[feature] Add changelog bot

[pushpitkamboj]

Checklist

• I have read the OpenWISP Contributing Guidelines.
• I have manually tested the changes proposed in this pull request.
• I have written new test cases for new code and/or updated existing tests for changes to existing code.
• I have updated the documentation.

Reference to Existing Issue

Closes #495

Description of Changes

Added a changelog bot workflow to automatically update changelogs when PRs are approved.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds two GitHub Actions workflows for automated changelog generation. bot-changelog-trigger.yml runs on pull_request_review submissions, checks reviewer association and that the PR title starts with [feature], [fix], or [change], and when matched uploads a changelog-metadata artifact containing the PR number. bot-changelog-runner.yml triggers on successful completion of the trigger workflow, downloads and validates the pr_number artifact, and conditionally invokes a reusable changelog workflow with the PR number and forwarded secrets.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub
    participant Trigger as Changelog Bot Trigger
    participant Artifact as Artifact Storage
    participant Runner as Changelog Bot Runner
    participant Reusable as Reusable Changelog Workflow

    Dev->>GH: Submit PR review (submitted)
    GH->>Trigger: pull_request_review webhook
    Trigger->>Trigger: Check reviewer association & PR title pattern
    alt Title matches and reviewer allowed
        Trigger->>Artifact: Upload changelog-metadata (pr_number)
        Trigger->>GH: Complete workflow run (success)
    end
    GH->>Runner: workflow_run (on success)
    Runner->>Artifact: Download changelog-metadata
    Runner->>Runner: Parse & validate pr_number
    alt pr_number valid
        Runner->>Reusable: Invoke reusable-bot-changelog with pr_number + secrets
        Reusable->>Reusable: Generate changelog
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• [CI] Add changelog bot workflow openwisp-monitoring#762 — Adds CI workflows integrating a changelog bot; similar pattern of trigger → artifact metadata → runner invocation.

Suggested reviewers

• nemesifier

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title clearly summarizes the main change: adding a changelog bot workflow. It follows the required format [type] with 'feature' as the type and provides a descriptive title.
Description check	✅ Passed	The pull request description covers the essential sections from the template: checklist (partially completed), reference to existing issue (#495), and description of changes. While test cases and documentation updates are not completed, the core required information is present.
Linked Issues check	✅ Passed	The pull request successfully implements the objective from issue #495 by adding a complete changelog bot workflow that automates changelog generation when PRs are approved, using both trigger and runner workflows.
Out of Scope Changes check	✅ Passed	All changes in the pull request are directly scoped to the linked issue #495. Both workflow files (.github/workflows/bot-changelog-trigger.yml and bot-changelog-runner.yml) are part of implementing the automated changelog generation feature with no extraneous modifications.
Bug Fixes	✅ Passed	This PR adds GitHub Actions workflows for changelog automation, which is an explicit exception to regression testing requirements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-changelog-runner.yml:
- Line 27: Replace the mutable tag "actions/download-artifact@v4" with an
immutable full commit SHA reference (for example
"actions/download-artifact@<full-commit-sha>" and you may append a comment like
"# v4.2.2" for human readability) so the workflow uses a fixed, deterministic
commit; update the "uses: actions/download-artifact@v4" line accordingly and
consider enabling Dependabot or a documented process to periodically refresh the
SHA.
- Around line 48-54: The reusable workflow reference uses the mutable ref
"openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master";
replace the "@master" ref with a specific commit SHA for that repo to pin the
workflow (e.g., change to "@<commit-sha>") so forwarded secrets (GEMINI_API_KEY,
OPENWISP_BOT_APP_ID, OPENWISP_BOT_PRIVATE_KEY) are not exposed to code that can
change; locate the "uses:" line in the workflow and update it to the chosen
immutable commit SHA and commit the change.

