
[ci] Enabled changelog bot from openwisp-utils#357

Merged: nemesifier merged 1 commit into openwisp:master from pushpitkamboj:ci/changelog_bot on May 6, 2026

@pushpitkamboj

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Reference to Existing Issue

Closes #356

Description of Changes

Added a changelog bot workflow to automatically update changelogs when PRs are approved.

@coderabbitai

coderabbitai Bot commented May 6, 2026

Walkthrough

Two new GitHub Actions workflows were added to automate changelog generation. The "Changelog Bot Trigger" workflow activates when a pull request receives an approved review, checks if the PR title contains noteworthy tags ([feature], [fix], or [change]), and uploads the PR number as an artifact. The "Changelog Bot Runner" workflow then retrieves this metadata upon the trigger workflow's completion, validates the PR number, and invokes a reusable changelog workflow with appropriate secrets for processing.

Sequence Diagram

sequenceDiagram
    actor Developer
    participant GitHub as GitHub
    participant TriggerWF as Changelog Bot Trigger
    participant Artifact as Artifact Storage
    participant RunnerWF as Changelog Bot Runner
    participant ReusableWF as Reusable Bot Changelog<br/>(openwisp-utils)

    Developer->>GitHub: Submit approved review
    GitHub->>TriggerWF: Trigger on pull_request_review
    activate TriggerWF
    TriggerWF->>TriggerWF: Check PR title for noteworthy tags<br/>([feature], [fix], [change])
    alt Title contains tag
        TriggerWF->>TriggerWF: Extract & validate PR number
        TriggerWF->>Artifact: Upload pr_number artifact<br/>(changelog-metadata)
    end
    deactivate TriggerWF
    
    Artifact->>RunnerWF: Trigger on workflow_run completed
    activate RunnerWF
    RunnerWF->>Artifact: Download changelog-metadata artifact
    RunnerWF->>RunnerWF: Parse & validate pr_number
    RunnerWF->>ReusableWF: Invoke with pr_number + secrets
    activate ReusableWF
    ReusableWF->>ReusableWF: Generate changelog
    deactivate ReusableWF
    deactivate RunnerWF

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • nemesifier

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The pull request title follows the required format [ci] and accurately describes the main change of enabling a changelog bot workflow. |
| Description check | ✅ Passed | The PR description covers the essential sections including checklist, reference to issue #356, and a clear description of changes, though test and documentation updates are marked as incomplete. |
| Linked Issues check | ✅ Passed | The pull request successfully implements the objective from issue #356 by adding two GitHub Actions workflows (bot-changelog-trigger and bot-changelog-runner) that enable the changelog bot from openwisp-utils. |
| Out of Scope Changes check | ✅ Passed | All changes in the pull request are within scope, consisting only of the two GitHub Actions workflow files required to enable the changelog bot functionality as specified in issue #356. |
| Bug Fixes | ✅ Passed | This PR is a feature addition (changelog bot workflows), not a bug fix. The "Bug Fixes" check only applies to PRs fixing bugs. Per instructions, non-applicable checks are passed. |


@kilo-code-bot

kilo-code-bot Bot commented May 6, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (2 files)
  • .github/workflows/bot-changelog-runner.yml
  • .github/workflows/bot-changelog-trigger.yml

The workflow implementation correctly:

  • Uses appropriate artifact action versions (upload-artifact@v7, download-artifact@v8)
  • Validates PR numbers with regex before passing to reusable workflow
  • Has proper permission scoping at workflow and job levels
  • Implements security checks for reviewer authorization (OWNER/MEMBER/COLLABORATOR)
  • Fulfills the requirement from issue add changelot bot workflow #356

Reviewed by kimi-k2.5-0127 · 81,514 tokens


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/bot-changelog-trigger.yml (1)

27-39: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Potential duplicate changelog entries when multiple qualified reviewers approve.

Each time an OWNER/MEMBER/COLLABORATOR submits an approved review on a noteworthy PR, a new trigger run fires and uploads its own changelog-metadata artifact (scoped to that run). The runner then executes independently for each trigger run, calling the reusable changelog workflow once per approval. If two qualified reviewers approve the same PR, the changelog bot runs twice.

Depending on whether reusable-bot-changelog.yml is idempotent, this can result in duplicate changelog entries. Consider adding a deduplication guard — for example, checking whether the bot has already commented or already updated the changelog for a given PR before proceeding:

💡 Suggested mitigation in the trigger
      - name: Save PR metadata
        if: steps.check.outputs.has_noteworthy == 'true'
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
+         # Guard: only upload if this is the first approval on the PR.
+         # Remove the artifact check if the reusable workflow is already idempotent.
        run: echo "$PR_NUMBER" > pr_number
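
Review bot: the two `+` lines above `run:` are comments only, so the "Save PR metadata" step still writes pr_number on every approval that passes the `has_noteworthy == 'true'` condition; the guard they describe is not implemented, and the second comment refers to an "artifact check" that does not appear anywhere in the step. To make this an actual mitigation, add a preceding step that determines whether the PR was already processed and include its output in this step's `if:` condition, or drop the comments and handle re-entrancy in the reusable workflow.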

Alternatively, verify whether openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml already handles re-entrancy, and document that assumption if so.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/bot-changelog-trigger.yml around lines 27 - 39, Multiple
approval-triggered runs can cause duplicate changelog processing; add a
deduplication guard so the reusable workflow (reusable-bot-changelog.yml) exits
early if the PR was already handled. In the trigger flow around the "Save PR
metadata" / "Upload PR metadata" steps (artifact name changelog-metadata) either
(a) add a pre-check step in the reusable-bot-changelog.yml to query GitHub for
an existing bot comment or a prior changelog entry for the same PR_NUMBER and
skip processing if found, or (b) implement an atomic check/update (e.g.,
create/update a repo file or a label) before doing the changelog write and abort
if the marker exists; ensure the guard uses PR_NUMBER to identify the PR and
that the check is performed before any changelog mutation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/bot-changelog-runner.yml:
- Around line 41-54: The reusable workflow reference under the changelog job
currently uses a branch ref
("openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master");
replace the "@master" suffix with a specific commit SHA (the full 40-character
commit hash) for the commit you have verified in openwisp-utils so the line
becomes ".../reusable-bot-changelog.yml@<commit-sha>"; ensure you update any
docs or comments indicating which upstream commit was pinned and why, and verify
the three forwarded secrets (GEMINI_API_KEY, OPENWISP_BOT_APP_ID,
OPENWISP_BOT_PRIVATE_KEY) are intentionally provided to that pinned commit.


📥 Commits

Reviewing files that changed from the base of the PR and between 0144f15 and f525851.

📒 Files selected for processing (2)
  • .github/workflows/bot-changelog-runner.yml
  • .github/workflows/bot-changelog-trigger.yml
📜 Review details
🔇 Additional comments (4)
.github/workflows/bot-changelog-trigger.yml (2)

1-16: LGTM — trigger configuration and permissions are correct.

permissions: {} correctly grants no GITHUB_TOKEN access for the trigger workflow. The pull_request_review: types: [submitted] trigger and the multiline if: condition (using |) filtering on review.state == 'approved' and author_association are both valid and widely supported by the GitHub Actions expression evaluator.


17-25: LGTM — injection-safe PR title check.

Passing PR_TITLE through env: before using it in the shell script is the correct approach to avoid injection from untrusted user input in run: steps.

.github/workflows/bot-changelog-runner.yml (2)

1-28: LGTM — runner trigger, permissions, and artifact download are correctly structured.

workflow_run on completed with the conclusion == 'success' guard, cross-run artifact download via github-token + run-id, and continue-on-error: true on the download step are all correct patterns for this use case. actions/download-artifact@v8 supports downloading from a specified run and is compatible with artifacts produced by actions/upload-artifact@v4+ (including v7).


30-39: LGTM — PR number validation is solid.

The ^[0-9]+$ guard rejects empty strings and non-numeric content, and exit 1 cleanly fails the job on invalid input, preventing the changelog job from running with bad data.
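
The PR-number validation discussed in the review above, written out as an added example (it is not the workflow code from this PR). It treats the downloaded `pr_number` file as untrusted input and matches the whole content rather than individual lines; the function names, the 16-byte size bound and the sample files are assumptions.

```shell
#!/bin/sh
# Added example; function names and the 16-byte bound are assumptions.

# Print the PR number from file $1 if it is exactly one run of digits.
read_pr_number() {
  f=$1
  [ -f "$f" ] && [ ! -L "$f" ] || return 1   # regular file, not a symlink
  [ "$(wc -c < "$f")" -le 16 ] || return 1   # bound the size before reading
  n=$(cat "$f")                              # $(...) drops trailing newlines only
  case "$n" in
    ''|*[!0-9]*) return 1 ;;                 # empty, or any non-digit (newline included)
  esac
  printf '%s\n' "$n"
}

# Contrast: grep tests line by line, so one numeric line is enough to pass.
line_match_accepts() {
  grep -Eq '^[0-9]+$' "$1"
}

# Constructed sample inputs standing in for the downloaded artifact.
demo() {
  d=$(mktemp -d)
  printf '356\n' > "$d/ok"
  printf '356\nextra line\n' > "$d/multi"
  for f_in in "$d/ok" "$d/multi"; do
    if pr=$(read_pr_number "$f_in"); then
      echo "accepted: $pr"
    else
      echo "rejected: ${f_in##*/}"
    fi
  done
  rm -rf "$d"
}
demo
```

The multi-line file is rejected by `read_pr_number` but would pass a line-oriented `grep` check, which is why the match is anchored to the entire value.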

Comment thread .github/workflows/bot-changelog-runner.yml
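
A check for the pinning point raised in the inline comment on the runner workflow, as an added example that is not part of this PR or of openwisp-utils. It generalises from the one reusable-workflow reference to every `uses:` line and reports any that is not pinned to a full 40-character commit SHA; the function names, the sample workflow and the placeholder SHA are constructed, and unquoted `uses:` values are assumed.

```shell
#!/bin/sh
# Added example; names and sample data are constructed for illustration.

# Read workflow YAML on stdin and print each `uses:` reference that is not
# pinned to a 40-character lowercase hex commit SHA.
unpinned_uses() {
  sed -n 's/^[[:space:]-]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
  while IFS= read -r ref; do
    case "$ref" in
      ./*|docker://*) continue ;;        # local paths and images carry no git ref
    esac
    sha=${ref##*@}                       # text after the last '@'
    case "$ref" in *@*) ;; *) sha= ;; esac
    if [ "${#sha}" -ne 40 ] || printf '%s' "$sha" | grep -q '[^0-9a-f]'; then
      printf '%s\n' "$ref"
    fi
  done
}

# Constructed workflow: one tag ref, the branch ref quoted on this page,
# and one reference pinned to a placeholder SHA.
sample_workflow() {
  cat <<'EOF'
jobs:
  fetch:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v8
  changelog:
    uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master
  pinned:
    uses: example-org/example-repo/.github/workflows/ci.yml@0123456789abcdef0123456789abcdef01234567
EOF
}

sample_workflow | unpinned_uses
```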
@nemesifier nemesifier added the github_actions Pull requests that update GitHub Actions code label May 6, 2026
@nemesifier nemesifier merged commit 4d331e6 into openwisp:master May 6, 2026
42 checks passed