[CI] Add changelog bot workflow #1272

Open
pushpitkamboj wants to merge 5 commits into openwisp:master from pushpitkamboj:ci/changelog-bot

@pushpitkamboj

Checklist

Reference to Existing Issue

Closes #1271

Description of Changes

Added a changelog bot workflow to automatically update changelogs when PRs are approved.

coderabbitai bot commented Mar 13, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

Adds two GitHub Actions workflows to automate changelog generation. bot-changelog-trigger runs on pull request review submissions, checks for titles prefixed with [feature], [fix], or [change], and uploads the PR number as an artifact changelog-metadata when matched. bot-changelog-runner triggers on the successful completion of the trigger workflow, downloads and validates the pr_number from the artifact, and invokes an external reusable workflow to generate the changelog with the validated PR number and forwarded secrets.

Sequence Diagram(s)

sequenceDiagram
    participant Reviewer as Reviewer
    participant GitHub as GitHub
    participant TriggerWF as Trigger Workflow
    participant Artifact as Artifact Storage
    participant RunnerWF as Runner Workflow
    participant ReusableWF as Reusable Changelog WF

    Reviewer->>GitHub: Approve PR (review submitted)
    GitHub->>TriggerWF: Trigger on pull_request_review (submitted)
    TriggerWF->>TriggerWF: Check title matches \[feature|fix|change\]
    alt Title matches
        TriggerWF->>Artifact: Upload artifact "changelog-metadata" (pr_number)
    end
    TriggerWF-->>GitHub: Complete workflow (success)
    GitHub->>RunnerWF: Trigger on workflow_run (success)
    RunnerWF->>Artifact: Download "changelog-metadata"
    Artifact-->>RunnerWF: Return pr_number
    RunnerWF->>RunnerWF: Validate pr_number (numeric)
    alt pr_number valid
        RunnerWF->>ReusableWF: Call reusable workflow with pr_number + secrets
        ReusableWF->>ReusableWF: Generate changelog
        ReusableWF-->>RunnerWF: Complete
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • nemesifier
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title follows the required format with [CI] prefix and clearly describes the main change: adding a changelog bot workflow.
Description check | ✅ Passed | The description covers key sections but omits test case updates and documentation updates mentioned in the template.
Linked Issues check | ✅ Passed | The pull request successfully implements the objective from issue #1271 by adding a changelog bot workflow to automate changelog generation.
Out of Scope Changes check | ✅ Passed | All changes (two new workflow files) are directly related to implementing the changelog bot workflow requirement from the linked issue.
Bug Fixes | ✅ Passed | PR adds GitHub Actions workflow automation with no core functionality changes; fixes affecting GitHub Actions workflows are valid exceptions.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-changelog.yml:
- Around line 3-6: The workflow currently triggers on all review submissions
because it uses pull_request_review: types: [submitted]; restrict the job to run
only for approvals by adding a job-level condition that checks the review state
(e.g. use an if condition that evaluates github.event.review.state ==
'approved'); update the job definitions (within the workflow that contains
pull_request_review) to include this if check so only approved reviews will
execute the workflow.
📥 Commits

Reviewing files that changed from the base of the PR and between d203490 and 4781572.

📒 Files selected for processing (1)
  • .github/workflows/bot-changelog.yml
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:31.829Z
Learning: Repository: openwisp/openwisp-controller
File/Area: .github/workflows/backport.yml (backport-on-comment condition)
Learning: Project policy is to restrict the backport trigger via issue comments to users with author_association "MEMBER" or "OWNER" only; "COLLABORATOR" is intentionally excluded (per maintainer feedback on PR `#1233`).
📚 Learning: 2026-02-24T16:24:55.443Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:22-22
Timestamp: 2026-02-24T16:24:55.443Z
Learning: In repositories within the OpenWISP organization, it is acceptable to reference reusable workflows from other OpenWISP-controlled repos using mutable refs (e.g., master) in .github/workflows. This is permissible due to the shared trust boundary within the organization. If applying this pattern, ensure the target repos are under the same organization and maintain awareness of potential breakages from upstream mutable refs; consider pinning to a tagged version for longer-term stability when appropriate.

Applied to files:

  • .github/workflows/bot-changelog.yml
📚 Learning: 2026-02-24T16:25:20.080Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:20.080Z
Learning: In .github/workflows/backport.yml, enforce that backport-on-comment triggers only for users with author_association MEMBER or OWNER (COLLABORATOR excluded), reflecting maintainer feedback. Update the trigger condition to check author_association and restrict to MEMBERS/OWNERS; document rationale and PR `#1233` reference in code comments.

Applied to files:

  • .github/workflows/bot-changelog.yml
🔇 Additional comments (1)
.github/workflows/bot-changelog.yml (1)

8-15: LGTM on the reusable workflow reference and secrets.

Using the @master ref for the openwisp-utils reusable workflow is acceptable within the OpenWISP organization's shared trust boundary. The secrets passed (GEMINI_API_KEY, OPENWISP_BOT_APP_ID, OPENWISP_BOT_PRIVATE_KEY) appear appropriate for a bot workflow using Gemini API and GitHub App authentication. Based on learnings indicating mutable refs are permissible for OpenWISP-controlled repos.

@coveralls
coveralls commented Mar 13, 2026

Coverage Status

coverage: 98.672%. remained the same
when pulling a6055ec on pushpitkamboj:ci/changelog-bot
into d203490 on openwisp:master.

@pushpitkamboj

added the pr approved checks

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-changelog.yml:
- Around line 12-14: The workflow's review-author gating currently allows
github.event.review.author_association == 'COLLABORATOR' which grants privileged
secrets to collaborators; remove the 'COLLABORATOR' check so the condition only
permits 'OWNER' or 'MEMBER' (i.e., leave github.event.review.author_association
== 'OWNER' || github.event.review.author_association == 'MEMBER'), updating the
conditional expression around github.event.review.author_association accordingly
to prevent collaborators from triggering this job.
📥 Commits

Reviewing files that changed from the base of the PR and between 4781572 and a6055ec.

📒 Files selected for processing (1)
  • .github/workflows/bot-changelog.yml
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:22-22
Timestamp: 2026-02-24T16:25:03.810Z
Learning: In the openwisp organization repositories, it is acceptable to use mutable refs like `master` when referencing reusable workflows from other openwisp-controlled repositories (e.g., `openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master`) because these repositories are under the same organizational control and trust boundary.
🔇 Additional comments (2)
.github/workflows/bot-changelog.yml (2)

10-11: Approval-only gate is correctly enforced.

Good call adding the approved state filter at job level; this keeps non-approval review submissions from executing the reusable workflow.


15-19: Reusable workflow wiring and secret forwarding look good.

@master usage for an internal OpenWISP reusable workflow is acceptable here, and the forwarded secret names align with existing bot workflows.

Based on learnings: Using mutable refs like @master for reusable workflows across OpenWISP-controlled repositories is acceptable within this trust boundary.

Comment on lines +12 to +14
(github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER' ||
github.event.review.author_association == 'COLLABORATOR')
⚠️ Potential issue | 🟠 Major

Remove COLLABORATOR from the privileged trigger condition.

Line 14 currently allows COLLABORATOR to trigger this bot workflow. Given this job uses privileged secrets, this should be restricted to OWNER/MEMBER for consistency with established repository policy.

🔧 Proposed fix
     if: |
       github.event.review.state == 'approved' &&
       (github.event.review.author_association == 'OWNER' ||
-       github.event.review.author_association == 'MEMBER' ||
-       github.event.review.author_association == 'COLLABORATOR')
+       github.event.review.author_association == 'MEMBER')
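Review bot: The narrowed allow-list on the `author_association` lines carries no explanation of why `COLLABORATOR` is left out, so a later edit could add it back without anyone noticing the policy. Put a YAML comment directly above the `if:` stating that only `OWNER` and `MEMBER` approvals may start this job, and point it to the maintainer decision in PR #1233.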

Based on learnings: Project policy in this repository’s bot-trigger gating (see .github/workflows/backport.yml maintainer decision in PR #1233) intentionally excludes COLLABORATOR and allows only MEMBER/OWNER.

Suggested change
(github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER' ||
github.event.review.author_association == 'COLLABORATOR')
(github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER')

@pushpitkamboj

also added it in utils repos

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-changelog-trigger.yml:
- Around line 12-16: The approval-trust gate currently allows
github.event.review.author_association == 'COLLABORATOR' which is too
permissive; update the conditional used in the workflow's if clause (the
approval check that tests github.event.review.state and
github.event.review.author_association) to only permit 'OWNER' and 'MEMBER' and
remove the 'COLLABORATOR' alternative so only owners and members can trigger the
downstream changelog bot flow.
📥 Commits

Reviewing files that changed from the base of the PR and between a6055ec and 2be8650.

📒 Files selected for processing (2)
  • .github/workflows/bot-changelog-runner.yml
  • .github/workflows/bot-changelog-trigger.yml
📜 Review details
🧰 Additional context used
🧠 Learnings (4)
📓 Common learnings
Learnt from: stktyagi
Repo: openwisp/openwisp-controller PR: 1289
File: .github/workflows/bot-ci-failure.yml:21-21
Timestamp: 2026-03-19T16:14:32.435Z
Learning: In openwisp/openwisp-controller, the CI Failure Bot workflow (`.github/workflows/bot-ci-failure.yml`) is intentionally gated on `github.event.workflow_run.event == 'pull_request'`. It should NOT be triggered for push events to master (i.e., post-merge CI runs). Suggesting to add a `push` branch condition is wrong; the bot is only meant to run for open PR failures.
🔇 Additional comments (3)
.github/workflows/bot-changelog-trigger.yml (1)

24-39: Good filtering and metadata handoff flow.

The title-prefix gate plus conditional artifact upload keeps downstream execution narrowly scoped and avoids unnecessary runner work.

.github/workflows/bot-changelog-runner.yml (2)

34-43: Solid metadata validation before invoking downstream workflow.

Numeric validation of pr_number and explicit failure on invalid data is the right safeguard here.


45-54: Guarded reusable-workflow invocation is well structured.

Conditioning the job on a non-empty extracted PR number cleanly prevents unintended changelog runs when metadata is absent.

Comment on lines +12 to +16
if: |
github.event.review.state == 'approved' &&
(github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER' ||
github.event.review.author_association == 'COLLABORATOR')
⚠️ Potential issue | 🟠 Major

Tighten approval trust gate to members/owners only.

This gate currently allows COLLABORATOR, which broadens who can trigger the downstream changelog bot flow. Restricting to OWNER/MEMBER aligns better with established project policy for privileged bot triggers.

🔒 Proposed change
     if: |
       github.event.review.state == 'approved' &&
       (github.event.review.author_association == 'OWNER' ||
-        github.event.review.author_association == 'MEMBER' ||
-        github.event.review.author_association == 'COLLABORATOR')
+        github.event.review.author_association == 'MEMBER')
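Review bot: The condition on `github.event.review.author_association` limits who can approve, not who authored the pull request, so once this gate passes everything read from the PR itself is still contributor-controlled. Say so in a comment next to the `if:` and make sure later steps pass PR-derived values as data rather than interpolating them into commands.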

Based on learnings: in .github/workflows/backport.yml, maintainer feedback requires restricting privileged triggers to MEMBER/OWNER and excluding COLLABORATOR (PR #1233).

Suggested change
if: |
github.event.review.state == 'approved' &&
(github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER' ||
github.event.review.author_association == 'COLLABORATOR')
if: |
github.event.review.state == 'approved' &&
(github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER')

@openwisp-companion

Prettier Formatting Failure

Hello @pushpitkamboj,
(Analysis for commit 2be8650)

The CI failed due to a Prettier formatting issue. Please run openwisp-qa-format to automatically fix the code style.

@openwisp-companion

Test Failures in OpenWISP Controller CI

Hello @pushpitkamboj,
(Analysis for commit 7100e05)

There are two test failures reported in the CI logs:

  1. test_multiple_vpn_client_templates_same_vpn failed with AssertionError: 401 != 400:
    This indicates that the API endpoint returned a 401 Unauthorized status code when a 400 Bad Request was expected. This suggests an issue with authentication or authorization logic when handling multiple VPN client templates for the same VPN.

  2. test_add_mobile_location failed with AttributeError: Can't pickle local object 'convert_exception_to_response.<locals>.inner':
    This error occurs during test execution when trying to pickle a local object. This is often related to how exceptions are handled or serialized within the test environment, potentially indicating an issue in the test setup or the code being tested that interacts with exception handling.

To resolve these issues, please review the test cases and the corresponding code that handles VPN client templates and exception serialization.

@coderabbitai coderabbitai bot left a comment

♻️ Duplicate comments (1)
.github/workflows/bot-changelog-trigger.yml (1)

12-16: ⚠️ Potential issue | 🟠 Major

Restrict privileged approval gate to OWNER/MEMBER only.

Line 16 still permits COLLABORATOR, which is too permissive for triggering the downstream bot workflow.

🔒 Proposed fix
     if: |
       github.event.review.state == 'approved' &&
       (github.event.review.author_association == 'OWNER' ||
-        github.event.review.author_association == 'MEMBER' ||
-        github.event.review.author_association == 'COLLABORATOR')
+        github.event.review.author_association == 'MEMBER')
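Review bot: With the `COLLABORATOR` line removed, the two remaining `==` comparisons on `github.event.review.author_association` can be written as a single membership test, for example `contains(fromJSON('["OWNER","MEMBER"]'), github.event.review.author_association)`. That keeps the allow-list in one place and avoids rebalancing parentheses the next time it changes.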

Based on learnings: in .github/workflows/backport.yml, maintainer feedback requires privileged triggers to be restricted to MEMBER/OWNER, excluding COLLABORATOR (PR #1233).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bot-changelog-trigger.yml around lines 12 - 16, The
approval gate currently allows reviews by 'COLLABORATOR' to trigger the
workflow; update the if-condition that checks
github.event.review.author_association so it only permits 'OWNER' or 'MEMBER'
(remove 'COLLABORATOR') in the boolean expression that guards the workflow run;
locate the conditional using the token github.event.review.author_association in
the bot-changelog-trigger.yml workflow and restrict the allowed values to just
'OWNER' and 'MEMBER'.
📥 Commits

Reviewing files that changed from the base of the PR and between 7100e05 and b6f6572.

📒 Files selected for processing (2)
  • .github/workflows/bot-changelog-runner.yml
  • .github/workflows/bot-changelog-trigger.yml
🔇 Additional comments (3)
.github/workflows/bot-changelog-trigger.yml (1)

24-39: Noteworthy-title check and artifact handoff are clean.

Regex gating plus conditional artifact upload keeps downstream execution scoped to relevant PRs.

.github/workflows/bot-changelog-runner.yml (2)

21-44: Metadata retrieval + PR number validation is robust.

The success gate, artifact read guard, and numeric validation provide a solid safety check before invoking the bot workflow.


45-54: Downstream reusable-workflow invocation is correctly guarded.

Conditioning on non-empty pr_number avoids unnecessary privileged runs and keeps execution deterministic.
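
The runner-side check described in the walkthrough and in the review above (validating `pr_number` read from the `changelog-metadata` artifact before the reusable workflow is called), as an added example that is not part of this PR or of OpenWISP's workflows. The function name `validate_pr_number`, the file argument and the 16-byte size cap are assumptions; the sample contents are constructed.

```shell
#!/bin/sh
# Added example: validate a PR number read from a workflow artifact.
# The artifact is written by a run that was started from a pull request,
# so its content is treated as untrusted until it passes this check.

# validate_pr_number FILE
# Prints the PR number and returns 0 when FILE holds exactly one positive
# decimal integer; prints nothing and returns 1 otherwise.
validate_pr_number() {
    file=$1

    # Must be a regular file, not a symlink pointing somewhere else.
    [ -f "$file" ] && [ ! -L "$file" ] || return 1

    # Assumed size cap: a PR number never needs more than 16 bytes.
    size=$(( $(wc -c < "$file") ))
    [ "$size" -le 16 ] || return 1

    # At most one newline, so a second line cannot ride along.
    lines=$(( $(wc -l < "$file") ))
    [ "$lines" -le 1 ] || return 1

    # Command substitution strips the trailing newline, nothing else.
    value=$(cat "$file")

    case $value in
        ''|*[!0-9]*) return 1 ;;   # empty, or any non-digit (spaces, CR, ';', ...)
        0*)          return 1 ;;   # zero or leading zeros
    esac

    printf '%s\n' "$value"
}

# Constructed sample artifact contents, one file per case.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '1272'          > "$dir/plain"
    printf '%s\n' '1272;echo x'   > "$dir/extra_chars"
    printf '%s\n' '12' '34'       > "$dir/two_lines"
    printf '%s\n' '007'           > "$dir/leading_zero"
    : > "$dir/empty"

    for name in plain extra_chars two_lines leading_zero empty; do
        if n=$(validate_pr_number "$dir/$name"); then
            echo "$name: accepted ($n)"
        else
            echo "$name: rejected"
        fi
    done
    rm -rf "$dir"
}

demo
```

In a workflow step, the accepted value would be appended to `$GITHUB_OUTPUT` and a rejection would fail the job, so the job that receives the secrets never starts on malformed metadata.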

@openwisp-companion

Test Failure in test_add_mobile_location

Hello @pushpitkamboj,
(Analysis for commit b6f6572)

The test test_add_mobile_location failed with an AssertionError: 0 != 1. This indicates that the count of locations with is_mobile=True was 0, but the test expected it to be 1.

Fix:

This failure suggests that a location marked as mobile was not correctly created or counted. To resolve this, ensure that when a mobile location is added, its is_mobile attribute is set to True and that it is correctly persisted in the database. You might need to review the logic in test_add_mobile_location and the related model/view code to ensure the is_mobile flag is handled correctly during location creation.
