CI/changelog bot #697

Open
pushpitkamboj wants to merge 2 commits into openwisp:master from pushpitkamboj:ci/changelog_bot

@pushpitkamboj

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Reference to Existing Issue

Closes #696

Description of Changes

  • Add workflow template to run the bot changelog runner.
  • Ensures the changelog bot executes on approved noteworthy PRs.

@coderabbitai

coderabbitai bot commented Mar 27, 2026

📝 Walkthrough

Two new GitHub Actions workflows were added to establish an automated changelog bot system. The first workflow (bot-changelog-trigger.yml) monitors pull request reviews and identifies noteworthy PRs using title pattern matching (feature/fix/change prefixes). When criteria are met, it stores the PR number as an artifact. The second workflow (bot-changelog-runner.yml) listens for the trigger workflow's completion, retrieves the stored PR number, and invokes a reusable external workflow to generate changelog entries with the necessary API credentials.

Sequence Diagram

```mermaid
sequenceDiagram
    actor Reviewer
    participant GitHub as GitHub Events
    participant TriggerWF as Changelog Bot<br/>Trigger Workflow
    participant Artifact as Artifact Storage
    participant RunnerWF as Changelog Bot<br/>Runner Workflow
    participant ReusableWF as Reusable<br/>Changelog Workflow

    Reviewer->>GitHub: Submits approved review
    GitHub->>TriggerWF: Triggers on pull_request_review
    TriggerWF->>TriggerWF: Check if approved &<br/>authorized reviewer
    TriggerWF->>TriggerWF: Match PR title pattern<br/>(feature|fix|change)
    alt Pattern matched
        TriggerWF->>Artifact: Upload pr_number artifact
        Artifact-->>TriggerWF: Artifact created
    end
    TriggerWF-->>GitHub: Trigger workflow completed
    GitHub->>RunnerWF: Triggers on workflow_run<br/>completion
    RunnerWF->>Artifact: Download changelog-metadata
    Artifact-->>RunnerWF: pr_number retrieved
    RunnerWF->>ReusableWF: Call reusable workflow<br/>with pr_number & secrets
    ReusableWF-->>RunnerWF: Changelog generation completed
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • nemesifier

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The PR title does not follow the required format. It should be '[type] Descriptive title' where type is one of: fix, change, feature, qa, ci, chores, or docs. | Update the title to follow the format: '[ci] Add changelog bot workflow' or '[ci] Implement changelog bot automation for approved PRs'. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description check | ✅ Passed | The pull request description includes the essential sections with issue reference (#696) and description of changes, meeting core requirements despite unchecked test/documentation items. |
| Linked Issues check | ✅ Passed | The pull request successfully implements the objective from issue #696 by adding two GitHub Actions workflow files to enable automated changelog generation for approved noteworthy pull requests. |
| Out of Scope Changes check | ✅ Passed | All changes in the pull request are directly scoped to the linked issue #696, adding only the necessary GitHub Actions workflows for changelog bot automation. |
| Bug Fixes | ✅ Passed | PR adds new GitHub Actions workflow functionality for a changelog bot, not fixing a bug in core user-facing functionality, so the custom check requirements do not apply. |


@pushpitkamboj changed the title from "Ci/changelog bot" to "CI/changelog bot" on Mar 27, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1


📥 Commits

Reviewing files that changed from the base of the PR and between b512f3a and 0d29a3c.

📒 Files selected for processing (2)
  • .github/workflows/bot-changelog-runner.yml
  • .github/workflows/bot-changelog-trigger.yml
📜 Review details
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: stktyagi
Repo: openwisp/openwisp-radius PR: 689
File: .github/workflows/bot-ci-failure.yml:60-60
Timestamp: 2026-03-06T08:48:01.200Z
Learning: In the openwisp/openwisp-radius repository (and other openwisp repositories), reusable workflow caller files (e.g., `.github/workflows/bot-ci-failure.yml`) intentionally reference upstream reusable workflows with `master` (e.g., `openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@master`). This is by design so callers always use the latest changes from the master branch of openwisp-utils. Do not flag this as a security or pinning issue in code reviews.
📚 Learning: 2026-03-06T08:47:54.428Z
Learnt from: stktyagi
Repo: openwisp/openwisp-radius PR: 689
File: .github/workflows/bot-ci-failure.yml:60-60
Timestamp: 2026-03-06T08:47:54.428Z
Learning: In openwisp/openwisp-radius and similar OpenWISP repos, reusable workflow caller files intentionally reference upstream reusable workflows with master (e.g., openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@master). This is by design to ensure callers always use the latest changes from the master branch of the upstream project. Do not flag such references as security or pinning issues during code reviews. If applying this pattern broadly, treat any workflow call that uses a remote reusable workflow from a different repository with master as an intentional design choice rather than a vulnerability.

Applied to files:

  • .github/workflows/bot-changelog-trigger.yml
  • .github/workflows/bot-changelog-runner.yml
🔇 Additional comments (5)
.github/workflows/bot-changelog-trigger.yml (2)

1-17: LGTM!

The workflow trigger and job conditional are well-structured. The check for approved reviews from authorized contributors (OWNER, MEMBER, COLLABORATOR) is appropriate for gating changelog generation.


18-26: LGTM!

The regex pattern ^\[(feature|fix|change)\] with case-insensitive matching correctly identifies noteworthy PRs. Using an environment variable for PR_TITLE avoids shell injection concerns.

.github/workflows/bot-changelog-runner.yml (3)

1-17: LGTM!

The workflow_run trigger correctly chains to the trigger workflow, and the permissions are appropriately scoped for the changelog operations.


18-43: LGTM!

Good defensive programming:

  • continue-on-error: true on artifact download gracefully handles cases where no artifact exists (non-noteworthy PRs).
  • Numeric validation of pr_number prevents injection of malicious input into downstream workflows.

51-54: Verify parameter names match the reusable workflow expectations.

The workflow passes secrets with parameter names OPENWISP_BOT_APP_ID and OPENWISP_BOT_PRIVATE_KEY, which differ from the naming conventions in other workflows that call different reusable workflows:

  • bot-ci-failure.yml calls reusable-bot-ci-failure.yml and uses: APP_ID, PRIVATE_KEY
  • backport.yml calls reusable-backport.yml and uses: app_id, private_key
  • bot-changelog-runner.yml calls reusable-bot-changelog.yml and uses: OPENWISP_BOT_APP_ID, OPENWISP_BOT_PRIVATE_KEY

Since different reusable workflows may have different parameter expectations, confirm that reusable-bot-changelog.yml in openwisp-utils expects parameters named OPENWISP_BOT_APP_ID and OPENWISP_BOT_PRIVATE_KEY rather than APP_ID and PRIVATE_KEY or their lowercase variants.

Comment on lines +34 to +39
- name: Upload PR metadata
if: steps.check.outputs.has_noteworthy == 'true'
uses: actions/upload-artifact@v4
with:
name: changelog-metadata
path: pr_number

🧹 Nitpick | 🔵 Trivial

Consider reducing artifact retention.

The artifact is only needed briefly until the runner workflow consumes it. The default 90-day retention is excessive for this temporary handoff.

♻️ Suggested improvement
       - name: Upload PR metadata
         if: steps.check.outputs.has_noteworthy == 'true'
         uses: actions/upload-artifact@v4
         with:
           name: changelog-metadata
           path: pr_number
+          retention-days: 1
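Review bot: retention-days: 1 on the changelog-metadata upload leaves only a short window for the runner workflow, and this review notes that the runner's artifact download uses continue-on-error: true, so a runner that is delayed or re-run after the artifact has expired would find nothing and skip without a visible failure. Add a comment next to retention-days saying the value must cover the latest expected runner re-run, or use the slightly longer value of 3 that the prompt also mentions.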
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Upload PR metadata
if: steps.check.outputs.has_noteworthy == 'true'
uses: actions/upload-artifact@v4
with:
name: changelog-metadata
path: pr_number
- name: Upload PR metadata
if: steps.check.outputs.has_noteworthy == 'true'
uses: actions/upload-artifact@v4
with:
name: changelog-metadata
path: pr_number
retention-days: 1
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bot-changelog-trigger.yml around lines 34 - 39, The Upload
PR metadata step uses actions/upload-artifact@v4 to store changelog-metadata but
relies on the default 90-day retention; add the retention-days input to the step
(e.g., retention-days: 1 or 3) so the artifact named "changelog-metadata"
uploaded from path "pr_number" is retained only briefly for the downstream
runner workflow to consume.
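
The two input checks the review above approves of (the title pattern applied to `PR_TITLE` from the environment, and numeric validation of the `pr_number` handoff file), as an added example that is not the workflow code from this PR. The function names, the 10-digit bound and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names and sample values are constructed.

# Title gate: reads the title from the PR_TITLE environment variable, so the
# untrusted text is only ever data for grep and never part of the script source.
is_noteworthy_title() {
    printf '%s\n' "${PR_TITLE:-}" | head -n 1 |
        grep -Eiq '^\[(feature|fix|change)\]'
}

# Handoff gate: print the PR number stored in file $1 only if the whole file
# is a short run of digits; anything else (empty, text, extra lines) fails.
read_pr_number() {
    [ -f "$1" ] || return 1
    value=$(cat "$1") || return 1       # $(...) drops the trailing newline
    case "$value" in
        '' | *[!0-9]*) return 1 ;;      # empty, or any non-digit (incl. newline)
    esac
    [ "${#value}" -le 10 ] || return 1  # bound the length before passing it on
    printf '%s\n' "$value"
}

# Constructed sample inputs: three titles and three handoff files.
demo() {
    dir=$(mktemp -d) || return 1
    printf '697\n' > "$dir/good"
    printf '697; echo injected\n' > "$dir/bad"
    for PR_TITLE in '[Fix] Handle empty realm' 'CI/changelog bot' '$(id) [fix]'; do
        export PR_TITLE
        if is_noteworthy_title; then echo "noteworthy: $PR_TITLE"
        else echo "skipped:    $PR_TITLE"; fi
    done
    for f in good bad missing; do
        if n=$(read_pr_number "$dir/$f"); then echo "$f -> pr_number=$n"
        else echo "$f -> rejected"; fi
    done
    rm -rf "$dir"
}
demo
```
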

@openwisp-companion

QA and Commit Message Failures

Hello @pushpitkamboj,
(Analysis for commit 0d29a3c)

  • Code Style/QA: The CI failed due to Prettier issues in .github/workflows/bot-changelog-runner.yml and .github/workflows/bot-changelog-trigger.yml. Please run openwisp-qa-format to fix these.

  • Commit Message: The commit message is invalid. Please ensure your commit messages follow the OpenWISP convention:

```
[tag] Capitalized short title #<issue>

<description>

Fixes #<issue>
```

For example:

```
[feature] Add user profile page #123

This commit introduces the user profile page, allowing users to view and edit
their personal information.

Fixes #123
```


Development

Successfully merging this pull request may close these issues.

[ci] Add changelog bot workflow
