Skip to content

[CI] Add changelog bot workflow#1272

Closed
pushpitkamboj wants to merge 27 commits into
openwisp:masterfrom
pushpitkamboj:ci/changelog-bot
Closed

[CI] Add changelog bot workflow#1272
pushpitkamboj wants to merge 27 commits into
openwisp:masterfrom
pushpitkamboj:ci/changelog-bot

Conversation

@pushpitkamboj

Copy link
Copy Markdown
Contributor

Checklist

Reference to Existing Issue

Closes #1271

Description of Changes

Added a changelog bot workflow to automatically update changelogs when PRs are approved.

Mahathi-s154 and others added 23 commits February 18, 2026 13:15
Chromium v126 auto-accepts beforeunload dialogs in classic WebDriver
sessions, causing Selenium tests waiting for alerts to fail.

This change updates the test strategy to reliably detect unsaved
changes without relying on deprecated beforeunload alert behavior.

Fixes openwisp#902

Co-authored-by: Federico Capoano <f.capoano@openwisp.io>
The first call to vpn.save() was generting a real HTTP request,
which failed in the CI of ansible-openwisp2.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Federico Capoano <f.capoano@openwisp.io>
Bug:

The `Vpn.auto_client` method was incorrectly using the Vpn.host field
when generating the client configuration for the OpenVPN backend.

This resulted in the `remote` directive being hardcoded in the
`Template.config`, instead of being rendered from the provided
context variables.

Fix:

The `Vpn.auto_client` method has been updated to use the correct
context-based values.

[backport 1.2]
Closes openwisp#1073

Signed-off-by: UltraBot05 <170253496+UltraBot05@users.noreply.github.com>
…ates

Co-authored-by: Alexandre Vincent <alexandre.vincent@stellar.tc>
…1033 openwisp#1037 openwisp#1045

Closes openwisp#1032
Closes openwisp#1033
Closes openwisp#1037
Closes openwisp#1045

Signed-off-by: DragnEmperor <dragnemperor@gmail.com>
Co-authored-by: Federico Capoano <f.capoano@openwisp.io>
Closes openwisp#1026

Signed-off-by: DragnEmperor <dragnemperor@gmail.com>
…enwisp#1034

- Estimated geographic location logic, closes openwisp#1034.
- Added notification and admin warning, closes openwisp#1035.
- Set location estimated flag to ``False`` on manual update,
  closes openwisp#1036.
- Added admin and API filters for estimated locations,
  closes openwisp#1028.

---------

Signed-off-by: DragnEmperor <dragnemperor@gmail.com>
Added required checks for ensuring WHOIS records
older than a certain configurable threshold will
be updated along with the coordinates.

Closes  openwisp#1058

Signed-off-by: DragnEmperor <dragnemperor@gmail.com>
Fixed multiple issues discovered during testing and review across WHOIS,
estimated location, and device IP handling, and consolidated QA and
maintenance changes.

Key changes:
- Ensure clear_last_ip command calls model save() to trigger signals and
  cache invalidation
- Fix WHOIS and estimated location bugs, including shared location
  recreation and modified timestamp updates
- Improve handling of unchanged IPs in DeviceChecksumView
- Rename and adjust migrations for estimated location settings
- Optimize queries and improve error handling (global HttpError handling)
- Improve UI (CSS/JS/templates) and documentation
- Improved efficiency of `manage_estimated_locations`
- Resolved N+1 query issue in `LocationListCreateView`
- Fixed HTTP request inside `transaction.atomic()`
- Shifted to Celery `send_task` to retain dependency flow
- Removed whois info from device list API to avoid N+1
- Simplified auto-naming of estimated locations
- Updated location update description messages
- Increased WHOIS refresh threshold to 90 days (~92% reduction in API calls)
- WHOIS data refresh now executes on transaction commit
- Skips `delete_whois_record` if `initial_ip_address` is None
- Fixed late-binding closure issue with `_initial_last_ip`
- Error notifications now only sent if `device_pk` is not None
- CIDR field length increased to accommodate IPv6
- Added `is_estimated` filter and column to admin
- Added `is_estimated` to `LocationSerializer` and API filter
- Improved test coverage
- Fixed parallel test 401 errors
- Several other improvements and fixes for problems found during testing

Co-authored-by: DragnEmperor <dragnemperor@gmail.com>
Co-authored-by: Gagan Deep <pandafy.dev@gmail.com>
The previous help texts were confusing and too technical.