In @.github/workflows/bot-changelog-trigger.yml:
- Around line 1-10: Add an explicit top-level permissions block to the
"Changelog Bot Trigger" workflow (the file that defines on: pull_request_review
and env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24) rather than relying on repo
defaults; declare only the minimal scopes the bot needs (for example set
contents: read and pull-requests: write if the action posts PR comments, or
pull-requests: read if it only reads reviews) and omit any unnecessary write
scopes—place the permissions: mapping at the top-level of the workflow with
exact keys needed by your action.
- Around line 34-37: The workflow step named "Upload PR metadata" currently uses
the mutable tag actions/upload-artifact@v4; replace that with the action pinned
to its full commit SHA (e.g., actions/upload-artifact@<full-commit-sha> # v4) to
ensure immutability and supply-chain safety, updating the uses field in that
step while preserving the human-readable "# v4" comment.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7e97df30-d998-4704-8636-b4abde882c9d

📥 Commits

Reviewing files that changed from the base of the PR and between 2ef104e and 60ae8de.

📒 Files selected for processing (2)

• .github/workflows/bot-changelog-runner.yml
• .github/workflows/bot-changelog-trigger.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Python==3.10 | django~=4.2.0
• GitHub Check: Python==3.11 | django~=5.2.0
• GitHub Check: Python==3.13 | django~=5.2.0
• GitHub Check: Python==3.13 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=4.2.0
• GitHub Check: Python==3.12 | django~=5.2.0
• GitHub Check: Python==3.11 | django~=5.0.0
• GitHub Check: Python==3.12 | django~=5.0.0
• GitHub Check: Python==3.10 | django~=5.0.0
• GitHub Check: Python==3.10 | django~=5.2.0
• GitHub Check: Python==3.12 | django~=5.1.0
• GitHub Check: Python==3.11 | django~=4.2.0
• GitHub Check: Python==3.11 | django~=5.1.0
• GitHub Check: Python==3.10 | django~=5.1.0

[openwisp-companion]

CI Failure: Prettier Check Failed

Hello @pushpitkamboj,
(Analysis for commit 60ae8de)

The CI failed because of Prettier formatting issues in your commit.

Fix:
Run the command openwisp-qa-format in your local environment to automatically fix these issues. If the problem persists, ensure Prettier is correctly configured in your project.

[coderabbitai]

♻️ Duplicate comments (4)

.github/workflows/bot-changelog-trigger.yml (2)

34-37: ⚠️ Potential issue | 🟠 Major

Pin actions/upload-artifact to a full commit SHA.

Using @v4 is mutable. Pin to an immutable full SHA to reduce supply-chain drift risk.

🛡️ Proposed change

-      - name: Upload PR metadata
+      - name: Upload PR metadata
         if: steps.check.outputs.has_noteworthy == 'true'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@<full_commit_sha> # v4
         with:
           name: changelog-metadata
           path: pr_number

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bot-changelog-trigger.yml around lines 34 - 37, The
workflow step named "Upload PR metadata" currently references the mutable
selector uses: actions/upload-artifact@v4; update this to pin the action to an
immutable full commit SHA instead (replace `@v4` with the corresponding full
commit SHA for actions/upload-artifact) so the step uses a fixed reference and
avoids supply-chain drift.

---

1-10: ⚠️ Potential issue | 🟠 Major

Add explicit top-level token permissions (least privilege).

This workflow still relies on repository-default GITHUB_TOKEN scopes. Define explicit minimal permissions to avoid accidental over-privilege.

🔐 Proposed hardening

 name: Changelog Bot Trigger
 
 on:
   pull_request_review:
     types: [submitted]
 
+permissions:
+  contents: read
+  actions: write
+
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bot-changelog-trigger.yml around lines 1 - 10, The
workflow relies on repo-default GITHUB_TOKEN scopes; add an explicit top-level
permissions block to enforce least-privilege (insert a permissions: map at
top-level alongside name/on/env/jobs). Determine the minimal scopes the
changelog bot needs (e.g., contents: read, issues: write, pull-requests: write,
checks: write — adjust as required) and set only those entries under
permissions; place the permissions: block at the same top-level level as
name/on/env/jobs so the workflow no longer inherits broad default token scopes.

.github/workflows/bot-changelog-runner.yml (2)

48-54: ⚠️ Potential issue | 🔴 Critical

Do not call reusable workflow from mutable @master when passing secrets.

