Update workflows for build-resources v4 #68

Merged
kernelsam merged 3 commits into main from skern-workflow-standardize
Feb 16, 2026
@kernelsam
Contributor

Summary

  • Rename secret keys for build-resources v4 (SENZING_MEMBERS → MEMBERS, etc.)
  • Replace .outputs.job-status with .result
  • Bump pull-requests permission to write in lint-repo.yaml
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all @v3/@v2 build-resources references to @v4
  • Standardize dependabot config (assignees, cooldown, groups)
  • Add kernelsam and cooldown to cspell dictionary

@kernelsam kernelsam requested review from a team as code owners February 16, 2026 19:32
@kernelsam kernelsam self-assigned this Feb 16, 2026
@kernelsam kernelsam requested a review from docktermj February 16, 2026 19:32
@github-actions

🤖 Claude Code Review

Code Review - mapper-file PR

I'll analyze the pull request diff against the review checklist.

Code Quality

✅ Code follows style guide

The changes follow YAML formatting conventions and improve consistency by:

  • Adding quotes to string values consistently
  • Improving indentation and structure
  • Following GitHub Actions best practices

✅ No commented-out code

Only one comment was removed from .github/dependabot.yml:1-2 (documentation URL), which is appropriate as it wasn't adding value.

✅ Meaningful variable names

All variable/key names are clear and follow GitHub Actions conventions:

  • SENZING_MEMBERS → MEMBERS (more concise)
  • SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN (more concise)
  • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN (more concise)

✅ DRY principle followed

The PR refactors workflow files to use centralized templates (senzing-factory/build-resources@v4), reducing duplication.

✅ No defects identified

Changes are primarily:

  • Version bumps (v3 → v4)
  • Secret name standardization
  • Adding missing SLACK_CHANNEL secret
  • Fixing job status references (outputs.job-status → result)
  • Adding new dependabot features (assignees, groups, exclude-patterns)
  • Permission updates

Minor Issue - .github/workflows/dependabot-approve-and-merge.yaml:19: Added CODEOWNER_PR_RW_TOKEN but check if this workflow still needs the contents: write permission if the token already has write access.

✅ Project memory compliance

The changes don't affect .claude/CLAUDE.md and are general workflow improvements applicable to any environment.

Testing

⚠️ Unit tests for new functions

N/A - This PR only modifies YAML configuration files (GitHub Actions workflows). No code functions were added.

⚠️ Integration tests for new endpoints

N/A - No endpoints modified.

⚠️ Edge cases covered

N/A - Configuration changes only.

⚠️ Test coverage > 80%

N/A - No code changes affecting coverage.

Documentation

✅ README updated if needed

README changes not needed for internal workflow updates.

✅ API docs updated

Not applicable - no API changes.

✅ Inline comments for complex logic

YAML configuration is self-documenting. The removed comment in dependabot.yml was redundant.

⚠️ CHANGELOG.md updated

Issue: No CHANGELOG.md update detected. This PR updates all GitHub Actions workflows to v4 - this should be documented.
Recommendation: Add entry documenting the workflow version bump and secret name changes.

✅ Markdown files follow CommonMark

All YAML files are properly formatted with consistent indentation and no trailing whitespace.

Security

✅ No hardcoded credentials

All sensitive values use GitHub secrets (${{ secrets.* }}).

✅ Input validation implemented

N/A for YAML configuration.

✅ Proper error handling

Slack notifications are properly configured for failure cases with correct conditional checks.

✅ No sensitive data in logs

No logging of sensitive data.

✅ No license files checked in

No .lic files or AQAAAD strings found in the diff.


Summary

Overall Assessment: ✅ Approved with Minor Recommendations

Strengths:

  1. Consistent upgrade to build-resources v4 across all workflows
  2. Standardized secret naming (removes org-specific prefixes)
  3. Added missing SLACK_CHANNEL secret configuration
  4. Fixed job status references to use .result instead of .outputs.job-status
  5. Enhanced dependabot configuration with assignees, groups, and exclusions
  6. Added kernelsam to cspell dictionary

Minor Issues:

  1. CHANGELOG.md not updated - Document this infrastructure upgrade
  2. Permission review - .github/workflows/dependabot-approve-and-merge.yaml:14-15 may have redundant contents: write permission if using a personal access token

Action Items:

  • Add CHANGELOG.md entry documenting workflow v3→v4 migration
  • Verify contents: write permission necessity in dependabot-approve-and-merge.yaml

Recommendation: Merge after addressing CHANGELOG.md

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@github-actions

🤖 Claude Code Review

I'll analyze this pull request diff against the provided checklist.

