
Update workflows for build-resources v4#46

Merged
kernelsam merged 3 commits into main from skern-workflow-standardize
Feb 16, 2026

Conversation

@kernelsam
Contributor

Summary

  • Rename secret keys for build-resources v4 (SENZING_MEMBERS → MEMBERS, etc.)
  • Replace .outputs.job-status with .result
  • Bump pull-requests permission to write in lint-repo.yaml
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all @v3/@v2 build-resources references to @v4
  • Standardize dependabot config (assignees, cooldown, groups)
  • Add kernelsam and cooldown to cspell dictionary

@kernelsam kernelsam self-assigned this Feb 16, 2026
@kernelsam kernelsam requested review from a team as code owners February 16, 2026 19:35
@kernelsam kernelsam requested a review from docktermj February 16, 2026 19:35
@github-actions

🤖 Claude Code Review

Senzing Code Review

I'll analyze the pull request diff against the checklist.

Code Quality

✅ Code follows style guide

The changes follow YAML formatting standards and maintain consistency with the existing codebase structure.

✅ No commented-out code

No commented-out code detected in the diff.

✅ Meaningful variable names

All variable and parameter names are clear and meaningful:

  • assignees, cooldown, exclude-patterns, MEMBERS, SLACK_CHANNEL, PROJECT_RW_TOKEN, etc.

✅ DRY principle followed

The changes standardize secret names across workflows (e.g., MEMBERS, PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, SLACK_CHANNEL), which improves consistency and maintainability.

✅ No defects identified

The changes are configuration updates to GitHub Actions workflows. Key improvements:

  • Consistent secret naming across workflows
  • Proper use of needs.<job>.result instead of needs.<job>.outputs.job-status
  • Addition of required SLACK_CHANNEL secret for notifications
  • Upgrade from v3 to v4 of build-resources workflows

✅ Project memory consideration

No .claude/CLAUDE.md file exists in this repository, so no project-specific considerations apply.

Testing

⚠️ Testing limitations

GitHub Actions workflow changes are difficult to unit test. These changes should be validated through:

  • Syntax validation (actionlint)
  • Real-world execution in GitHub Actions environment

❌ No explicit test coverage

.github/workflows/lint-workflows.yaml:18 - The workflow uses senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@v4 which should validate syntax, but there are no explicit tests for the behavioral changes (cooldown periods, secret mappings, etc.).

Recommendation: Monitor the first few Dependabot PRs and workflow runs after merge to ensure the new configurations work as expected.

Documentation

❌ CHANGELOG.md not updated

No CHANGELOG.md file exists in the repository, and none was updated. If this project maintains a changelog, it should document:

  • Upgrade to build-resources v4
  • Addition of Dependabot cooldown configuration
  • Standardization of secret names

✅ Inline documentation sufficient

The YAML changes are self-documenting. The additions like cooldown, groups, and assignees in .github/dependabot.yml:3-13 are standard Dependabot configuration options.

✅ Markdown formatting

.vscode/cspell.json:19 - The ignorePaths array was reformatted from multi-line to inline format, which is valid JSON and acceptable.

Security

✅ No hardcoded credentials

All sensitive values properly use GitHub secrets:

  • ${{ secrets.ORG_MEMBERSHIP_TOKEN }}
  • ${{ secrets.SENZING_MEMBERS }}
  • ${{ secrets.SLACK_BOT_TOKEN }}
  • ${{ secrets.SLACK_CHANNEL }}
  • ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
  • ${{ secrets.SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN }}

✅ Proper secret handling

Secret name changes improve clarity:

  • SENZING_MEMBERS → MEMBERS (mapped in workflow call)
  • SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN (mapped in workflow call)
  • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN (mapped in workflow call)

✅ No sensitive data exposure

No sensitive data logged or exposed.

✅ No license files

No .lic files or AQAAAD strings detected in the diff.

Summary

Overall Assessment: ✅ Approved with minor recommendations

This PR upgrades GitHub Actions workflows from build-resources v3 to v4 with improved configuration:

Strengths:

  • Consistent secret naming across all workflows
  • Proper use of needs.<job>.result for conditional workflow execution
  • Addition of Dependabot cooldown and grouping features
  • Improved permission scopes (pull-requests: write in lint-workflows)

Areas for improvement:

  1. Testing: Monitor initial workflow runs post-merge to validate behavior
  2. Documentation: Consider adding a CHANGELOG.md entry if the project maintains one

Key Changes:

  • .github/dependabot.yml:3-13 - Added cooldown (21 days), assignee (kernelsam), and grouping for senzing-factory updates
  • Multiple workflow files - Standardized secret names and fixed conditional logic
  • .github/workflows/lint-workflows.yaml:16 - Updated permissions from read to write for pull-requests

No blocking issues identified. The changes improve workflow maintainability and align with build-resources v4 requirements.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@github-actions

🤖 Claude Code Review

Let me proceed with the code review based on the diff provided.


🔍 Code Review Analysis

✅ Code Quality

✅ Code follows style guide

  • YAML formatting is consistent and properly indented
  • Changes follow standard GitHub Actions workflow patterns

✅ No commented-out code

  • All changes are active configuration

✅ Meaningful variable names

  • All variable and secret names are descriptive (e.g., CODEOWNER_PR_RW_TOKEN, PROJECT_RW_TOKEN)

✅ DRY principle followed

  • Reusable workflow patterns are maintained

✅ No defects identified

  • Logic changes are consistent across all workflow files
  • Pattern changes (e.g., outputs.job-status → result) are applied uniformly

✅ Project memory configuration

  • No .claude/CLAUDE.md file exists in this project, so no conflicts

⚠️ Testing

❌ Unit tests for new functions

  • N/A - These are GitHub Actions workflow configuration files, not code with testable functions
  • Note: Workflow changes should be validated through actual GitHub Actions runs

❌ Integration tests for new endpoints

  • N/A - No endpoints in workflow configurations

❌ Edge cases covered

  • N/A - Configuration changes

❌ Test coverage > 80%

  • N/A - YAML configuration files don't have traditional test coverage

⚠️ Documentation

⚠️ Readme updated if needed

  • The changes update workflow configurations but don't appear to require README updates
  • The changes are internal workflow improvements (v3→v4 migration, secret name standardization)
  • Recommendation: If there's a CONTRIBUTING.md or workflow documentation, consider documenting the new secret naming conventions

✅ API docs updated

  • N/A - No API changes

✅ Inline comments for complex logic

  • YAML workflow files are self-documenting; no complex logic requiring comments

❌ CHANGELOG.md updated

  • CHANGELOG.md is not modified in this diff
  • Issue: These workflow changes should be documented in CHANGELOG.md
  • Files affected: All workflow files in .github/workflows/
  • Recommendation: Add an entry like:
    ## [Unreleased]
    ### Changed
    - Updated GitHub Actions workflows from build-resources v3 to v4
    - Standardized secret names (SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN, etc.)
    - Added dependabot grouping and cooldown configuration
    - Fixed slack notification trigger conditions to use `.result` instead of `.outputs.job-status`

✅ Markdown formatting

  • .vscode/cspell.json changes are properly formatted JSON (not markdown)

✅ Security

✅ No hardcoded credentials

  • All credentials properly reference GitHub secrets

✅ Input validation implemented

  • N/A - Configuration files

✅ Proper error handling

  • Slack notifications correctly configured for failure cases

✅ No sensitive data in logs

  • All sensitive data uses GitHub secrets syntax

✅ No license files or AQAAAD strings

  • No .lic files or suspicious strings in the diff

📋 Summary

Critical Issues: 0

Issues Requiring Attention: 1

  1. Missing CHANGELOG.md update (.github/workflows/*)
    • Document the workflow migration from v3 to v4 and secret name standardization

Observations

Positive Changes:

  • ✅ Consistent migration from build-resources v3 to v4 across all workflows
  • ✅ Secret name standardization improves clarity (SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN)
  • ✅ Bug fix: Changed .outputs.job-status to .result (correct GitHub Actions syntax)
  • ✅ Added SLACK_CHANNEL secret for better Slack integration
  • ✅ Improved dependabot configuration with grouping and cooldown
  • ✅ Added assignee for dependabot PRs
  • ✅ Updated permissions appropriately (e.g., pull-requests: write in lint-workflows.yaml)

Pattern Consistency:
All workflow files consistently apply the same changes:

  • Secret name updates
  • Version bumps (v3→v4)
  • Notification trigger fix (.outputs.job-status → .result)
  • Added SLACK_CHANNEL secret

Recommendation

APPROVE with minor request: Add a CHANGELOG.md entry documenting these infrastructure improvements before merging.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@kernelsam kernelsam enabled auto-merge (squash) February 16, 2026 20:34
@kernelsam kernelsam assigned docktermj and unassigned kernelsam Feb 16, 2026
@github-actions

🤖 Claude Code Review

Code Review Analysis

Code Quality

✅ Code Style Compliance

The changes follow the general YAML formatting conventions and maintain consistency with the existing codebase.

✅ No Commented-Out Code

No commented-out code detected in the diff.

✅ Meaningful Variable Names

All variable and parameter names are meaningful and follow GitHub Actions conventions (e.g., PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, SLACK_CHANNEL).

✅ DRY Principle Followed

The changes standardize secret names across multiple workflow files, which promotes consistency and maintainability.

✅ No Defects Identified

The changes are configuration updates with no logic errors. The updates include:

  • Standardizing secret parameter names in reusable workflows (.github/workflows/add-labels-standardized.yaml:17, .github/workflows/add-to-project-senzing-dependabot.yaml:14, .github/workflows/add-to-project-senzing.yaml:16, .github/workflows/dependabot-approve-and-merge.yaml:15)
  • Fixing job status references from outputs.job-status to result (standard GitHub Actions property)
  • Adding missing SLACK_CHANNEL secret references for Slack notifications

✅ Project Memory Configuration

No .claude/CLAUDE.md file detected in the repository, so no project-specific configuration to validate against.

Testing

⚠️ Testing Not Applicable

These are GitHub Actions workflow configuration changes. The changes will be tested through actual workflow execution on GitHub. Manual validation should include:

  • Verify workflows trigger correctly
  • Confirm secret mappings are correct in repository settings
  • Test Slack notifications function properly

Documentation

✅ Readme Updates Not Required

The changes are internal workflow configurations that don't affect user-facing functionality or API.

✅ API Docs Not Applicable

No API changes in this PR.

✅ Inline Comments Not Required

YAML workflow files are self-documenting through their declarative syntax.

❌ CHANGELOG.md Not Updated

File: CHANGELOG.md (expected location at repository root)

A CHANGELOG entry should be added documenting these workflow standardization changes, such as:

## [Unreleased]
### Changed
- Updated GitHub Actions workflows to use build-resources v4
- Standardized secret parameter names across reusable workflows
- Added Dependabot cooldown and grouping configuration
- Fixed job status checks to use standard `result` property

✅ Markdown Formatting

File: .vscode/cspell.json:20

The cspell.json changes show proper formatting with alphabetized words list and consistent structure. This follows JSON formatting best practices.

Security

✅ No Hardcoded Credentials

All sensitive values properly use GitHub secrets via ${{ secrets.* }} syntax.

✅ Input Validation

GitHub Actions handles validation of workflow syntax and secret references at runtime.

✅ Proper Error Handling

Failure notification workflows are properly configured with conditional execution on failure/cancellation states.

✅ No Sensitive Data in Logs

No logging of sensitive information detected.

✅ No License Files

No .lic files or AQAAAD strings detected in the diff.


Summary

Overall Assessment: ✅ Approved with minor documentation recommendation

The code changes are solid workflow configuration updates that standardize naming conventions and upgrade to build-resources v4. The only missing item is a CHANGELOG.md entry to document these infrastructure changes.

Required Action:

  • Add CHANGELOG.md entry documenting the workflow standardization changes

Notable Improvements in This PR:

  1. Dependabot cooldown configuration added (.github/dependabot.yml:5-8) to reduce notification frequency
  2. Dependabot grouping for senzing-factory updates (.github/dependabot.yml:10-13)
  3. Consistent secret naming across workflows improves maintainability
  4. Fixed incorrect job status references (using result instead of outputs.job-status)
  5. Added missing SLACK_CHANNEL secret references

Automated code review analyzing defects and coding standards
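
An added example, not part of this pull request or of build-resources: a small Python check for the three leftovers the review comments above call out (old secret keys in a workflow call, build-resources references still on @v2/@v3, and failure-notification conditions that still read .outputs.job-status). The key renames and the senzing-factory/build-resources path come from this page; the sample workflow, its job names and its workflow file names are constructed.

```python
import re

# Secret key renames listed on this page (pre-v4 key -> v4 key).
RENAMED_KEYS = {
    "SENZING_MEMBERS": "MEMBERS",
    "SENZING_GITHUB_PROJECT_RW_TOKEN": "PROJECT_RW_TOKEN",
    "SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN": "CODEOWNER_PR_RW_TOKEN",
}
OLD_REF = re.compile(r"senzing-factory/build-resources/\S+@v[23]\b")
OLD_STATUS = re.compile(r"needs\.[\w-]+\.outputs\.job-status")
KEY_LINE = re.compile(r"^\s*([A-Z0-9_]+)\s*:")  # a mapping key, not a value


def audit_workflow(text):
    """Return (line_number, finding) pairs for leftovers of the pre-v4 layout."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip full-line YAML comments
        if OLD_REF.search(line):
            findings.append((n, "build-resources reference still pinned to @v2/@v3"))
        if OLD_STATUS.search(line):
            # A condition on a stale output can leave the notification job silent.
            findings.append((n, "reads .outputs.job-status; this PR switches to .result"))
        m = KEY_LINE.match(line)
        if m and m.group(1) in RENAMED_KEYS:
            new = RENAMED_KEYS[m.group(1)]
            findings.append((n, f"secret key {m.group(1)} should be {new}"))
    return findings


# Constructed sample: job names and workflow file names are hypothetical.
SAMPLE = """\
jobs:
  add-to-project:
    secrets:
      SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
    uses: senzing-factory/build-resources/.github/workflows/add-to-project.yaml@v3
  slack-notification:
    needs: [add-to-project]
    if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-to-project.outputs.job-status) }}
    secrets:
      SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
    uses: senzing-factory/build-resources/.github/workflows/slack-notification.yaml@v4
"""

if __name__ == "__main__":
    for lineno, finding in audit_workflow(SAMPLE):
        print(f"line {lineno}: {finding}")
```

Only the key on the left of a `secrets:` mapping is checked; the repository secret referenced on the right (`${{ secrets.SENZING_… }}`) keeps its name in this PR.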

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@kernelsam kernelsam merged commit f0473a0 into main Feb 16, 2026
23 checks passed
@kernelsam kernelsam deleted the skern-workflow-standardize branch February 16, 2026 20:39