standardize workflows for build-resources v4 #469

Merged
docktermj merged 1 commit into main from skern-workflow-standardize on Feb 17, 2026
@kernelsam (Contributor)

Summary

  • Rename reusable workflow secret keys for build-resources v4
  • Replace .outputs.job-status with .result
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all build-resources workflow refs to @v4
  • Standardize dependabot config (cooldown, groups, assignees)
  • Add kernelsam and cooldown to cspell dictionary

@kernelsam kernelsam requested review from a team as code owners February 16, 2026 22:11
@kernelsam kernelsam self-assigned this Feb 16, 2026
@github-actions

🤖 Claude Code Review

Code Review Analysis

Code Quality ✅

✅ Code follows style guide

  • The changes are primarily YAML configuration updates for GitHub Actions workflows
  • YAML formatting follows proper conventions with consistent quoting and indentation
  • Changes align with standardization to build-resources v4

✅ No commented-out code

  • The diff removes a comment block from .github/dependabot.yml (lines about configuration documentation) which is appropriate as it's redundant

✅ Meaningful variable names

  • Secret names are being standardized (e.g., SENZING_MEMBERS → MEMBERS, SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN)
  • These follow a more concise naming convention while remaining clear

✅ DRY principle followed

  • Changes are systematic across multiple workflow files, applying the same patterns consistently

✅ No defects identified

  • Changes are straightforward configuration updates
  • Proper migration from needs.*.outputs.job-status to needs.*.result (which is the correct GitHub Actions syntax)
  • Addition of missing SLACK_CHANNEL secret parameter

❌ Project memory (CLAUDE.md) consideration

  • .github/dependabot.yml:5 - The assignees: - "kernelsam" hardcodes a specific GitHub username, which violates the principle stated in CLAUDE.md that configuration should be "general enough that it can be used for any local developer"
  • This should ideally use a repository variable or be removed to keep the configuration generic

Testing ✅

✅ Unit tests not applicable

  • This PR only modifies GitHub Actions workflow YAML files and configuration
  • No code changes requiring unit tests

✅ Integration tests not applicable

  • No functional code changes

✅ Edge cases not applicable

  • Configuration changes only

✅ Test coverage not applicable

  • No code requiring coverage

Documentation ✅

✅ README not affected

  • Changes are internal workflow configuration

✅ API docs not applicable

  • No API changes

✅ Inline comments

  • Removal of documentation comment in dependabot.yml is acceptable as it pointed to external docs

✅ CHANGELOG.md

  • Not updated, but this appears to be an infrastructure/workflow standardization change that may not warrant a CHANGELOG entry (depends on project policy)

✅ Markdown formatting

  • No markdown file changes in this PR

Security ✅

✅ No hardcoded credentials

  • All secrets properly referenced via ${{ secrets.* }}
  • No credential values exposed

✅ Input validation not applicable

  • Configuration files only

✅ Proper error handling

  • Workflow error handling maintained with proper conditions

✅ No sensitive data in logs

  • Secrets properly masked through GitHub Actions secret mechanism

❌ CRITICAL: No license files detected

  • No .lic files or AQAAAD strings found in the diff

Summary

This PR successfully standardizes GitHub Actions workflows to use build-resources@v4 with consistent patterns. The changes are well-structured and follow best practices for GitHub Actions configuration.

Issues Found:

  1. Minor Issue - .github/dependabot.yml:5 - Hardcoded username "kernelsam" in assignees violates the principle from CLAUDE.md that project configuration should be environment-agnostic. Consider using a repository variable or removing this to maintain genericity.

Recommendations:

  • Consider documenting this infrastructure change in CHANGELOG.md if your project policy requires tracking workflow updates
  • The standardization improves maintainability by using centralized workflow definitions

Automated code review analyzing defects and coding standards

@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from 388ad5c to 1711a58 Compare February 16, 2026 22:33
@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from 1711a58 to eda3713 Compare February 16, 2026 22:44
@github-actions

🤖 Claude Code Review

I'll analyze this PR diff against the provided checklist. This appears to be a workflow standardization update migrating from v3 to v4 of the build-resources workflows.