This is a high-risk supply-chain exposure path. Pin the reusable workflow to a full commit SHA.

🚨 Proposed change

-    uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master
+    uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@<full_commit_sha>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bot-changelog-runner.yml around lines 48 - 54, The
reusable workflow is referenced with a mutable ref
openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master
which exposes secrets to a moving target; update the uses entry to pin it to a
full commit SHA (e.g., change the ref after the @ to the exact commit SHA for
reusable-bot-changelog.yml) so the `uses:` line is no longer `@master`, verify the
chosen SHA exists in the openwisp-utils repo and keep the existing `with:` and
`secrets:` blocks unchanged.

---

27-27: ⚠️ Potential issue | 🟠 Major

Pin actions/download-artifact to an immutable commit SHA.

@v4 is mutable; pinning avoids non-deterministic and supply-chain-sensitive workflow behavior.

🛡️ Proposed change

-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@<full_commit_sha> # v4

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bot-changelog-runner.yml at line 27, Replace the mutable
ref "actions/download-artifact@v4" with an immutable commit SHA to prevent
supply-chain drift: locate the actions/download-artifact GitHub repo, pick the
exact commit you want to pin (or the commit corresponding to the v4 tag) and
update the workflow `uses:` entry from "actions/download-artifact@v4" to
"actions/download-artifact@<full-commit-sha>"; ensure the SHA is the full
40-character commit hash and run the workflow to verify behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/bot-changelog-runner.yml:
- Around line 48-54: The reusable workflow is referenced with a mutable ref
openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master
which exposes secrets to a moving target; update the uses entry to pin it to a
full commit SHA (e.g., change the ref after the @ to the exact commit SHA for
reusable-bot-changelog.yml) so the `uses:` line is no longer `@master`, verify the
chosen SHA exists in the openwisp-utils repo and keep the existing `with:` and
`secrets:` blocks unchanged.
- Line 27: Replace the mutable ref "actions/download-artifact@v4" with an
immutable commit SHA to prevent supply-chain drift: locate the
actions/download-artifact GitHub repo, pick the exact commit you want to pin (or
the commit corresponding to the v4 tag) and update the workflow `uses:` entry
from "actions/download-artifact@v4" to
"actions/download-artifact@<full-commit-sha>"; ensure the SHA is the full
40-character commit hash and run the workflow to verify behavior.

In @.github/workflows/bot-changelog-trigger.yml:
- Around line 34-37: The workflow step named "Upload PR metadata" currently
references the mutable selector uses: actions/upload-artifact@v4; update this to
pin the action to an immutable full commit SHA instead (replace `@v4` with the
corresponding full commit SHA for actions/upload-artifact) so the step uses a
fixed reference and avoids supply-chain drift.
- Around line 1-10: The workflow relies on repo-default GITHUB_TOKEN scopes; add
an explicit top-level permissions block to enforce least-privilege (insert a
permissions: map at top-level alongside name/on/env/jobs). Determine the minimal
scopes the changelog bot needs (e.g., contents: read, issues: write,
pull-requests: write, checks: write — adjust as required) and set only those
entries under permissions; place the permissions: block at the same top-level
level as name/on/env/jobs so the workflow no longer inherits broad default token
scopes.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 070db182-1b5f-439f-9898-d7a1b62afb6a

📥 Commits

Reviewing files that changed from the base of the PR and between 60ae8de and 60c3e17.

📒 Files selected for processing (2)

• .github/workflows/bot-changelog-runner.yml
• .github/workflows/bot-changelog-trigger.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Python==3.11 | django~=5.2.0
• GitHub Check: Python==3.13 | django~=5.2.0
• GitHub Check: Python==3.11 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=5.0.0
• GitHub Check: Python==3.13 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=5.2.0
• GitHub Check: Python==3.12 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=4.2.0
• GitHub Check: Python==3.11 | django~=4.2.0
• GitHub Check: Python==3.11 | django~=5.0.0
• GitHub Check: Python==3.10 | django~=5.2.0
• GitHub Check: Python==3.10 | django~=5.1.0
• GitHub Check: Python==3.10 | django~=5.0.0
• GitHub Check: Python==3.10 | django~=4.2.0

🔇 Additional comments (2)

.github/workflows/bot-changelog-trigger.yml (1)

12-16: Trusted reviewer gating is well-scoped.