[backport 1.2]
Updates the requirements on [responses](https://github.com/getsentry/responses) to permit the latest version.
- [Release notes](https://github.com/getsentry/responses/releases)
- [Changelog](https://github.com/getsentry/responses/blob/master/CHANGES)
- [Commits](getsentry/responses@0.25.8...0.26.0)

---
updated-dependencies:
- dependency-name: responses
  dependency-version: 0.26.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Updates the requirements on [pytest-timeout](https://github.com/pytest-dev/pytest-timeout) to permit the latest version.
- [Commits](pytest-dev/pytest-timeout@2.3.0...2.4.0)

---
updated-dependencies:
- dependency-name: pytest-timeout
  dependency-version: 2.4.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@coderabbitai

coderabbitai Bot commented Mar 13, 2026

Copy link
Copy Markdown
Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds two GitHub Actions workflows to automate changelog generation. bot-changelog-trigger runs on pull request review submissions, checks for titles prefixed with [feature], [fix], or [change], and uploads the PR number as an artifact changelog-metadata when matched. bot-changelog-runner triggers on the successful completion of the trigger workflow, downloads and validates the pr_number from the artifact, and invokes an external reusable workflow to generate the changelog with the validated PR number and forwarded secrets.

Sequence Diagram(s)

sequenceDiagram
    participant Reviewer as Reviewer
    participant GitHub as GitHub
    participant TriggerWF as Trigger Workflow
    participant Artifact as Artifact Storage
    participant RunnerWF as Runner Workflow
    participant ReusableWF as Reusable Changelog WF

    Reviewer->>GitHub: Approve PR (review submitted)
    GitHub->>TriggerWF: Trigger on pull_request_review (submitted)
    TriggerWF->>TriggerWF: Check title matches \[feature|fix|change\]
    alt Title matches
        TriggerWF->>Artifact: Upload artifact "changelog-metadata" (pr_number)
    end
    TriggerWF-->>GitHub: Complete workflow (success)
    GitHub->>RunnerWF: Trigger on workflow_run (success)
    RunnerWF->>Artifact: Download "changelog-metadata"
    Artifact-->>RunnerWF: Return pr_number
    RunnerWF->>RunnerWF: Validate pr_number (numeric)
    alt pr_number valid
        RunnerWF->>ReusableWF: Call reusable workflow with pr_number + secrets
        ReusableWF->>ReusableWF: Generate changelog
        ReusableWF-->>RunnerWF: Complete
    end
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • nemesifier
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title follows the required format with [CI] prefix and clearly describes the main change: adding a changelog bot workflow.
Description check ✅ Passed The description covers key sections but omits test case updates and documentation updates mentioned in the template.
Linked Issues check ✅ Passed The pull request successfully implements the objective from issue #1271 by adding a changelog bot workflow to automate changelog generation.
Out of Scope Changes check ✅ Passed All changes (two new workflow files) are directly related to implementing the changelog bot workflow requirement from the linked issue.
Bug Fixes ✅ Passed PR adds GitHub Actions workflow automation with no core functionality changes; fixes affecting GitHub Actions workflows are valid exceptions.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-changelog.yml:
- Around line 3-6: The workflow currently triggers on all review submissions
because it uses pull_request_review: types: [submitted]; restrict the job to run
only for approvals by adding a job-level condition that checks the review state
(e.g. use an if condition that evaluates github.event.review.state ==
'approved'); update the job definitions (within the workflow that contains
pull_request_review) to include this if check so only approved reviews will
execute the workflow.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3efec7b0-7ede-4772-b0b2-edd2de2e1183

📥 Commits

Reviewing files that changed from the base of the PR and between d203490 and 4781572.