Code Review Analysis

Code Quality

  • Code follows style guide: The changes are primarily configuration files (YAML, JSON) which follow proper YAML/JSON formatting conventions. No Python code is being modified.

  • No commented-out code: No commented-out code found. The removal of the comment at .github/dependabot.yml:1-2 actually improves cleanliness.

  • Meaningful variable names: All variable/field names are clear and descriptive (e.g., PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, SLACK_CHANNEL).

  • DRY principle followed: The changes consolidate workflow references to use v4 consistently, which is good. The secret name refactoring (e.g., SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN) standardizes naming.

  • Identify Defects: No bugs, logic errors, or security vulnerabilities detected. The changes are:

    • Upgrading workflow versions from v3 to v4
    • Standardizing secret names for better clarity
    • Fixing job status references from needs.<job>.outputs.job-status to needs.<job>.result (this is actually a bug fix - result is the correct GitHub Actions context property)
    • Adding missing SLACK_CHANNEL secret references
    • Improving dependabot configuration with grouping and assignees
  • Project memory consideration: The .claude/CLAUDE.md file indicates this is a Senzing Python utility. These workflow changes are infrastructure updates and don't conflict with any project-specific requirements.

Testing

  • Unit tests for new functions: N/A - no new functions added, only configuration changes.

  • Integration tests for new endpoints: N/A - no new endpoints.

  • Edge cases covered: N/A - configuration changes.

  • Test coverage > 80%: N/A - no code changes affecting coverage.

Documentation

  • Readme updated if needed: Not needed - these are internal CI/CD workflow changes that don't affect user-facing functionality.

  • API docs updated: N/A - no API changes.

  • Inline comments for complex logic: N/A - configuration files don't require inline comments. The removal of the redundant comment in dependabot.yml is appropriate.

  • CHANGELOG.md updated: No CHANGELOG.md changes detected. However, for infrastructure/CI changes, this may not be necessary depending on project conventions. This is a minor issue.

  • Markdown files follow CommonMark: The only markdown change is in .vscode/cspell.json (not markdown) - it's a JSON file with properly sorted dictionary entries.

Security

  • No hardcoded credentials: All sensitive values are properly referenced via ${{ secrets.* }} and ${{ vars.* }}.

  • Input validation implemented: N/A - configuration changes only.

  • Proper error handling: The workflows include appropriate failure notifications via Slack.

  • No sensitive data in logs: No sensitive data being logged.

  • No license files (.lic) or AQAAAD strings: No license files or suspicious strings detected.

Summary

Overall Assessment: ✅ APPROVED WITH MINOR NOTE

This is a well-executed infrastructure update that:

  1. Upgrades all workflow references from v3 to v4 of senzing-factory/build-resources
  2. Fixes a bug where needs.<job>.outputs.job-status was incorrectly used instead of needs.<job>.result
  3. Standardizes secret naming conventions for better clarity
  4. Adds missing SLACK_CHANNEL secret references
  5. Improves dependabot configuration with grouping and assignee features
  6. Adds the kernelsam user to the cspell dictionary
  7. Grants pull-requests: write permission to lint-workflows (.github/workflows/lint-workflows.yaml:18)

Minor Note:

  • Consider adding a CHANGELOG.md entry if your project tracks infrastructure changes (though this may not be required for CI/CD updates per project conventions).

No blocking issues found. The changes improve maintainability and fix actual bugs in the GitHub Actions workflows.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@kernelsam kernelsam enabled auto-merge (squash) February 16, 2026 20:43
@kernelsam kernelsam assigned docktermj and unassigned kernelsam Feb 16, 2026
@kernelsam kernelsam merged commit e0e4113 into main Feb 16, 2026
28 checks passed
@kernelsam kernelsam deleted the skern-workflow-standardize branch February 16, 2026 20:59