labels-standardized.yaml:21:1: [error] too many blank lines (1 > 0) (empty-lines)
/github/workspace/.github/workflows/add-to-project-g2-python-dependabot.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-g2-python-dependabot.yaml:20:1: [error] too many blank lines (1 > 0) (empty-lines)
/github/workspace/.github/workflows/add-to-project-g2-python.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-g2-python.yaml:23:1: [error] too many blank lines (1 > 0) (empty-lines)
/github/workspace/.github/workflows/add-to-project-garage-dependabot.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-garage-dependabot.yaml:20:1: [error] too many blank lines (1 > 0) (empty-lines)
/github/workspace/.github/workflows/add-to-project-garage.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-garage.yaml:23:1: [error] too many blank lines (1 > 0) (empty-lines)
/github/workspace/.github/workflows/dependabot-approve-and-merge.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/pylint.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/pylint.yaml:47:1: [error] too many blank lines (1 > 0) (empty-lines)
/github/workspace/.github/workflows/pytest-darwin.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/pytest-darwin.yaml:30:81: [warning] line too long (124 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-darwin.yaml:40:81: [warning] line too long (91 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-darwin.yaml:82:81: [warning] line too long (84 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-darwin.yaml:89:81: [warning] line too long (86 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-darwin.yaml:90:81: [warning] line too long (88 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-darwin.yaml:96:81: [warning] line too long (81 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-darwin.yaml:110:81: [warning] line too long (97 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-darwin.yaml:117:81: [warning] line too long (88 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-darwin.yaml:118:81: [warning] line too long (88 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-linux.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/pytest-linux.yaml:32:81: [warning] line too long (124 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-linux.yaml:42:81: [warning] line too long (91 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-linux.yaml:100:81: [warning] line too long (97 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-linux.yaml:107:81: [warning] line too long (88 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-linux.yaml:108:81: [warning] line too long (88 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-windows.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/pytest-windows.yaml:30:81: [warning] line too long (122 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-windows.yaml:39:81: [warning] line too long (91 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-windows.yaml:80:81: [warning] line too long (84 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-windows.yaml:88:81: [warning] line too long (87 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-windows.yaml:104:81: [warning] line too long (97 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-windows.yaml:111:81: [warning] line too long (88 > 80 characters) (line-length)
/github/workspace/.github/workflows/pytest-windows.yaml:112:81: [warning] line too long (88 > 80 characters) (line-length)
YAML_PRETTIER
Checking formatting...
[warn] .github/workflows/add-labels-standardized.yaml
[warn] .github/workflows/add-to-project-g2-python-dependabot.yaml
[warn] .github/workflows/add-to-project-g2-python.yaml
[warn] .github/workflows/add-to-project-garage-dependabot.yaml
[warn] .github/workflows/add-to-project-garage.yaml
[warn] .github/workflows/pylint.yaml
[warn] Code style issues found in 6 files. Run Prettier with --write to fix.

@kernelsam kernelsam self-assigned this May 14, 2026
@github-actions

🤖 Claude Code Review

I'll review this PR diff against the checklist now.


PR Code Review

Summary

This PR refactors GitHub Actions workflows to:

  1. Consolidate Slack failure notifications into reusable workflows (removing standalone slack-notification jobs)
  2. Upgrade github-action-install-senzing-sdk from @v4 to @v5
  3. Add staging token minting for macOS/Windows SDK installs
  4. Relax some linter/security-scanner rules

Code Quality

✅ Code style guide — YAML formatting is consistent with the rest of the repo. No issues.

✅ No commented-out code — # shellcheck disable=SC2046 and # zizmor: ignore[github-app] are directive comments, not dead code.

✅ Meaningful variable names — staging-token, senzingsdk-version, staging-tap-token / staging-bucket-token are clear.

✅ DRY principle — Removing the repetitive standalone slack-notification job from seven workflows is a good consolidation, assuming the reusable workflows now handle it internally.

⚠️ Potential defect — dependabot-approve-and-merge.yaml

Removing the concurrency block (lines ~7–10 in the original file) eliminates in-progress run cancellation. If multiple dependabot PRs land close together, multiple instances of this workflow will run concurrently. This is likely intentional (dependabot PRs are independent), but worth confirming — previously the group key included github.head_ref, so each PR was already its own group. The removal is safe in that case, but please confirm this was intentional and not accidental cleanup.

⚠️ Potential defect — actions/create-github-app-token pinned to a mutable tag

In pytest-darwin.yaml and pytest-windows.yaml:

uses: actions/create-github-app-token@v3.1.1

This is pinned to a version tag, not a commit SHA. Per supply chain security best practices (and what zizmor's unpinned-uses rule enforces for other actions), this should be pinned to a SHA. Example:

uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e  # v3.1.1

⚠️ Logic concern — senzingsdk-token fallback

In both pytest-darwin.yaml and pytest-windows.yaml:

senzingsdk-token: ${{ steps.staging-token.outputs.token || github.token }}

When matrix.senzingsdk-version == 'production-v4', the "Mint staging token" step is skipped, so steps.staging-token.outputs.token is empty and github.token is used. This is correct behavior — just confirm github-action-install-senzing-sdk@v5 accepts github.token as a valid senzingsdk-token for production installs (i.e., the parameter is optional or harmless when passed the default token).


Testing

✅ N/A — These are CI/CD configuration changes with no application logic. Unit/integration tests do not apply.


Documentation

✅ README — No README changes needed for workflow refactoring.

✅ CHANGELOG.md — Not present in this diff, but this is an infrastructure-only change; acceptable to omit.

✅ Inline comments — The # zizmor: ignore[github-app] inline suppression comments are clear and appropriate.

✅ Markdown formatting — No .md files changed.


Security

✅ No hardcoded credentials — All secrets use ${{ secrets.* }} references.

❌ Global zizmor secrets-outside-env suppression — .github/linters/zizmor.yaml

rules:
  secrets-outside-env:
    disable: true

Disabling this rule globally suppresses zizmor warnings for all workflows where secrets are used directly in with: blocks rather than as environment variables. The intent appears to be to allow passing secrets to reusable workflows (e.g., SLACK_BOT_TOKEN, SLACK_CHANNEL) and to the create-github-app-token action. However, a global disable is broader than necessary and will hide future violations.

Recommendation: Use inline # zizmor: ignore[secrets-outside-env] suppressions where needed (as is already done for [github-app]), and keep the rule enabled globally.

✅ No sensitive data in logs — No echo or logging of secret values.

✅ No license files — No .lic files or AQAAAD-prefixed content present.

⚠️ Reduced failure visibility

Removing standalone slack-notification jobs from seven workflows is only safe if the reusable workflow versions (@v4) now emit those notifications internally on failure. If senzing-factory/build-resources workflows were updated independently to include notifications, this is fine. If not, failures in these workflows will now be silent. Verify that the upstream reusable workflows handle failure notifications before merging.


Summary Table

| Category | Status | Key Issues |
| --- | --- | --- |
| Code Quality | ⚠️ | Mutable tag on create-github-app-token; confirm concurrency removal intent |
| Testing | | N/A for CI config |
| Documentation | | No issues |
| Security | | Global secrets-outside-env disable is overly broad |

Blocking issue: The global secrets-outside-env: disable: true in zizmor.yaml should be replaced with targeted inline suppressions to preserve the security signal for future changes.

Automated code review analyzing defects and coding standards
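As an added example (not part of this PR or the project's code), a small regex-based audit that checks workflow text for the two patterns raised in the reviews above: `uses:` references pinned to a mutable tag or branch rather than a commit SHA, and `${{ secrets.* }}` values passed directly as `with:` inputs, which is the shape behind zizmor's secrets-outside-env warning. The sample workflow is constructed to mirror the pytest-darwin.yaml excerpt quoted in the review; its checkout SHA is a placeholder, and the scanner assumes the usual 2-space YAML indentation.

```python
"""Audit GitHub Actions workflow text for mutable `uses:` pins and secrets
passed as `with:` inputs. Regex-based on purpose so it needs no YAML library;
assumes 2-space indentation as used in typical workflow files."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
WITH_RE = re.compile(r"^\s*-?\s*with:\s*$")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

# Constructed sample modelled on the pytest-darwin.yaml excerpt quoted in the review.
# The checkout SHA is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: pytest-darwin
on: [push]
jobs:
  pytest-darwin:
    runs-on: macos-latest
    env:
      SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - name: Mint staging token
        id: staging-token
        uses: actions/create-github-app-token@v3.1.1
        with:
          client-id: ${{ secrets.SENZINGSDK_STAGING_CLIENT_ID }}
          private-key: ${{ secrets.SENZINGSDK_STAGING_APP_KEY }}
      - name: Install Senzing SDK
        uses: senzing-factory/github-action-install-senzing-sdk@v5
        with:
          senzingsdk-token: ${{ steps.staging-token.outputs.token || github.token }}
"""


def classify_uses(ref):
    """Return 'local', 'docker', 'sha' or 'mutable' for the value of a `uses:` key."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the action's default branch
    version = ref.rpartition("@")[2]
    return "sha" if SHA_RE.match(version) else "mutable"


def audit_workflow(text):
    """Return findings as dicts with keys line, rule, detail, in file order."""
    findings = []
    with_indent = None  # indentation of the `with:` key whose block we are inside
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        # Dedenting back to (or above) the `with:` key closes its block.
        if with_indent is not None and indent <= with_indent:
            with_indent = None
        m = USES_RE.match(line)
        if m:
            if classify_uses(m.group(1)) == "mutable":
                findings.append({"line": lineno, "rule": "unpinned-uses", "detail": m.group(1)})
            continue
        if WITH_RE.match(line):
            with_indent = indent
            continue
        if with_indent is not None:
            # Secrets under env: are not flagged; only direct with: inputs are.
            for name in SECRET_RE.findall(line):
                findings.append({"line": lineno, "rule": "secrets-outside-env", "detail": name})
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}: {f['rule']:<20} {f['detail']}")
```

Run against the sample it reports both mutable pins (create-github-app-token@v3.1.1 and install-senzing-sdk@v5) and the two staging secrets passed as inputs, while the SLACK_BOT_TOKEN under env: is left alone.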

@github-actions

Super-linter summary

| Language | Validation result |
| --- | --- |
| CHECKOV | Pass ✅ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Pass ✅ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Pass ✅ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@github-actions

🤖 Claude Code Review

I'll analyze this PR diff against the review checklist now.


PR Code Review

Overview

This PR refactors CI/CD workflows to:

  1. Move Slack failure notifications from separate reusable workflow jobs to inline composite action steps
  2. Upgrade github-action-install-senzing-sdk from @v4 → @v5
  3. Add staging token minting for non-production SDK versions on Darwin/Windows
  4. Update linter configurations (yaml-lint, zizmor)

Code Quality

✅ No commented-out code

✅ Meaningful variable/job names — Job and step names are descriptive (Mint staging tap token, Notify Slack on failure, etc.)

✅ DRY principle — The Slack notification was previously a separate reusable workflow job repeated in every workflow; it is now consolidated into an inline step using a composite action (slack-failure-notification@v4). Acceptable trade-off.

❌ Potential logic defect — inconsistent Slack notification conditions across OS matrix:

  • pytest-linux.yaml: Notifies on failure/cancelled if on default branch OR if triggered by schedule
  • pytest-darwin.yaml: Notifies on failure/cancelled only if triggered by schedule
  • pytest-windows.yaml: Notifies on failure/cancelled only if triggered by schedule

If pytest-darwin.yaml and pytest-windows.yaml are also triggered on push/PR to the default branch (check their on: triggers), failures on the default branch would go silently on Darwin and Windows. This asymmetry is likely unintentional.

❌ Removed concurrency group in dependabot-approve-and-merge.yaml — Removing the concurrency block means multiple dependabot PRs targeting main can now run this workflow simultaneously. If the workflow does anything non-idempotent (e.g., approving or merging), this could cause race conditions. No explanation for this removal is present.


Testing

✅ N/A — This PR contains only CI/CD workflow and linter config changes. No application code or tests were modified.


Documentation

❌ No CHANGELOG.md update visible — The PR makes meaningful behavioral changes to CI (SDK version bump, notification routing changes, removal of concurrency) that should be documented.

✅ Inline comments used appropriately — # zizmor: ignore[github-app] comments are well-placed.

✅ Markdown files not affected


Security

⚠️ secrets-outside-env disabled in zizmor (.github/linters/zizmor.yaml):

rules:
  secrets-outside-env:
    disable: true

This suppresses the check that ensures secrets are injected via env: blocks rather than passed directly as with: inputs. This was added to accommodate the new inline pattern:

slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}

While composite actions sometimes require secrets as inputs, globally disabling this rule reduces security posture across the entire repo. Consider a targeted per-step zizmor: ignore[secrets-outside-env] comment on only the Slack notification steps instead of a global disable.

⚠️ actions/create-github-app-token@v3.1.1 pinned to a version tag, not a commit SHA (pytest-darwin.yaml, pytest-windows.yaml):

uses: actions/create-github-app-token@v3.1.1

GitHub Actions security best practices recommend pinning to a full commit SHA to prevent tag mutable supply-chain risk (e.g., actions/create-github-app-token@df432ceeef7de0a747073d666227a85d4d19d7d5). The existing unpinned-uses zizmor rule may or may not catch version-tag pinning depending on its policy configuration.

✅ No hardcoded credentials

✅ No .lic files or AQAAAD-prefixed strings

✅ Secrets properly referenced via ${{ secrets.* }}


Summary

| Area | Status |
| --- | --- |
| Code style | |
| No commented-out code | |
| Logic correctness | ❌ Darwin/Windows Slack condition asymmetry; concurrency removal unexplained |
| Testing | ✅ N/A |
| CHANGELOG | ❌ Missing |
| Security – zizmor secrets-outside-env global disable | ⚠️ |
| Security – version tag pinning on create-github-app-token | ⚠️ |

Recommended actions before merge:

  1. Verify Darwin/Windows Slack notification conditions are intentionally narrower than Linux, or fix to match.
  2. Document or revert the removal of the concurrency block in dependabot-approve-and-merge.yaml.
  3. Replace global secrets-outside-env: disable in zizmor with targeted per-step ignores.
  4. Pin actions/create-github-app-token to a commit SHA.
  5. Add a CHANGELOG entry.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

| Language | Validation result |
| --- | --- |
| CHECKOV | Pass ✅ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Pass ✅ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Pass ✅ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@kernelsam kernelsam assigned docktermj and unassigned kernelsam May 15, 2026
@docktermj docktermj merged commit 6871e41 into main May 15, 2026
84 checks passed
@docktermj docktermj deleted the 387-skern branch May 15, 2026 12:52

Development

Successfully merging this pull request may close these issues.

Bump senzing-factory/github-action-install-senzing-sdk to @v5

2 participants