📒 Files selected for processing (1)
  • .github/workflows/bot-changelog.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: Python==3.12 | django~=5.1.0
  • GitHub Check: Python==3.13 | django~=5.2.0
  • GitHub Check: Python==3.12 | django~=4.2.0
  • GitHub Check: Python==3.11 | django~=4.2.0
  • GitHub Check: Python==3.10 | django~=5.2.0
  • GitHub Check: Python==3.10 | django~=5.1.0
  • GitHub Check: Python==3.10 | django~=4.2.0
  • GitHub Check: Python==3.13 | django~=5.1.0
  • GitHub Check: Python==3.11 | django~=5.2.0
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:31.829Z
Learning: Repository: openwisp/openwisp-controller
File/Area: .github/workflows/backport.yml (backport-on-comment condition)
Learning: Project policy is to restrict the backport trigger via issue comments to users with author_association "MEMBER" or "OWNER" only; "COLLABORATOR" is intentionally excluded (per maintainer feedback on PR `#1233`).
📚 Learning: 2026-02-24T16:24:55.443Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:22-22
Timestamp: 2026-02-24T16:24:55.443Z
Learning: In repositories within the OpenWISP organization, it is acceptable to reference reusable workflows from other OpenWISP-controlled repos using mutable refs (e.g., master) in .github/workflows. This is permissible due to the shared trust boundary within the organization. If applying this pattern, ensure the target repos are under the same organization and maintain awareness of potential breakages from upstream mutable refs; consider pinning to a tagged version for longer-term stability when appropriate.

Applied to files:

  • .github/workflows/bot-changelog.yml
📚 Learning: 2026-02-24T16:25:20.080Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:20.080Z
Learning: In .github/workflows/backport.yml, enforce that backport-on-comment triggers only for users with author_association MEMBE R or OWNER (COLLABORATOR excluded), reflecting maintainer feedback. Update the trigger condition to check author_association and restrict to MEMBERS/OWNERS; document rationale and PR `#1233` reference in code comments.

Applied to files:

  • .github/workflows/bot-changelog.yml
🔇 Additional comments (1)
.github/workflows/bot-changelog.yml (1)

8-15: LGTM on the reusable workflow reference and secrets.

Using the @master ref for the openwisp-utils reusable workflow is acceptable within the OpenWISP organization's shared trust boundary. The secrets passed (GEMINI_API_KEY, OPENWISP_BOT_APP_ID, OPENWISP_BOT_PRIVATE_KEY) appear appropriate for a bot workflow using Gemini API and GitHub App authentication. Based on learnings indicating mutable refs are permissible for OpenWISP-controlled repos.

Comment thread .github/workflows/bot-changelog.yml Outdated
@coveralls

coveralls commented Mar 13, 2026

Copy link
Copy Markdown

Coverage Status

coverage: 98.66%. remained the same
when pulling 80f7be6 on pushpitkamboj:ci/changelog-bot
into 0d17acd on openwisp:master.

@pushpitkamboj

Copy link
Copy Markdown
Contributor Author

added the pr approved checks

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-changelog.yml:
- Around line 12-14: The workflow's review-author gating currently allows
github.event.review.author_association == 'COLLABORATOR' which grants privileged
secrets to collaborators; remove the 'COLLABORATOR' check so the condition only
permits 'OWNER' or 'MEMBER' (i.e., leave github.event.review.author_association
== 'OWNER' || github.event.review.author_association == 'MEMBER'), updating the
conditional expression around github.event.review.author_association accordingly
to prevent collaborators from triggering this job.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3e2c0599-6789-419d-af50-8eb14b4f870b

📥 Commits

Reviewing files that changed from the base of the PR and between 4781572 and a6055ec.

📒 Files selected for processing (1)
  • .github/workflows/bot-changelog.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)
  • GitHub Check: Python==3.12 | django~=5.2.0
  • GitHub Check: Python==3.13 | django~=5.1.0
  • GitHub Check: Python==3.10 | django~=5.1.0
  • GitHub Check: Python==3.12 | django~=5.1.0
  • GitHub Check: Python==3.11 | django~=5.1.0
  • GitHub Check: Python==3.13 | django~=5.2.0
  • GitHub Check: Python==3.12 | django~=4.2.0
  • GitHub Check: Python==3.11 | django~=5.2.0
  • GitHub Check: Python==3.10 | django~=5.2.0
  • GitHub Check: Python==3.11 | django~=4.2.0
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:31.829Z
Learning: Repository: openwisp/openwisp-controller
File/Area: .github/workflows/backport.yml (backport-on-comment condition)
Learning: Project policy is to restrict the backport trigger via issue comments to users with author_association "MEMBER" or "OWNER" only; "COLLABORATOR" is intentionally excluded (per maintainer feedback on PR `#1233`).
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:22-22
Timestamp: 2026-02-24T16:25:03.810Z
Learning: In the openwisp organization repositories, it is acceptable to use mutable refs like `master` when referencing reusable workflows from other openwisp-controlled repositories (e.g., `openwisp/openwisp-utils/.github/workflows/reusable-backport.ymlmaster`) because these repositories are under the same organizational control and trust boundary.
📚 Learning: 2026-02-24T16:25:20.080Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:20.080Z
Learning: In .github/workflows/backport.yml, enforce that backport-on-comment triggers only for users with author_association MEMBE R or OWNER (COLLABORATOR excluded), reflecting maintainer feedback. Update the trigger condition to check author_association and restrict to MEMBERS/OWNERS; document rationale and PR `#1233` reference in code comments.