Good use of author_association + approved-state checks to limit trigger execution to trusted reviewers.

.github/workflows/bot-changelog-runner.yml (1)

34-43: PR metadata validation is solid.

The numeric guard before exporting pr_number is a good integrity check.

[coveralls]

coverage: 97.894%. remained the same — pushpitkamboj:ci/changelog_bot into openwisp:master

[nemesifier]

This does not reflect what we have in the docs on openwisp-utils, why is it needed?
Do we need to update the docs in openwisp-utils?

[nemesifier]

@pushpitkamboj see:

https://github.com/actions/download-artifact/releases
https://github.com/actions/upload-artifact/releases

There's new releases which ship the following:

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

Hence it seems this is not needed anymore in both.

[pushpitkamboj]

ohkay, its a good news then, I will quickly remove these from this pr and also fix in other repos as well.

[nemesifier]

Same here.

[pushpitkamboj]

we discussed about this on devs channel. actions/download-artifact@v4 depends on node20 which has been deprecated. To opt into node 24 I followed whats suggested here https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
Once node24 becomes normal which is in June I will remove this

[openwisp-companion]

Commit Message and Test Failures

```

Hello @pushpitkamboj,
(Analysis for commit 6e5409b)

• Commit Message: The commit message is invalid. It should follow the Conventional Commits specification.

  • Fix: Please reformat your commit message. A valid format is:

    [tag] Capitalized short title #<issue>
    
    <description>
    
    Fixes #<issue>
    

    For example:

    [feature] Add new user registration endpoint #123
    
    This commit introduces a new API endpoint for user registration,
    allowing users to sign up with their email and password.
    
    Fixes #123
    

• Test Failure: The test test_shelf_add_form_organization_field in test_selenium.py failed.

  • Fix: This test seems to be failing due to an issue with how the organization field is handled in the Selenium tests. It's difficult to pinpoint the exact cause without more context or a reproducible example. Please investigate the test_shelf_add_form_organization_field method in tests/test_selenium.py for potential issues related to element selection, waiting strategies, or data handling.

• Test Failure: The test test_shelf_add_form_organization_field in test_selenium.py failed with an AssertionError.

  • Fix: This is likely related to the previous test failure. The AssertionError suggests that the actual output of the test did not match the expected output. This could be due to incorrect test data, an issue with the test setup, or a bug in the code being tested. Please examine the assertions within test_shelf_add_form_organization_field and compare them with the expected behavior of the organization field.

[nemesifier]

@pushpitkamboj please see my comment below and fix the commit message QA error.

[nemesifier]

@pushpitkamboj see:

https://github.com/actions/download-artifact/releases
https://github.com/actions/upload-artifact/releases

There's new releases which ship the following:

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

Hence it seems this is not needed anymore in both.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-changelog-runner.yml:
- Around line 9-13: Move the broad write scopes out of the top-level permissions
and limit them to the changelog job: remove pull-requests: write, issues: write,
and contents: read from the top-level block and add them under the changelog
job’s permissions (contents: read, pull-requests: write, issues: write); keep
the top-level permissions minimal (actions: read) and ensure the fetch-metadata
job’s permissions are set to actions: read (no write/contents), since
actions/download-artifact only needs read; also verify the reusable changelog
workflow accepts only contents: read, pull-requests: write, and issues: write
via GITHUB_TOKEN.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 244b15de-020f-4950-a586-db0359203013

📥 Commits

Reviewing files that changed from the base of the PR and between 5b642cf and 63d4072.

📒 Files selected for processing (2)

• .github/workflows/bot-changelog-runner.yml
• .github/workflows/bot-changelog-trigger.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Python==3.12 | django~=5.2.0