Code Review

Code Quality

Code follows style guide: The changes are primarily to GitHub Actions workflow files and configuration. The YAML formatting follows proper conventions with consistent quoting and structure.

No commented-out code: No commented code found. The removed comment in .github/dependabot.yml:1-2 is appropriate - replaced with proper YAML document separator ---.

Meaningful variable names: All variable and secret names are clear and descriptive (e.g., PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, SLACK_CHANNEL).

DRY principle followed: Changes are systematic and consistent across all workflow files. The migration from v3 to v4 follows the same pattern throughout.

Identify Defects:

  • No critical defects found
  • The changes are internally consistent
  • All secret renames are applied uniformly (e.g., SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN, SENZING_MEMBERS → MEMBERS)
  • The change from needs.*.outputs.job-status to needs.*.result is correct for GitHub Actions
  • New SLACK_CHANNEL secret is added consistently across all Slack notification jobs

Project memory consideration: The changes align with the project's build and development practices. No environment-specific configurations are introduced.

Testing

⚠️ Unit tests for new functions: N/A - This PR only modifies CI/CD workflow configurations, not application code.

⚠️ Integration tests for new endpoints: N/A - No application endpoints modified.

⚠️ Edge cases covered: N/A - No code logic changes.

⚠️ Test coverage > 80%: N/A - No code changes affecting test coverage.

Documentation

Readme updated if needed: Not required - workflow changes don't need README updates.

API docs updated: N/A - No API changes.

Inline comments for complex logic: Appropriate for workflow files. The removal of the redundant comment in dependabot.yml is correct.

⚠️ CHANGELOG.md updated: Not updated in this PR. Consider whether workflow infrastructure changes should be documented.

Markdown files follow CommonMark: The only markdown change is in .vscode/cspell.json (adding "kernelsam"), which is not a markdown file. No markdown files were modified.

Security

No hardcoded credentials: All credentials properly use GitHub secrets.

Input validation implemented: N/A - Workflow configuration files.

Proper error handling: The workflows properly check job status with if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.*.result) }}.

No sensitive data in logs: No sensitive data exposure risk.

No checked-in license files: No .lic files or AQAAAD strings present in the diff.


Summary

Issues Found: 0 Critical, 0 Major, 1 Minor

Minor:

  1. CHANGELOG.md not updated - Consider documenting infrastructure changes (.github/dependabot.yml:1-23, all workflow files)
    • While workflow updates may not always warrant CHANGELOG entries, this is a significant migration from v3→v4 across all workflows

Strengths:

  • Systematic and consistent migration across all workflow files
  • Proper secret renaming with correct mappings
  • Correct GitHub Actions syntax changes (outputs.job-status → result)
  • Enhanced dependabot configuration with assignees and groups (.github/dependabot.yml:4-14)
  • Proper YAML formatting improvements

Recommendation: ✅ APPROVE

This is a clean infrastructure update with no defects. The changes are well-structured, consistent, and follow GitHub Actions best practices. The only consideration is whether to document this in CHANGELOG.md, which is a minor issue that doesn't block approval.

Automated code review analyzing defects and coding standards

@github-actions

Super-linter summary

Language | Validation result
CHECKOV | Pass ✅
GITHUB_ACTIONS | Pass ✅
GITHUB_ACTIONS_ZIZMOR | Pass ✅
GITLEAKS | Pass ✅
GIT_MERGE_CONFLICT_MARKERS | Pass ✅
JSCPD | Pass ✅
PRE_COMMIT | Pass ✅
SPELL_CODESPELL | Pass ✅
TRIVY | Pass ✅
YAML | Pass ✅
YAML_PRETTIER | Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj merged commit 37f7698 into main Feb 17, 2026
37 checks passed
@docktermj docktermj deleted the skern-workflow-standardize branch February 17, 2026 13:16