Update workflows for build-resources v4 #57

Merged
kernelsam merged 3 commits into main from skern-workflow-standardize
Feb 16, 2026

@kernelsam
Contributor

Summary

  • Rename secret keys for build-resources v4 (SENZING_MEMBERS → MEMBERS, etc.)
  • Replace .outputs.job-status with .result
  • Bump pull-requests permission to write in lint-repo.yaml
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all @v3/@v2 build-resources references to @v4
  • Standardize dependabot config (assignees, cooldown, groups)
  • Add kernelsam and cooldown to cspell dictionary

@kernelsam kernelsam requested review from a team as code owners February 16, 2026 19:31
@kernelsam kernelsam self-assigned this Feb 16, 2026
@kernelsam kernelsam requested a review from docktermj February 16, 2026 19:31
@github-actions

🤖 Claude Code Review

Code Review Analysis

Summary

This PR updates GitHub Actions workflows from v3 to v4 of senzing-factory/build-resources and standardizes secret names. The changes are configuration-only with no functional code modifications.


Code Quality

✅ Code Style Compliance

Status: PASS - Configuration files follow YAML formatting conventions

  • Consistent quoting style applied to all string values in .github/dependabot.yml
  • Proper indentation maintained throughout
  • No code logic to evaluate against style guide

✅ No Commented-Out Code

Status: PASS

  • The only removed content is a documentation comment in .github/dependabot.yml (lines 1-2), which is appropriate cleanup

✅ Meaningful Variable Names

Status: PASS

  • Secret name changes are more generic and clearer:
    • SENZING_MEMBERS → MEMBERS (clearer in context)
    • SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN (more concise)
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN (more concise)

✅ DRY Principle

Status: PASS

  • Changes are systematic and consistent across all workflow files
  • No code duplication introduced

✅ Defect Identification

Status: PASS - Improvements found

  • Improvement in .github/workflows/add-labels-standardized.yaml:22: Changed from needs.add-issue-labels.outputs.job-status to needs.add-issue-labels.result - this is more correct as result is the standard GitHub Actions output for job status
  • Similar improvements in other workflow files (lines 22, 23 across multiple files)

❌ Project Memory Configuration (.claude/CLAUDE.md)

Status: FAIL - Missing requirement

  • The CLAUDE.md file at ./.claude/CLAUDE.md contains development-specific commands that should be general
  • Specifically, the "Development Commands" section includes python -m pip install --group all . which may be environment-specific
  • However, the content is generally appropriate for cross-developer use

Testing

⚠️ Unit Tests

Status: N/A - No functional code changes

  • This PR only modifies GitHub Actions workflow configuration files
  • No new functions or logic to test

⚠️ Integration Tests

Status: N/A - Configuration-only changes

  • Workflow changes will be tested when GitHub Actions run
  • No new endpoints or integrations

⚠️ Edge Cases

Status: N/A

  • No code logic to test edge cases

⚠️ Test Coverage

Status: N/A

  • Configuration files are not covered by unit tests

Documentation

✅ README Updated

Status: PASS

  • No README changes needed - workflow updates are internal infrastructure

✅ API Docs

Status: N/A

  • No API changes

✅ Inline Comments

Status: PASS

  • Configuration files are self-documenting
  • Removed redundant comment in dependabot.yml was appropriate cleanup

❌ CHANGELOG.md Updated

Status: FAIL - Missing

  • ./.changelog/CHANGELOG.md should be updated to document:
    • Upgrade to build-resources v4
    • Standardized secret names
    • Added dependabot assignee (kernelsam)
    • Added dependabot grouping for senzing-factory dependencies
    • Improved job status checking using result instead of outputs.job-status

✅ Markdown Formatting

Status: PASS

  • All YAML files properly formatted
  • .vscode/cspell.json properly formatted JSON

Security

✅ No Hardcoded Credentials

Status: PASS

  • All secrets properly referenced via ${{ secrets.* }}
  • No credentials exposed

✅ Input Validation

Status: N/A

  • Configuration files don't process input

✅ Error Handling

Status: PASS

  • Slack notifications properly configured for failure cases
  • Conditional execution using always() and failure checks is correct

✅ No Sensitive Data in Logs

Status: PASS

  • Only references to secret names, not values

✅ No License Files

Status: PASS

  • No .lic files or AQAAAD strings detected in diff

Additional Findings

Positive Changes:

  1. .github/dependabot.yml:4-5: Added assignee kernelsam for automated review assignment
  2. .github/dependabot.yml:8-14: Added intelligent grouping to batch senzing-factory updates together
  3. .github/dependabot.yml:8-9, 20-21: Added cooldown exclude patterns to prevent spamming
  4. .github/workflows/lint-workflows.yaml:18: Added pull-requests: write permission for better integration
  5. .vscode/cspell.json:24: Added kernelsam to dictionary for the new assignee

Concerns:

  1. CHANGELOG.md missing - This is a significant infrastructure update that should be documented

Recommendation

Conditional Approval - This PR should be approved pending:

  1. Required: Update CHANGELOG.md to document the infrastructure changes
  2. Optional: Verify that the new secret names (MEMBERS, PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, SLACK_CHANNEL) are properly configured in the GitHub repository settings

The code quality is high, security is maintained, and the changes represent genuine improvements to the CI/CD infrastructure.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language | Validation result
CHECKOV | Pass ✅
GITHUB_ACTIONS | Pass ✅
GITHUB_ACTIONS_ZIZMOR | Pass ✅
GITLEAKS | Pass ✅
GIT_MERGE_CONFLICT_MARKERS | Pass ✅
JSCPD | Pass ✅
PRE_COMMIT | Pass ✅
SPELL_CODESPELL | Pass ✅
TRIVY | Pass ✅
YAML | Pass ✅
YAML_PRETTIER | Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@github-actions

🤖 Claude Code Review

Code Review: Build Resources v4 Workflow Migration

Summary

This PR updates GitHub Actions workflows from senzing-factory/build-resources@v3 to v4, modernizing secret names, fixing status propagation, and improving Dependabot configuration. The changes are primarily configuration updates with no Python code modifications.


Review Checklist Results

Code Quality

Code follows style guide: N/A - No Python code changes. YAML formatting is consistent with quoted strings and proper indentation.

No commented-out code: Clean removal of outdated comments in .github/dependabot.yml:1-3

Meaningful variable names: All variable names are descriptive and follow GitHub Actions conventions (e.g., CODEOWNER_PR_RW_TOKEN, PROJECT_RW_TOKEN)

DRY principle followed: Reusable workflow references consistently updated across all files

No defects identified: Changes are configuration updates with correct syntax. The migration from outputs.job-status to result aligns with GitHub Actions best practices for accessing job outcomes.

Project memory configuration: .claude/CLAUDE.md contains appropriate general guidance without local environment specifics

Testing

⚠️ Unit tests for new functions: N/A - No new functions added (configuration changes only)

⚠️ Integration tests for new endpoints: N/A - No new endpoints

⚠️ Edge cases covered: N/A - Configuration changes

Test coverage > 80%: Cannot verify without running tests, but this PR doesn't modify tested code

Note: All testing checkboxes are N/A for this infrastructure update.

Documentation

Readme updated if needed: No README changes required - these are internal workflow updates

API docs updated: N/A - No API changes

Inline comments for complex logic: Appropriately removed outdated comments in dependabot.yml

CHANGELOG.md updated: No CHANGELOG.md found in repository or updated in this PR. Should document this breaking change for workflow secrets.

Markdown files follow CommonMark: .vscode/cspell.json addition is properly formatted JSON (not markdown). No markdown files modified.

Security

No hardcoded credentials: All secrets properly referenced via ${{ secrets.* }} pattern

Input validation implemented: N/A - Configuration changes

Proper error handling: Slack notifications properly configured for failure cases with always() and contains() conditions

No sensitive data in logs: No logging of sensitive information

No license files checked in: No .lic files or AQAAAD strings detected in diff


Detailed Findings

Critical Issues

None identified.

Important Observations

  1. Secret name changes (.github/workflows/*.yaml):

    • SENZING_MEMBERS → MEMBERS (add-labels-standardized.yaml:17)
    • SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN (multiple files)
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN (dependabot-approve-and-merge.yaml:19)

    Impact: These secret names must exist in repository settings or workflows will fail.

  2. Status propagation fix (all workflow files):

    • Changed from needs.<job>.outputs.job-status to needs.<job>.result
    • This is a bug fix - GitHub Actions native result context is the correct approach
    • Example: .github/workflows/add-labels-standardized.yaml:22
  3. New Slack channel secret (multiple files):

    • Added SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
    • Required by v4 of build-failure-slack-notification workflow
  4. Dependabot enhancements (.github/dependabot.yml):

    • Added assignee: kernelsam (line 5)
    • Added cooldown exclusion for senzing-factory/* (lines 8-9)
    • Added grouping for senzing-factory updates (lines 11-14)
    • Purpose: Reduces noise by grouping senzing-factory dependency updates
  5. Permission addition (.github/workflows/lint-workflows.yaml:18):

    • Changed pull-requests: read → pull-requests: write
    • Required for v4 workflow to post lint results as PR comments

Minor Issues

Missing CHANGELOG.md entry: This PR introduces breaking changes to required repository secrets. Organizations adopting these changes need documentation.

  • Recommendation: Add CHANGELOG.md entry documenting:
    • Secret renames
    • New SLACK_CHANNEL secret requirement
    • Migration path from v3 to v4

Spell check dictionary update: Added "kernelsam" to .vscode/cspell.json:24 - appropriate for the assignee name


Recommendations

  1. Add CHANGELOG.md: Document breaking changes for secret names

  2. Verify secrets exist: Ensure all referenced secrets are configured in repository settings:

    • ORG_MEMBERSHIP_TOKEN
    • SENZING_MEMBERS (still used as value, passed as MEMBERS)
    • SENZING_GITHUB_PROJECT_RW_TOKEN (still used as value, passed as PROJECT_RW_TOKEN)
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN (still used as value, passed as CODEOWNER_PR_RW_TOKEN)
    • SLACK_BOT_TOKEN
    • SLACK_CHANNEL (new requirement)
  3. Test workflow execution: After merge, verify workflows trigger correctly with new secret names


Conclusion

Overall Assessment: ✅ APPROVED with minor documentation suggestion

This PR is a well-executed infrastructure update with proper secret handling, bug fixes, and enhanced Dependabot configuration. The only missing element is CHANGELOG documentation for the breaking changes. All code quality and security requirements are met.

Automated code review analyzing defects and coding standards
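
A check for the migration points the two reviews list (renamed secret keys, outputs.job-status, @v4 references, the SLACK_CHANNEL requirement, write permissions), as an added example that is not part of the pull request or of build-resources. The sample workflow is constructed and its reusable-workflow file names are placeholders; audit and the regexes are this example's own names.

```python
import re
# Secret-key renames for build-resources v4, as listed in the reviews above.
RENAMED_KEYS = {"SENZING_MEMBERS": "MEMBERS",
                "SENZING_GITHUB_PROJECT_RW_TOKEN": "PROJECT_RW_TOKEN",
                "SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN": "CODEOWNER_PR_RW_TOKEN"}
SECRET_LINE = re.compile(r"^\s*([A-Z0-9_]+):\s*\$\{\{\s*secrets\.([A-Z0-9_]+)\s*\}\}")
USES_REF = re.compile(r"uses:\s*(senzing-factory/build-resources/\S+)@(\S+)")
WRITE_PERM = re.compile(r"^\s*([a-z-]+):\s*write\s*$")

# Constructed sample: a half-migrated caller workflow; PLACEHOLDER file names are not real.
SAMPLE = """\
permissions:
  pull-requests: write
jobs:
  add-issue-labels:
    secrets:
      MEMBERS: ${{ secrets.SENZING_MEMBERS }}
      SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
    uses: senzing-factory/build-resources/.github/workflows/PLACEHOLDER-labels.yaml@v3
  slack-notification:
    needs: [add-issue-labels]
    if: ${{ always() && contains(fromJSON('["failure"]'), needs.add-issue-labels.outputs.job-status) }}
    secrets:
      SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
    uses: senzing-factory/build-resources/.github/workflows/PLACEHOLDER-slack.yaml@v4
"""

def audit(text):
    """Return (findings, repository secrets referenced, write scopes); line 0 means file-wide."""
    findings, secrets, writes = [], set(), []
    for n, line in enumerate(text.splitlines(), 1):
        if m := SECRET_LINE.match(line):
            key, repo_secret = m.groups()
            secrets.add(repo_secret)  # must exist in repository settings
            if key in RENAMED_KEYS:
                findings.append((n, f"legacy key {key}, v4 expects {RENAMED_KEYS[key]}"))
        if ".outputs.job-status" in line:
            findings.append((n, "stale outputs.job-status, use needs.<job>.result"))
        if (m := USES_REF.search(line)) and m.group(2) != "v4":
            findings.append((n, f"build-resources pinned at @{m.group(2)}, not @v4"))
        if m := WRITE_PERM.match(line):
            writes.append((n, m.group(1)))  # write scopes deserve a manual look
    if "SLACK_BOT_TOKEN" in secrets and "SLACK_CHANNEL" not in secrets:
        findings.append((0, "SLACK_BOT_TOKEN passed without SLACK_CHANNEL"))
    return findings, sorted(secrets), writes

if __name__ == "__main__":
    for part in audit(SAMPLE):
        print(part)
```

The sorted secret list is what to compare against the repository's configured secrets; the write-scope list is what to review against least privilege.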

@github-actions

Super-linter summary

Language | Validation result
CHECKOV | Pass ✅
GITHUB_ACTIONS | Pass ✅
GITHUB_ACTIONS_ZIZMOR | Pass ✅
GITLEAKS | Pass ✅
GIT_MERGE_CONFLICT_MARKERS | Pass ✅
JSCPD | Pass ✅
PRE_COMMIT | Pass ✅
SPELL_CODESPELL | Pass ✅
TRIVY | Pass ✅
YAML | Pass ✅
YAML_PRETTIER | Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@kernelsam kernelsam enabled auto-merge (squash) February 16, 2026 20:26
@kernelsam kernelsam assigned docktermj and unassigned kernelsam Feb 16, 2026
@kernelsam kernelsam merged commit e9e650f into main Feb 16, 2026
28 checks passed
@kernelsam kernelsam deleted the skern-workflow-standardize branch February 16, 2026 20:35