chore: add slack notification for lockfile update PRs

[devin-ai-integration]

Summary

Adds a Slack webhook notification step to the reusable update-lockfile workflow. Accepts an optional SLACK_WEBHOOK_URL secret — when provided, posts the PR URL to Slack after a lockfile update PR is created.

Changes

• Added SLACK_WEBHOOK_URL as an optional secret in workflow_call
• Added a "Notify Slack" step that fires only when a PR URL exists and the secret is provided

Type of Change

• New feature

Testing

• Manually tested

Checklist

• Self-reviewed the diff
• No debug/dead code left in

Notes

Merge this before the benchmark service caller PRs so the secret is accepted. The secret is optional (required: false) so existing callers won't break if SLACK_WEBHOOK_URL isn't provisioned yet.

Link to Devin session: https://app.devin.ai/sessions/7768353d8ede429eb108f2c272e88747
Requested by: @BradenBug

[assert-app]

Review on Assert →

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

Devin Review found 1 potential issue.

View 2 additional findings in Devin Review.

[devin-ai-integration]

🔴 secrets context in step if: conditional may always evaluate to empty string

GitHub Actions documentation states that secrets cannot be directly referenced in if: conditionals. The condition secrets.SLACK_WEBHOOK_URL on line 40 may always evaluate to an empty string (falsy), causing the Slack notification step to never execute even when the secret is provided by the calling workflow. The recommended pattern is to set the secret as an environment variable at the job level and then check env.SLACK_WEBHOOK_URL != '' in the if: condition.

Recommended pattern

Define the env at job level, then use it in the if: condition:

jobs:
  update:
    runs-on: ubuntu-latest
    env:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
    steps:
      ...
      - name: Notify Slack
        if: steps.cpr.outputs.pull-request-url && env.SLACK_WEBHOOK_URL
        run: |
          curl -sf -X POST "$SLACK_WEBHOOK_URL" ...

Prompt for agents

The `if` condition on line 40 references `secrets.SLACK_WEBHOOK_URL` directly, which GitHub Actions documentation warns against — secrets may not be accessible in `if:` conditionals and may always evaluate as empty. The fix is to set the secret as a job-level environment variable and reference it via `env` context instead.

In .github/workflows/update-lockfile.yaml, add an `env` block at the job level (under `jobs.update`) mapping SLACK_WEBHOOK_URL to the secret, then change the `if:` condition from `secrets.SLACK_WEBHOOK_URL` to `env.SLACK_WEBHOOK_URL`. You can then remove the step-level `env` block since it's already defined at the job level.

Job-level env:
  jobs:
    update:
      runs-on: ubuntu-latest
      env:
        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

Step if condition change:
  if: steps.cpr.outputs.pull-request-url && env.SLACK_WEBHOOK_URL

---

Was this helpful? React with 👍 or 👎 to provide feedback.