54 changes: 54 additions & 0 deletions .github/workflows/bot-changelog-runner.yml
@@ -0,0 +1,54 @@
name: Changelog Bot Runner

on:
workflow_run:
workflows: ["Changelog Bot Trigger"]
types:
- completed

permissions:
actions: read
contents: read
pull-requests: write
issues: write

env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

jobs:
fetch-metadata:
runs-on: ubuntu-latest
if: github.event.workflow_run.conclusion == 'success'
outputs:
pr_number: ${{ steps.metadata.outputs.pr_number }}
steps:
- name: Download PR metadata
id: download
uses: actions/download-artifact@v4
with:
name: changelog-metadata
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
continue-on-error: true

- name: Read PR metadata
if: steps.download.outcome == 'success'
id: metadata
run: |
PR_NUMBER=$(cat pr_number)
if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
echo "::error::Invalid PR number: $PR_NUMBER"
exit 1
fi
echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT

changelog:
needs: fetch-metadata
if: needs.fetch-metadata.outputs.pr_number != ''
uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master
with:
pr_number: ${{ needs.fetch-metadata.outputs.pr_number }}
secrets:
GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
OPENWISP_BOT_APP_ID: ${{ secrets.OPENWISP_BOT_APP_ID }}
OPENWISP_BOT_PRIVATE_KEY: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }}
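Review bot: the file lacks a comment explaining why the trigger/runner split exists, and that is the one thing a future maintainer will most need: this `workflow_run` job executes in the base repository with the repository secrets (`GEMINI_API_KEY`, `OPENWISP_BOT_APP_ID`, `OPENWISP_BOT_PRIVATE_KEY`) and a `pull-requests: write` token, which is exactly what a run started by a review on a fork's PR does not get, so all trust decisions are delegated to the trigger workflow and this file must never widen them. Pinning `run-id: ${{ github.event.workflow_run.id }}` is the right way to bind the download to the triggering run rather than any artifact named `changelog-metadata`, and the `^[0-9]+$` check on `PR_NUMBER` is the correct guard for a value that crosses the artifact boundary; keep both. Two minor points in `Read PR metadata`: quote the redirect target (`>> "$GITHUB_OUTPUT"`), and note that `continue-on-error: true` on the download means a skipped trigger job (no artifact) ends this run as success with the `changelog` job skipped, which is intended, while a malformed `pr_number` fails loudly via `exit 1`.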
39 changes: 39 additions & 0 deletions .github/workflows/bot-changelog-trigger.yml
@@ -0,0 +1,39 @@
name: Changelog Bot Trigger

on:
pull_request_review:
types: [submitted]

env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

jobs:
check:
if: |
github.event.review.state == 'approved' &&
(github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER' ||
github.event.review.author_association == 'COLLABORATOR')
Comment on lines +12 to +16
Contributor

⚠️ Potential issue | 🟠 Major

Tighten approval trust gate to members/owners only.

This gate currently allows COLLABORATOR, which broadens who can trigger the downstream changelog bot flow. Restricting to OWNER/MEMBER aligns better with established project policy for privileged bot triggers.

🔒 Proposed change
     if: |
       github.event.review.state == 'approved' &&
       (github.event.review.author_association == 'OWNER' ||
-        github.event.review.author_association == 'MEMBER' ||
-        github.event.review.author_association == 'COLLABORATOR')
+        github.event.review.author_association == 'MEMBER')

Based on learnings: in .github/workflows/backport.yml, maintainer feedback requires restricting privileged triggers to MEMBER/OWNER and excluding COLLABORATOR (PR #1233).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if: |
github.event.review.state == 'approved' &&
(github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER' ||
github.event.review.author_association == 'COLLABORATOR')

if: |
github.event.review.state == 'approved' &&
(github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER')
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bot-changelog-trigger.yml around lines 12 - 16, The
approval-trust gate currently allows github.event.review.author_association ==
'COLLABORATOR' which is too permissive; update the conditional used in the
workflow's if clause (the approval check that tests github.event.review.state
and github.event.review.author_association) to only permit 'OWNER' and 'MEMBER'
and remove the 'COLLABORATOR' alternative so only owners and members can trigger
the downstream changelog bot flow.

runs-on: ubuntu-latest
steps:
- name: Check for noteworthy PR
id: check
env:
PR_TITLE: ${{ github.event.pull_request.title }}
run: |
if echo "$PR_TITLE" | grep -qiE '^\[(feature|fix|change)\]'; then
echo "has_noteworthy=true" >> $GITHUB_OUTPUT
fi

- name: Save PR metadata
if: steps.check.outputs.has_noteworthy == 'true'
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
run: echo "$PR_NUMBER" > pr_number

- name: Upload PR metadata
if: steps.check.outputs.has_noteworthy == 'true'
uses: actions/upload-artifact@v4
with:
name: changelog-metadata
path: pr_number
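Review bot: every `approved` review re-fires `pull_request_review`, so a PR that collects two approvals from members uploads `changelog-metadata` twice and starts the downstream changelog runner twice; a `concurrency` group keyed on `${{ github.event.pull_request.number }}` on this job (or on the runner) would deduplicate that. The `Check for noteworthy PR` step passes the title through `env: PR_TITLE` and reads it from the environment instead of interpolating `${{ github.event.pull_request.title }}` into `run:`, which is the correct way to keep attacker-controlled PR metadata out of the shell script; the same pattern is used for `PR_NUMBER`, so keep it when the step is extended. Minor: quote the redirect (`>> "$GITHUB_OUTPUT"`), and note that `has_noteworthy` is only ever set to `true`, which is fine because the later `== 'true'` comparisons treat an unset output as false.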