Applied to files:

  • .github/workflows/bot-changelog.yml
📚 Learning: 2026-02-24T16:24:55.443Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:22-22
Timestamp: 2026-02-24T16:24:55.443Z
Learning: In repositories within the OpenWISP organization, it is acceptable to reference reusable workflows from other OpenWISP-controlled repos using mutable refs (e.g., master) in .github/workflows. This is permissible due to the shared trust boundary within the organization. If applying this pattern, ensure the target repos are under the same organization and maintain awareness of potential breakages from upstream mutable refs; consider pinning to a tagged version for longer-term stability when appropriate.

Applied to files:

  • .github/workflows/bot-changelog.yml
🔇 Additional comments (2)
.github/workflows/bot-changelog.yml (2)

10-11: Approval-only gate is correctly enforced.

Good call adding the approved state filter at job level; this keeps non-approval review submissions from executing the reusable workflow.


15-19: Reusable workflow wiring and secret forwarding look good.

@master usage for an internal OpenWISP reusable workflow is acceptable here, and the forwarded secret names align with existing bot workflows.

Based on learnings: Using mutable refs like @master for reusable workflows across OpenWISP-controlled repositories is acceptable within this trust boundary.

Comment thread .github/workflows/bot-changelog.yml Outdated
@pushpitkamboj

Copy link
Copy Markdown
Contributor Author

also added it in utils repos

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-changelog-trigger.yml:
- Around line 12-16: The approval-trust gate currently allows
github.event.review.author_association == 'COLLABORATOR' which is too
permissive; update the conditional used in the workflow's if clause (the
approval check that tests github.event.review.state and
github.event.review.author_association) to only permit 'OWNER' and 'MEMBER' and
remove the 'COLLABORATOR' alternative so only owners and members can trigger the
downstream changelog bot flow.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5d3c2f2e-19a3-412d-bc37-f7ff35f7ef44

📥 Commits

Reviewing files that changed from the base of the PR and between a6055ec and 2be8650.

📒 Files selected for processing (2)
  • .github/workflows/bot-changelog-runner.yml
  • .github/workflows/bot-changelog-trigger.yml
📜 Review details
🧰 Additional context used
🧠 Learnings (4)
📓 Common learnings
Learnt from: stktyagi
Repo: openwisp/openwisp-controller PR: 1289
File: .github/workflows/bot-ci-failure.yml:21-21
Timestamp: 2026-03-19T16:14:32.435Z
Learning: In openwisp/openwisp-controller, the CI Failure Bot workflow (`.github/workflows/bot-ci-failure.yml`) is intentionally gated on `github.event.workflow_run.event == 'pull_request'`. It should NOT be triggered for push events to master (i.e., post-merge CI runs). Suggesting to add a `push` branch condition is wrong; the bot is only meant to run for open PR failures.
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:31.829Z
Learning: Repository: openwisp/openwisp-controller
File/Area: .github/workflows/backport.yml (backport-on-comment condition)
Learning: Project policy is to restrict the backport trigger via issue comments to users with author_association "MEMBER" or "OWNER" only; "COLLABORATOR" is intentionally excluded (per maintainer feedback on PR `#1233`).
📚 Learning: 2026-03-19T16:14:32.435Z
Learnt from: stktyagi
Repo: openwisp/openwisp-controller PR: 1289
File: .github/workflows/bot-ci-failure.yml:21-21
Timestamp: 2026-03-19T16:14:32.435Z
Learning: In openwisp/openwisp-controller, the CI Failure Bot workflow (`.github/workflows/bot-ci-failure.yml`) is intentionally gated on `github.event.workflow_run.event == 'pull_request'`. It should NOT be triggered for push events to master (i.e., post-merge CI runs). Suggesting to add a `push` branch condition is wrong; the bot is only meant to run for open PR failures.