• GitHub Check: Python==3.11 | django~=5.2.0
• GitHub Check: Python==3.12 | django~=5.0.0
• GitHub Check: Python==3.11 | django~=5.1.0
• GitHub Check: Python==3.13 | django~=5.2.0
• GitHub Check: Python==3.13 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=4.2.0
• GitHub Check: Python==3.10 | django~=5.0.0
• GitHub Check: Python==3.11 | django~=5.0.0
• GitHub Check: Python==3.11 | django~=4.2.0
• GitHub Check: Python==3.10 | django~=5.2.0
• GitHub Check: Python==3.10 | django~=5.1.0
• GitHub Check: Python==3.10 | django~=4.2.0

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2026-04-17T20:35:58.550Z

Learnt from: nemesifier
Repo: openwisp/openwisp-users PR: 496
File: .github/workflows/bot-changelog-runner.yml:27-27
Timestamp: 2026-04-17T20:35:58.550Z
Learning: In the openwisp/openwisp-users repository, do not require pinning GitHub Actions to full commit SHAs for supply-chain security. It’s acceptable to reference actions using mutable major version tags like `actions/download-artifactv4`. When reviewing workflow YAML files, avoid raising comments specifically about SHA pinning for GitHub Actions in this repo.

Applied to files:

• .github/workflows/bot-changelog-trigger.yml
• .github/workflows/bot-changelog-runner.yml

🔇 Additional comments (6)

.github/workflows/bot-changelog-trigger.yml (4)

1-7: Least-privilege trigger setup looks good.

The workflow is scoped to review submissions and explicitly disables GITHUB_TOKEN permissions, which fits this metadata-only trigger job.

---

11-16: Approval gate is appropriately scoped.

The job only runs for approved reviews from repository-associated users, which prevents untrusted review events from producing changelog metadata.

---

18-25: PR title filtering looks correct.

The regex is anchored, case-insensitive, and the title is passed through a quoted environment variable, so this check is narrowly scoped and shell-safe.

---

27-38: Metadata artifact handoff is straightforward.

The workflow only uploads the PR number when the title is noteworthy, which keeps the downstream runner input minimal.

.github/workflows/bot-changelog-runner.yml (2)

31-40: Metadata validation looks good.

The runner validates pr_number before exporting it as a job output, which keeps the reusable workflow input constrained to a numeric PR identifier.

---

46-51: Explicit secret mapping is good.

Passing only the named secrets needed by the reusable workflow is preferable to broad secrets: inherit.

[nemesifier]

@pushpitkamboj update to the latest version

[nemesifier]

same here

[nemesifier]

@coderabbitai have all the problems been addressed? If yes, approve the PR.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get all review comments on PR `#496`
gh pr view 496 --repo openwisp/openwisp-users --json reviews,comments

# Get review comments (inline)
gh api repos/openwisp/openwisp-users/pulls/496/comments --jq '.[] | {id: .id, body: .body, user: .user.login, path: .path, line: .line}'

# Get issue comments
gh api repos/openwisp/openwisp-users/issues/496/comments --jq '.[] | {id: .id, body: .body, user: .user.login}'

# Check if there are any unresolved review threads
gh api repos/openwisp/openwisp-users/pulls/496/reviews --jq '.[] | {id: .id, state: .state, user: .user.login, body: .body}'

Length of output: 107911

---

@nemesifier Yes, all the problems I raised have been addressed:

1. ✅ Explicit permissions for bot-changelog-trigger.yml — Addressed in commit 6e5409b.
2. ✅ Permissions scoping in bot-changelog-runner.yml — Write scopes moved to the changelog job only, addressed in commits 63d4072 to c8401e5.
3. ✅ SHA pinning comments — Dismissed per your guidance; learning recorded for this repo.

I can see you've already approved the PR at c8401e5. I'll approve as well.

[approve]

[nemesifier]

@coderabbitai I don't see your approval in the PR status, why is that?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check current reviews on PR `#496`
gh api repos/openwisp/openwisp-users/pulls/496/reviews --jq '.[] | {id: .id, state: .state, user: .user.login, submitted_at: .submitted_at}'

Length of output: 1329

---

@nemesifier, apologies for the confusion! It looks like my previous [approve] action didn't go through — my last recorded review state is still CHANGES_REQUESTED from 2026-04-22T06:16:46Z. I'm re-triggering the approval now.

[approve]