
Update workflows for build-resources v4 #61

Merged
kernelsam merged 4 commits into main from skern-workflow-standardize
Feb 16, 2026

Conversation

@kernelsam
Contributor

Summary

  • Rename secret keys for build-resources v4 (SENZING_MEMBERS → MEMBERS, etc.)
  • Replace .outputs.job-status with .result
  • Bump pull-requests permission to write in lint-repo.yaml
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all @v3/@v2 build-resources references to @v4
  • Standardize dependabot config (assignees, cooldown, groups)
  • Add kernelsam and cooldown to cspell dictionary

@kernelsam kernelsam requested review from a team as code owners February 16, 2026 19:33
@kernelsam kernelsam self-assigned this Feb 16, 2026
@kernelsam kernelsam requested a review from docktermj February 16, 2026 19:33
@github-actions

🤖 Claude Code Review

Let me proceed with the code review based on the diff provided:


Code Review: Update GitHub Actions Workflows to build-resources v4

Summary

This PR updates GitHub Actions workflows from v3 to v4 of the senzing-factory/build-resources reusable workflows and updates Dependabot configuration. The changes involve secret name standardization, status checking improvements, and Dependabot cooldown configuration.


Code Quality ✅

✅ Code follows style guide: The YAML files appear well-formatted and consistent.

✅ No commented-out code: The only removed comment was documentation in .github/dependabot.yml:1-2, which is appropriate cleanup.

✅ Meaningful variable names: All variable and secret names are clear and descriptive (e.g., PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN).

✅ DRY principle followed: The changes systematically update similar patterns across multiple workflow files, maintaining consistency.

✅ No defects identified: The changes appear to be straightforward workflow updates. However, there are a few items to verify:

Minor Observations:

  1. Secret name changes - Multiple secrets have been renamed in the reusable workflows:

    • SENZING_MEMBERS → MEMBERS (.github/workflows/add-labels-standardized.yaml:17)
    • SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN (multiple files)
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN (.github/workflows/dependabot-approve-and-merge.yaml:15)

    ⚠️ Action Required: Verify that the senzing-factory/build-resources@v4 workflows expect these new secret names, as this is a breaking change.

  2. Status checking improvement: Changed from needs.*.outputs.job-status to needs.*.result (multiple files)

    • This is a better practice as .result is a built-in GitHub Actions property, while .outputs.job-status requires explicit output definition.
    • ✅ Good improvement
  3. New SLACK_CHANNEL secret: Added across multiple notification calls

    • .github/workflows/add-labels-standardized.yaml:25
    • .github/workflows/add-to-project-senzing-dependabot.yaml:24
    • .github/workflows/add-to-project-senzing.yaml:26
    • .github/workflows/pylint.yaml:48

    ⚠️ Action Required: Ensure the SLACK_CHANNEL secret is configured in the repository settings.

  4. Dependabot configuration changes (.github/dependabot.yml):

    • Added assignee configuration (line 4-5)
    • Added cooldown periods (21 days default, except for senzing-factory updates - lines 6-8, 18-21)
    • Added grouping for senzing-factory updates (lines 11-14)
    • ✅ These are sensible improvements to reduce notification noise
  5. Permission changes (.github/workflows/lint-workflows.yaml:16):

    • Changed pull-requests: read → pull-requests: write
    • ⚠️ Verify: Confirm that the v4 lint-workflows actually requires write permissions for pull requests.

Testing ⚠️

⚠️ No unit tests - Not applicable for workflow configuration files.

⚠️ No integration tests - The changes should be tested by:

  • Triggering each workflow after merge to verify they execute successfully
  • Confirming all referenced secrets exist in the repository
  • Verifying Dependabot respects the new cooldown configuration

⚠️ Edge cases - Consider:

  • What happens if SLACK_CHANNEL secret is not configured?
  • Workflows may fail with unclear error messages

❌ Test coverage - Not applicable for YAML configuration.


Documentation ✅

✅ Readme updated - No README changes needed for internal workflow updates.

✅ API docs updated - Not applicable.

✅ Inline comments - The removal of comments from dependabot.yml is acceptable as the configuration is self-explanatory.

⚠️ CHANGELOG.md - Not found in the diff. Consider adding an entry documenting this infrastructure update.

✅ Markdown formatting - The .vscode/cspell.json changes follow JSON formatting standards and are alphabetically sorted.


Security ✅

✅ No hardcoded credentials - All sensitive values use GitHub secrets.

✅ Input validation - Not applicable for workflow configuration.

✅ Proper error handling - Workflows have slack notification jobs that trigger on failure/cancellation.

✅ No sensitive data in logs - No logging of secrets observed.

✅ No license files - No .lic files or AQAAAD strings detected.


Additional Findings

cspell.json changes (.vscode/cspell.json)

✅ Good: Added relevant terms:

  • cooldown (line 9) - Related to new Dependabot feature
  • kernelsam (line 19) - Dependabot assignee

The words are properly alphabetically sorted, which is good practice.


Action Items

Critical

None

High Priority

  1. Verify secret availability: Ensure these secrets exist in repository settings:

    • SLACK_CHANNEL (new requirement)
    • Verify existing secrets work with renamed parameters
  2. Test workflows: After merge, manually trigger workflows to verify:

    • Slack notifications work correctly
    • Project management workflows function with new secret names
    • Dependabot cooldown configuration is respected

Medium Priority

  1. Update CHANGELOG.md: Document the infrastructure updates (workflow version bump to v4)

  2. Verify permission escalation: Confirm that .github/workflows/lint-workflows.yaml truly needs pull-requests: write permission (was read in v3)


Overall Assessment

Status: ✅ APPROVED with recommendations

This is a clean infrastructure update that modernizes the GitHub Actions workflows to use the latest build-resources templates. The changes are systematic and consistent across all affected files. The secret name changes and status checking improvements are positive changes that align with GitHub Actions best practices.

Confidence Level: High - This appears to be a standard workflow version bump with breaking changes properly addressed.

Recommendation: Approve and merge, but verify the action items above post-merge to ensure all workflows execute successfully.

Automated code review analyzing defects and coding standards
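The review's post-merge action items (every referenced secret exists, no job still reads `needs.<job>.outputs.job-status`, no reusable-workflow reference still pins @v2/@v3) can be checked statically before merging. This is an added example, not code from the PR or the senzing-factory project; the `uses:` paths, the sample workflow and the list of configured secrets are constructed placeholders.

```python
"""Static audit of GitHub Actions caller workflows for a build-resources v4
migration: every ${{ secrets.X }} reference must exist in the repository, no
job may still read needs.<job>.outputs.job-status, and no reusable-workflow
reference may still pin @v2/@v3.  Pure regex, so no PyYAML dependency."""
import re

SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")
LEGACY_STATUS = re.compile(r"needs\.([\w-]+)\.outputs\.job-status")
OLD_VERSION = re.compile(r"(senzing-factory/build-resources/[^\s@]+)@(v[123])\b")


def referenced_secrets(workflow: str) -> set[str]:
    """Repository secrets a caller workflow reads via ${{ secrets.X }}."""
    return set(SECRET_REF.findall(workflow))


def audit_workflow(workflow: str, configured: set[str]) -> dict:
    """Return findings for one workflow file; empty lists mean it is clean."""
    return {
        "missing_secrets": sorted(referenced_secrets(workflow) - configured),
        "legacy_status_refs": LEGACY_STATUS.findall(workflow),
        "outdated_refs": [f"{path}@{ver}" for path, ver in OLD_VERSION.findall(workflow)],
    }


# Constructed sample caller workflow (not from the PR): one job is still on @v3
# and still reads outputs.job-status; the Slack job already uses the v4 shape.
# The reusable-workflow paths are placeholders, not the project's real paths.
SAMPLE_WORKFLOW = """
jobs:
  add-to-project:
    uses: senzing-factory/build-resources/.github/workflows/add-to-project.yaml@v3
    secrets:
      PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
  slack-notification:
    needs: [add-to-project]
    if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-to-project.outputs.job-status) }}
    uses: senzing-factory/build-resources/.github/workflows/slack-notification.yaml@v4
    secrets:
      SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
"""

# Constructed set of secrets already configured on the repository; SLACK_CHANNEL
# is deliberately absent to mirror the review's "ensure the secret exists" item.
CONFIGURED_SECRETS = {"SENZING_GITHUB_PROJECT_RW_TOKEN", "SLACK_BOT_TOKEN"}

if __name__ == "__main__":
    for kind, items in audit_workflow(SAMPLE_WORKFLOW, CONFIGURED_SECRETS).items():
        print(f"{kind}: {items or 'none'}")
```

Run it over each file in .github/workflows with the output of the repository's secret listing as `configured`; a clean migration yields three empty findings per file.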

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@github-actions

🤖 Claude Code Review

Let me proceed with the review based on the checklist and common best practices.


Code Review: GitHub Workflows Update (v3 → v4 Migration)

Code Quality

✅ Code Style Compliance

The changes follow YAML formatting conventions with consistent indentation and structure.

✅ No Commented-Out Code

All removed code is cleanly deleted, not commented out. The removal of the comment block in .github/dependabot.yml:1-2 is appropriate.

✅ Meaningful Variable Names

All variable names are clear and descriptive:

  • CODEOWNER_PR_RW_TOKEN → properly renamed from SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN
  • PROJECT_RW_TOKEN → renamed from SENZING_GITHUB_PROJECT_RW_TOKEN
  • MEMBERS → renamed from SENZING_MEMBERS

✅ DRY Principle Followed

The changes systematically update workflow versions across all files, maintaining consistency without duplication.

✅ No Defects Identified

The changes are logically sound:

  • Critical Fix: Changed needs.*.outputs.job-status to needs.*.result (lines in multiple files). This is correct - GitHub Actions provides result as a built-in property, not outputs.job-status.
  • Proper addition of SLACK_CHANNEL secret across all Slack notification calls.
  • Secret name standardization improves maintainability.

⚠️ Potential Issue: Dependabot Configuration

File: .github/dependabot.yml:5-9

The cooldown configuration may not be valid:

cooldown:
  default-days: 21
  exclude:
    - "senzing-factory/*"

According to GitHub's dependabot documentation, there is no cooldown option. This appears to be a custom or experimental feature. Verify this is supported by your version of GitHub Enterprise or remove if invalid.

File: .github/dependabot.yml:4-5

assignees:
  - "kernelsam"

This hardcodes a specific user. Consider if this should be configurable via repository variables for easier maintenance across repos.


Testing

⚠️ Testing Requirements

Status: Not directly applicable - these are GitHub Actions workflow configuration files.

However, recommend:

  • Test the workflows in a staging environment or separate branch before merging to default branch
  • Verify the cooldown configuration is actually supported
  • Ensure all referenced secrets exist in the repository settings:
    • SENZING_GITHUB_PROJECT_RW_TOKEN (mapped to PROJECT_RW_TOKEN)
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN (mapped to CODEOWNER_PR_RW_TOKEN)
    • SENZING_MEMBERS (mapped to MEMBERS)
    • SLACK_BOT_TOKEN
    • SLACK_CHANNEL
    • ORG_MEMBERSHIP_TOKEN

Documentation

✅ README Updates

Not applicable - workflow changes don't require README updates.

✅ API Documentation

Not applicable.

✅ Inline Comments

The removal of the comment in dependabot.yml is acceptable as the configuration is self-explanatory.

❌ CHANGELOG.md Not Updated

File: CHANGELOG.md

The PR includes significant workflow infrastructure changes but doesn't update the changelog. Add an entry describing:

  • Migration from build-resources v3 to v4
  • Updated secret naming conventions
  • New dependabot cooldown and grouping features

✅ Markdown Formatting

File: .vscode/cspell.json

The cspell dictionary is properly formatted and alphabetically sorted, which improves maintainability.


Security

✅ No Hardcoded Credentials

All sensitive values properly use GitHub secrets syntax.

✅ Input Validation

Not applicable - workflow files are declarative configuration.

✅ Proper Error Handling

The conditional checks for workflow failures are properly structured:

if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.*.result) }}

✅ No Sensitive Data in Logs

No logging of secrets detected.

✅ No License Files

No .lic files or AQAAAD strings detected in the diff.


Summary

Critical Issues: 0

High Priority Issues: 1

  1. .github/dependabot.yml:5-9: Verify the cooldown configuration is supported. If this is invalid YAML for GitHub's dependabot, workflows will fail.

Medium Priority Issues: 2

  1. CHANGELOG.md: Missing entry for this infrastructure update
  2. .github/dependabot.yml:4-5: Hardcoded assignee "kernelsam" - consider making this configurable

Low Priority Issues: 0

Positive Changes

  • ✅ Correct fix changing outputs.job-status to result throughout
  • ✅ Consistent secret renaming improves clarity
  • ✅ Proper addition of SLACK_CHANNEL secret
  • ✅ Clean removal of outdated comments
  • ✅ Organized cspell dictionary

Recommendation: Request confirmation on the cooldown feature validity before merging. Update CHANGELOG.md to document these infrastructure changes.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@kernelsam kernelsam enabled auto-merge (squash) February 16, 2026 20:41
@kernelsam kernelsam assigned docktermj and unassigned kernelsam Feb 16, 2026
@github-actions

🤖 Claude Code Review

Let me proceed with the code review based on the checklist items:


Code Review Results

Code Quality

✅ Code follows style guide

The changes are primarily GitHub Actions workflow updates. The YAML formatting is consistent and follows standard GitHub Actions conventions:

  • Proper indentation (2 spaces)
  • Consistent key ordering
  • Clear structure

✅ No commented-out code

All commented code has been properly removed:

  • .github/dependabot.yml:1-2 - Removed outdated comments

✅ Meaningful variable names

All variable and secret names are clear and descriptive:

  • MEMBERS (renamed from SENZING_MEMBERS)
  • PROJECT_RW_TOKEN (renamed from SENZING_GITHUB_PROJECT_RW_TOKEN)
  • CODEOWNER_PR_RW_TOKEN (renamed from SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN)

✅ DRY principle followed

The changes consistently apply the same patterns across multiple workflow files, which is good for maintainability.

✅ Identify Defects

No critical defects found. The changes are:

  1. Updating workflow versions from v3 to v4
  2. Standardizing secret names to be more generic (removing SENZING_ prefix or GITHUB_ infix)
  3. Changing from needs.job.outputs.job-status to needs.job.result (correct pattern for GitHub Actions)
  4. Adding new Dependabot features (cooldown, groups, assignees)

✅ Project memory configuration

No .claude/CLAUDE.md file exists in this repository, so no conflicts to check.

Testing

⚠️ Unit tests for new functions

N/A - These are workflow configuration changes only, not code changes. However:

  • Recommendation: The workflow changes should be tested in a development environment before merging to ensure:
    • The v4 workflows function correctly
    • Secret name changes are reflected in repository settings
    • Dependabot configuration works as expected

⚠️ Integration tests for new endpoints

N/A - No new endpoints added.

⚠️ Edge cases covered

N/A - Configuration changes only.

⚠️ Test coverage > 80%

N/A - Configuration changes only.

Documentation

✅ Readme updated if needed

No README changes needed - these are workflow improvements that don't affect user-facing functionality.

✅ API docs updated

N/A - No API changes.

✅ Inline comments for complex logic

N/A - Workflow files are self-documenting through their structure.

❌ CHANGELOG.md updated

Missing: A CHANGELOG.md update should document these workflow updates, particularly:

  • Migration to build-resources v4 workflows
  • Dependabot configuration enhancements (cooldown, groups, assignees)
  • Secret name standardization

File: CHANGELOG.md should be updated

✅ Markdown files follow CommonMark specification

The cspell.json changes are properly formatted JSON, not Markdown. No Markdown files were modified.

Security

✅ No hardcoded credentials

All credentials continue to use GitHub secrets appropriately.

✅ Input validation implemented

N/A - Configuration changes only.

✅ Proper error handling

The workflows maintain proper error handling patterns with the slack-notification jobs.

✅ No sensitive data in logs

No sensitive data exposed.

✅ No checked-in license files

No .lic files or AQAAAD strings found in the diff.


Summary

Overall Assessment: ✅ APPROVED with minor documentation recommendation

This PR represents a clean migration to standardized workflow patterns (build-resources v4). The changes are consistent, well-structured, and improve maintainability.

Required Before Merge:

  1. Update CHANGELOG.md to document:
    • Migration to build-resources v4
    • Dependabot enhancements (cooldown, groups, assignees)
    • Secret name standardization

Critical Issues:

  • None

Important Notes:

  1. Secret names changed - Ensure repository secrets are updated to match new names:

    • SENZING_MEMBERS → Still referenced as MEMBERS in workflow
    • SENZING_GITHUB_PROJECT_RW_TOKEN → Referenced as PROJECT_RW_TOKEN in workflow
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → Referenced as CODEOWNER_PR_RW_TOKEN in workflow
    • New: SLACK_CHANNEL secret now required
  2. Dependabot configuration (.github/dependabot.yml:1-22):

    • Added assignee kernelsam
    • Added 21-day cooldown with exception for senzing-factory actions
    • Added grouping for senzing-factory updates
  3. Job status reference fix - All workflows correctly changed from needs.job.outputs.job-status to needs.job.result which is the proper GitHub Actions syntax.


Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@kernelsam kernelsam merged commit ea8e11e into main Feb 16, 2026
29 checks passed
@kernelsam kernelsam deleted the skern-workflow-standardize branch February 16, 2026 21:00
3 participants