Applied to files:

  • .github/workflows/bot-changelog-trigger.yml
  • .github/workflows/bot-changelog-runner.yml
📚 Learning: 2026-02-24T16:25:20.080Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:20.080Z
Learning: In .github/workflows/backport.yml, enforce that backport-on-comment triggers only for users with author_association MEMBE R or OWNER (COLLABORATOR excluded), reflecting maintainer feedback. Update the trigger condition to check author_association and restrict to MEMBERS/OWNERS; document rationale and PR `#1233` reference in code comments.

Applied to files:

  • .github/workflows/bot-changelog-trigger.yml
  • .github/workflows/bot-changelog-runner.yml
📚 Learning: 2026-02-24T16:24:55.443Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:22-22
Timestamp: 2026-02-24T16:24:55.443Z
Learning: In repositories within the OpenWISP organization, it is acceptable to reference reusable workflows from other OpenWISP-controlled repos using mutable refs (e.g., master) in .github/workflows. This is permissible due to the shared trust boundary within the organization. If applying this pattern, ensure the target repos are under the same organization and maintain awareness of potential breakages from upstream mutable refs; consider pinning to a tagged version for longer-term stability when appropriate.

Applied to files:

  • .github/workflows/bot-changelog-trigger.yml
  • .github/workflows/bot-changelog-runner.yml
🔇 Additional comments (3)
.github/workflows/bot-changelog-trigger.yml (1)

24-39: Good filtering and metadata handoff flow.

The title-prefix gate plus conditional artifact upload keeps downstream execution narrowly scoped and avoids unnecessary runner work.

.github/workflows/bot-changelog-runner.yml (2)

34-43: Solid metadata validation before invoking downstream workflow.

Numeric validation of pr_number and explicit failure on invalid data is the right safeguard here.


45-54: Guarded reusable-workflow invocation is well structured.

Conditioning the job on a non-empty extracted PR number cleanly prevents unintended changelog runs when metadata is absent.

Comment thread .github/workflows/bot-changelog-trigger.yml
@openwisp-companion

Copy link
Copy Markdown

Prettier Formatting Failure

Hello @pushpitkamboj,
(Analysis for commit 2be8650)

The CI failed due to a Prettier formatting issue. Please run openwisp-qa-format to automatically fix the code style.

@openwisp-companion

Copy link
Copy Markdown

Test Failures in OpenWISP Controller CI

Hello @pushpitkamboj,
(Analysis for commit 7100e05)

There are two test failures reported in the CI logs:

  1. test_multiple_vpn_client_templates_same_vpn failed with AssertionError: 401 != 400:
    This indicates that the API endpoint returned a 401 Unauthorized status code when a 400 Bad Request was expected. This suggests an issue with authentication or authorization logic when handling multiple VPN client templates for the same VPN.

  2. test_add_mobile_location failed with AttributeError: Can't pickle local object 'convert_exception_to_response.<locals>.inner':
    This error occurs during test execution when trying to pickle a local object. This is often related to how exceptions are handled or serialized within the test environment, potentially indicating an issue in the test setup or the code being tested that interacts with exception handling.

To resolve these issues, please review the test cases and the corresponding code that handles VPN client templates and exception serialization.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
.github/workflows/bot-changelog-trigger.yml (1)

12-16: ⚠️ Potential issue | 🟠 Major

Restrict privileged approval gate to OWNER/MEMBER only.

Line 16 still permits COLLABORATOR, which is too permissive for triggering the downstream bot workflow.

🔒 Proposed fix
     if: |
       github.event.review.state == 'approved' &&
       (github.event.review.author_association == 'OWNER' ||
-        github.event.review.author_association == 'MEMBER' ||
-        github.event.review.author_association == 'COLLABORATOR')
+        github.event.review.author_association == 'MEMBER')

Based on learnings: in .github/workflows/backport.yml, maintainer feedback requires privileged triggers to be restricted to MEMBER/OWNER, excluding COLLABORATOR (PR #1233).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bot-changelog-trigger.yml around lines 12 - 16, The
approval gate currently allows reviews by 'COLLABORATOR' to trigger the
workflow; update the if-condition that checks
github.event.review.author_association so it only permits 'OWNER' or 'MEMBER'
(remove 'COLLABORATOR') in the boolean expression that guards the workflow run;
locate the conditional using the token github.event.review.author_association in
the bot-changelog-trigger.yml workflow and restrict the allowed values to just
'OWNER' and 'MEMBER'.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/bot-changelog-trigger.yml:
- Around line 12-16: The approval gate currently allows reviews by
'COLLABORATOR' to trigger the workflow; update the if-condition that checks
github.event.review.author_association so it only permits 'OWNER' or 'MEMBER'
(remove 'COLLABORATOR') in the boolean expression that guards the workflow run;
locate the conditional using the token github.event.review.author_association in
the bot-changelog-trigger.yml workflow and restrict the allowed values to just
'OWNER' and 'MEMBER'.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 65e63af1-2fc2-4787-9f93-1f56132450a0

📥 Commits

Reviewing files that changed from the base of the PR and between 7100e05 and b6f6572.

📒 Files selected for processing (2)
  • .github/workflows/bot-changelog-runner.yml
  • .github/workflows/bot-changelog-trigger.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: Python==3.13 | django~=5.2.0
  • GitHub Check: Python==3.11 | django~=5.2.0
  • GitHub Check: Python==3.12 | django~=5.2.0
  • GitHub Check: Python==3.10 | django~=5.2.0
  • GitHub Check: Python==3.13 | django~=5.1.0
  • GitHub Check: Python==3.11 | django~=5.1.0
  • GitHub Check: Python==3.10 | django~=5.1.0
  • GitHub Check: Python==3.12 | django~=5.1.0
  • GitHub Check: Python==3.12 | django~=4.2.0
🧰 Additional context used
🧠 Learnings (4)
📓 Common learnings
Learnt from: stktyagi
Repo: openwisp/openwisp-controller PR: 1289
File: .github/workflows/bot-ci-failure.yml:21-21
Timestamp: 2026-03-19T16:14:32.435Z
Learning: In openwisp/openwisp-controller, the CI Failure Bot workflow (`.github/workflows/bot-ci-failure.yml`) is intentionally gated on `github.event.workflow_run.event == 'pull_request'`. It should NOT be triggered for push events to master (i.e., post-merge CI runs). Suggesting to add a `push` branch condition is wrong; the bot is only meant to run for open PR failures.
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:31.829Z
Learning: Repository: openwisp/openwisp-controller
File/Area: .github/workflows/backport.yml (backport-on-comment condition)
Learning: Project policy is to restrict the backport trigger via issue comments to users with author_association "MEMBER" or "OWNER" only; "COLLABORATOR" is intentionally excluded (per maintainer feedback on PR `#1233`).
📚 Learning: 2026-03-19T16:14:32.435Z
Learnt from: stktyagi
Repo: openwisp/openwisp-controller PR: 1289
File: .github/workflows/bot-ci-failure.yml:21-21
Timestamp: 2026-03-19T16:14:32.435Z
Learning: In openwisp/openwisp-controller, the CI Failure Bot workflow (`.github/workflows/bot-ci-failure.yml`) is intentionally gated on `github.event.workflow_run.event == 'pull_request'`. It should NOT be triggered for push events to master (i.e., post-merge CI runs). Suggesting to add a `push` branch condition is wrong; the bot is only meant to run for open PR failures.

Applied to files:

  • .github/workflows/bot-changelog-trigger.yml
  • .github/workflows/bot-changelog-runner.yml
📚 Learning: 2026-02-24T16:25:20.080Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:20.080Z
Learning: In .github/workflows/backport.yml, enforce that backport-on-comment triggers only for users with author_association MEMBE R or OWNER (COLLABORATOR excluded), reflecting maintainer feedback. Update the trigger condition to check author_association and restrict to MEMBERS/OWNERS; document rationale and PR `#1233` reference in code comments.

Applied to files:

  • .github/workflows/bot-changelog-trigger.yml
  • .github/workflows/bot-changelog-runner.yml
📚 Learning: 2026-02-24T16:24:55.443Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:22-22
Timestamp: 2026-02-24T16:24:55.443Z
Learning: In repositories within the OpenWISP organization, it is acceptable to reference reusable workflows from other OpenWISP-controlled repos using mutable refs (e.g., master) in .github/workflows. This is permissible due to the shared trust boundary within the organization. If applying this pattern, ensure the target repos are under the same organization and maintain awareness of potential breakages from upstream mutable refs; consider pinning to a tagged version for longer-term stability when appropriate.

Applied to files:

  • .github/workflows/bot-changelog-trigger.yml
  • .github/workflows/bot-changelog-runner.yml
🔇 Additional comments (3)
.github/workflows/bot-changelog-trigger.yml (1)

24-39: Noteworthy-title check and artifact handoff are clean.

Regex gating plus conditional artifact upload keeps downstream execution scoped to relevant PRs.

.github/workflows/bot-changelog-runner.yml (2)

21-44: Metadata retrieval + PR number validation is robust.

The success gate, artifact read guard, and numeric validation provide a solid safety check before invoking the bot workflow.


45-54: Downstream reusable-workflow invocation is correctly guarded.

Conditioning on non-empty pr_number avoids unnecessary privileged runs and keeps execution deterministic.

@openwisp-companion

Copy link
Copy Markdown

Test Failure in test_add_mobile_location

Hello @pushpitkamboj,
(Analysis for commit b6f6572)

The test test_add_mobile_location failed with an AssertionError: 0 != 1. This indicates that the count of locations with is_mobile=True was 0, but the test expected it to be 1.

Fix:

This failure suggests that a location marked as mobile was not correctly created or counted. To resolve this, ensure that when a mobile location is added, its is_mobile attribute is set to True and that it is correctly persisted in the database. You might need to review the logic in test_add_mobile_location and the related model/view code to ensure the is_mobile flag is handled correctly during location creation.

env:
PR_TITLE: ${{ github.event.pull_request.title }}
run: |
if echo "$PR_TITLE" | grep -qiE '^\[(feature|fix|change)\]'; then

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CRITICAL: Script injection vulnerability

The PR title is passed directly to a shell command without sanitization. A malicious PR title containing shell metacharacters could execute arbitrary code.

Consider using bash's regex matching instead of echo + grep:

Suggested change
if echo "$PR_TITLE" | grep -qiE '^\[(feature|fix|change)\]'; then
if [[ "$PR_TITLE" =~ ^\[(feature|fix|change)\] ]]; then

@kilo-code-bot

kilo-code-bot Bot commented Apr 23, 2026

Copy link
Copy Markdown

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Overview

Severity Count
CRITICAL 0
WARNING 0
SUGGESTION 0

Previous Issues Resolved

File Line Issue Status
.github/workflows/bot-changelog-trigger.yml 23 Script injection vulnerability RESOLVED - File deleted
Files Reviewed (17 files)

New Workflow Files (4):

  • .github/workflows/bot-autoassign-issue.yml - No issues
  • .github/workflows/bot-autoassign-pr-issue-link.yml - No issues
  • .github/workflows/bot-autoassign-pr-reopen.yml - No issues
  • .github/workflows/bot-autoassign-stale-pr.yml - No issues

Modified Files:

  • .github/workflows/backport.yml - Removed main branch trigger
  • .github/workflows/bot-ci-failure.yml - Permission fixes, logic improvements
  • .github/workflows/ci.yml - Improved geckodriver.log handling
  • .github/workflows/pypi.yml - Version bump
  • openwisp_controller/config/base/device.py - Fixed deferred fields bug
  • openwisp_controller/config/admin.py - Fixed template tampering log message
  • openwisp_controller/connection/tasks.py - Fixed concurrent task detection
  • openwisp_controller/connection/base/models.py - Fixed typo update_stragy -> update_strategy
  • Multiple WHOIS/geo related files - Architecture improvements
  • Documentation updates
  • New regression tests added

Deleted Files:

  • .github/workflows/bot-changelog-trigger.yml
  • .github/workflows/bot-changelog-runner.yml

Reviewed by kimi-k2.5 · 180,573 tokens

@openwisp-companion

Copy link
Copy Markdown

Test Failure in test_add_mobile_location

Hello @pushpitkamboj,
(Analysis for commit c2c87ce)

The test test_add_mobile_location failed because it expected 1 mobile location to be present, but found 0. This indicates that a mobile location was not created or correctly identified as mobile during the test setup.

To fix this, ensure that the test setup correctly creates a Location object with is_mobile=True before the assertion is made. If the creation logic is correct, investigate why the is_mobile=True filter might be failing to find the object.

@openwisp-companion

Copy link
Copy Markdown

Hi @pushpitkamboj 👋,

This pull request has been marked as stale due to 41 days of inactivity after changes were requested.

As a result, the linked issue(s) have been unassigned from you to allow other contributors to work on it.

However, you can still continue working on this PR! If you push new commits or respond to the review feedback:

  • The issue will be reassigned to you
  • Your contribution is still very welcome

If you need more time or have questions about the requested changes, please let us know. We're happy to help! 🤝

If there's no further activity within 19 more days, this PR will be automatically closed (but can be reopened anytime).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[ci] add changelog bot workflow

10 participants