standardize workflows for build-resources v4

[kernelsam]

Summary

• Rename reusable workflow secret keys for build-resources v4
• Replace .outputs.job-status with .result
• Add SLACK_CHANNEL secret to slack notification callers
• Bump all build-resources workflow refs to @v4
• Standardize dependabot config (cooldown, groups, assignees)
• Add kernelsam and cooldown to cspell dictionary

[github-actions]

🤖 Claude Code Review

I'll perform a comprehensive code review of this pull request against the provided checklist.

Code Review Analysis

Code Quality

✅ Code follows style guide: The changes align with the referenced style guide. The modifications are primarily configuration files (YAML) that have been standardized.

✅ No commented-out code: All commented-out code has been removed. The old commented documentation in .github/dependabot.yml:1-2 was replaced with proper YAML structure.

✅ Meaningful variable names: All variable and parameter names are clear and descriptive (e.g., PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, SLACK_CHANNEL).

✅ DRY principle followed: The changes actually improve DRY by standardizing the workflow patterns across multiple files, using consistent secret names and workflow references.

✅ Identify Defects: No bugs, logic errors, or security vulnerabilities detected. The changes are configuration updates that:

• Upgrade workflow versions from v3 to v4
• Standardize secret naming conventions
• Add missing SLACK_CHANNEL secret references
• Update job status references from needs.<job>.outputs.job-status to needs.<job>.result (correct GitHub Actions syntax)
• Add proper dependabot grouping and cooldown exclusions

✅ Project memory (./.claude/CLAUDE.md): The changes don't modify the CLAUDE.md file and are general infrastructure updates applicable to any developer environment.

Testing

⚠️ Unit tests for new functions: N/A - This PR only modifies CI/CD configuration files, no code changes requiring unit tests.

⚠️ Integration tests for new endpoints: N/A - No new endpoints added.

⚠️ Edge cases covered: N/A - Configuration changes only.

⚠️ Test coverage > 80%: N/A - No code changes affecting coverage.

Documentation

✅ Readme updated if needed: No README updates needed - these are internal CI/CD configuration changes.

✅ API docs updated: N/A - No API changes.

✅ Inline comments for complex logic: N/A - YAML configuration files are self-documenting.

⚠️ CHANGELOG.md updated: Not present in this diff. Should consider whether workflow version bumps warrant a CHANGELOG entry (typically not, but depends on project conventions).

✅ Markdown files follow CommonMark: Only one markdown file changed (.vscode/cspell.json is JSON, not markdown). No markdown formatting issues detected.

Security

✅ No hardcoded credentials: All credentials properly referenced via GitHub secrets (${{ secrets.* }}).

✅ Input validation implemented: N/A - Configuration files.

✅ Proper error handling: The workflows include failure notifications via Slack, which is appropriate error handling for CI/CD.

✅ No sensitive data in logs: No sensitive data exposed.

✅ No license files (.lic) or AQAAAD strings: No license files or sensitive license strings detected in the diff.

---

Summary

Overall Assessment: ✅ APPROVED

This PR represents a clean infrastructure upgrade with the following positive changes:

Key Improvements:

1. Standardization (.github/dependabot.yml:1-23):

   • Added proper YAML document marker (---)
   • Added assignee configuration (kernelsam)
   • Added grouping for senzing-factory dependencies
   • Added cooldown exclusions for senzing-factory updates
   • Quoted all string values for YAML best practices

2. Secret Name Normalization (multiple workflow files):

   • SENZING_MEMBERS → MEMBERS
   • SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN
   • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN
   • Added missing SLACK_CHANNEL secret references

3. Workflow Version Updates: Consistent upgrade from v3 to v4 across all senzing-factory/build-resources workflow references.

4. GitHub Actions Syntax Correction: Changed needs.<job>.outputs.job-status to needs.<job>.result, which is the correct GitHub Actions syntax for accessing job results.

5. Permission Updates (.github/workflows/lint-workflows.yaml:18):

   • Changed pull-requests: read to pull-requests: write, likely required for v4 workflows to post comments.

No Issues Found

All checklist items passed or are not applicable. The changes are well-structured, secure, and follow best practices for GitHub Actions workflows.

Automated code review analyzing defects and coding standards

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter