Update workflows for build-resources v4

[kernelsam]

Summary

• Rename secret keys for build-resources v4 (SENZING_MEMBERS → MEMBERS, etc.)
• Replace .outputs.job-status with .result
• Bump pull-requests permission to write in lint-repo.yaml
• Add SLACK_CHANNEL secret to slack notification callers
• Bump all @v3/@v2 build-resources references to @v4
• Standardize dependabot config (assignees, cooldown, groups)
• Add kernelsam to cspell dictionary

[github-actions]

🤖 Claude Code Review

Let me proceed with the review based on the standard code review checklist.

Code Review - PR Analysis

Code Quality

✅ Code follows style guide

• The changes are primarily YAML workflow configuration updates
• YAML formatting is consistent and properly indented
• Changes follow standard GitHub Actions workflow patterns

✅ No commented-out code

• No commented code found in the diff
• The only comment removed was a redundant documentation link in .github/dependabot.yml:1-2 which improves cleanliness

✅ Meaningful variable names

• All variable/secret names are clear and descriptive
• Examples: CODEOWNER_PR_RW_TOKEN, PROJECT_RW_TOKEN, SLACK_CHANNEL
• Secret name changes improve clarity (e.g., SENZING_MEMBERS → MEMBERS, SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN)

✅ DRY principle followed

• No code duplication introduced
• Consistent patterns applied across all workflow files

✅ No defects identified

• Version upgrades from v3 to v4 are consistent across all workflows
• Proper secret passing and permissions maintained
• Logic improvements:
  • Changed from needs.*.outputs.job-status to needs.*.result (.github/workflows/add-labels-standardized.yaml:22, .github/workflows/add-to-project-factory-dependabot.yaml:21, .github/workflows/add-to-project-factory.yaml:23) - this is correct as result is the standard GitHub Actions context property
  • Added missing SLACK_CHANNEL secret to all Slack notification jobs

⚠️ Minor Note

• .github/workflows/lint-repo.yaml:16: Changed pull-requests: read to pull-requests: write - this expands permissions. While likely needed for the v4 workflow, ensure this permission expansion is intentional and required.

Testing

❌ Not Applicable

• No unit tests expected for workflow configuration changes
• No integration tests expected for workflow configuration changes
• No edge cases to cover in workflow YAML
• No test coverage metrics applicable

Note: These workflow changes should be tested through actual GitHub Actions execution, which will happen automatically when merged.

Documentation

✅ README update not needed

• These are internal workflow configuration changes
• No user-facing functionality affected

✅ API docs not applicable

• No API changes

✅ Inline comments appropriate

• The removal of the comment in .github/dependabot.yml:1-2 is actually an improvement
• The removed comment was just a link to documentation, which developers can easily find
• Remaining configuration is self-documenting

❌ CHANGELOG.md not updated

• No CHANGELOG.md file update in this diff
• Recommendation: Consider adding an entry documenting the workflow version upgrades and configuration changes

✅ Markdown formatting

• No markdown files modified in this PR

Security

✅ No hardcoded credentials

• All credentials properly referenced via secrets.* and vars.*
• No credential values exposed in the diff

✅ Input validation not applicable

• Workflow configurations don't require runtime input validation

✅ Proper error handling

• Slack notification jobs properly configured with if: ${{ always() && contains(...) }} conditions
• Maintains error notification patterns

✅No sensitive data in logs

• No logging statements that could expose sensitive data

✅ No license files

• No .lic files or strings starting with AQAAAD found in the diff

---

Summary

This PR is a clean upgrade of GitHub Actions workflow dependencies from v3 to v4 with associated configuration updates. The changes are well-structured and consistent.

Critical Issues: None

Major Issues: None

Minor Recommendations:

1. CHANGELOG.md (.github/workflows/*.yaml): Consider adding a CHANGELOG entry documenting:

   • Upgrade to build-resources v4
   • Updated secret names for better clarity
   • Added SLACK_CHANNEL secret passing

2. Permission Expansion (.github/workflows/lint-repo.yaml:16): Verify that the pull-requests: write permission is required by the v4 linter workflow (upgraded from read in v3)

3. New Configuration (.github/dependabot.yml): The new configurations are improvements:

   • Added assignees field - good practice
   • Added groups and exclude-patterns for senzing-factory - better dependency management
   • Removed redundant documentation comment - cleaner code

Approval Status: ✅ APPROVED

This PR is ready to merge. The changes are consistent, well-organized, and improve the workflow configuration. The only optional improvement would be adding a CHANGELOG entry.

Automated code review analyzing defects and coding standards

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
JSON	Pass ✅
JSON_PRETTIER	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter