[ci] Updated CI failure bot caller

- Fixed PR author info
- Scoped write permissions to the retry job, not the whole workflow.

Author: stktyagi

.github/workflows/bot-ci-failure.yml

@@ -7,7 +7,7 @@ on:
       - completed
 
 permissions:
-  pull-requests: write
+  pull-requests: read
   actions: read
   contents: read
 
@@ -18,7 +18,7 @@ concurrency:
 jobs:
   find-pr:
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'failure' }}
+    if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.workflow_run.event == 'pull_request' }}
     outputs:
       pr_number: ${{ steps.pr.outputs.number }}
       pr_author: ${{ steps.pr.outputs.author }}
@@ -35,9 +35,8 @@ jobs:
             local pr_number="$1"
             local pr_author
             pr_author=$(gh pr view "$pr_number" --repo "$REPO" --json author --jq '.author.login // empty' 2>/dev/null || echo "")
-            if [ -z "$pr_author" ]; then
-              pr_author="${{ github.event.workflow_run.actor.login }}"
-              echo "::warning::Could not fetch PR author for PR #$pr_number; falling back to @$pr_author"
+            if [ -z "$pr_author" ] || [ "$pr_author" = "null" ]; then
+              echo "::warning::Could not fetch PR author for PR #$pr_number"
             fi 
             echo "number=$pr_number" >> "$GITHUB_OUTPUT"
             echo "author=$pr_author" >> "$GITHUB_OUTPUT"
@@ -69,6 +68,10 @@ jobs:
   call-ci-failure-bot:
     needs: find-pr
     if: ${{ needs.find-pr.outputs.pr_number != '' }}
+    permissions:
+      pull-requests: write
+      actions: write
+      contents: read
     uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@master
     with:
       pr_number: ${{ needs.find-pr.outputs.pr_number }}