[CI] Add changelog bot workflow #1272

Open

pushpitkamboj wants to merge 3 commits into openwisp:master from pushpitkamboj:ci/changelog-bot

Conversation

@pushpitkamboj

Checklist

Reference to Existing Issue

Closes #1271

Description of Changes

Added a changelog bot workflow to automatically update changelogs when PRs are approved.

@coderabbitai
Contributor

coderabbitai bot commented Mar 13, 2026

📝 Walkthrough

A new GitHub Actions workflow is added at .github/workflows/bot-changelog.yml. It triggers on pull request review submissions, checks that the review state is "approved" and the author is an OWNER/MEMBER/COLLABORATOR, and then invokes the reusable workflow openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master, forwarding the secrets GEMINI_API_KEY, OPENWISP_BOT_APP_ID, and OPENWISP_BOT_PRIVATE_KEY.

Sequence Diagram(s)

sequenceDiagram
    participant Reviewer
    participant GitHub as "GitHub Actions"
    participant Repo as "Repo Workflow\n(.github/workflows/bot-changelog.yml)"
    participant Reusable as "Reusable Workflow\nopenwisp-utils"
    participant Secrets as "Repo Secrets"

    Reviewer->>GitHub: submit pull_request_review
    GitHub->>Repo: trigger workflow
    Repo->>Repo: check review.state == "approved"\nand author in {OWNER,MEMBER,COLLABORATOR}
    alt conditions met
        Repo->>Secrets: read GEMINI_API_KEY, OPENWISP_BOT_APP_ID,\nOPENWISP_BOT_PRIVATE_KEY
        Repo->>Reusable: call reusable workflow\n(pass secrets)
        Reusable->>Secrets: validate/use secrets
        Reusable->>Repo: return status
    else conditions not met
        Repo-->>GitHub: exit (no-op)
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • nemesifier

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive. The PR description includes completed checklist items and references the linked issue, but is missing test-related and documentation-related checklist items that are required by the template. Resolution: complete the remaining checklist items (test cases and documentation) or clarify why they are not applicable to this CI workflow change.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The PR title '[CI] Add changelog bot workflow' correctly uses the 'CI' type prefix and clearly describes the main change: adding a changelog bot workflow.
  • Linked Issues check: ✅ Passed. The PR successfully implements the objective from issue #1271 by adding a changelog bot GitHub Actions workflow that automates changelog generation upon PR approval.
  • Out of Scope Changes check: ✅ Passed. All changes in the PR are directly related to adding the changelog bot workflow as specified in the linked issue #1271, with no extraneous modifications.
  • Bug Fixes: ✅ Passed. This PR adds a GitHub Actions workflow for changelog automation, not a bug fix. Custom checks apply only to bug fixes, so this check passes by default.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-changelog.yml:
- Around line 3-6: The workflow currently triggers on all review submissions
because it uses pull_request_review: types: [submitted]; restrict the job to run
only for approvals by adding a job-level condition that checks the review state
(e.g. use an if condition that evaluates github.event.review.state ==
'approved'); update the job definitions (within the workflow that contains
pull_request_review) to include this if check so only approved reviews will
execute the workflow.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3efec7b0-7ede-4772-b0b2-edd2de2e1183

📥 Commits

Reviewing files that changed from the base of the PR and between d203490 and 4781572.

📒 Files selected for processing (1)
  • .github/workflows/bot-changelog.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: Python==3.12 | django~=5.1.0
  • GitHub Check: Python==3.13 | django~=5.2.0
  • GitHub Check: Python==3.12 | django~=4.2.0
  • GitHub Check: Python==3.11 | django~=4.2.0
  • GitHub Check: Python==3.10 | django~=5.2.0
  • GitHub Check: Python==3.10 | django~=5.1.0
  • GitHub Check: Python==3.10 | django~=4.2.0
  • GitHub Check: Python==3.13 | django~=5.1.0
  • GitHub Check: Python==3.11 | django~=5.2.0
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:31.829Z
Learning: Repository: openwisp/openwisp-controller
File/Area: .github/workflows/backport.yml (backport-on-comment condition)
Learning: Project policy is to restrict the backport trigger via issue comments to users with author_association "MEMBER" or "OWNER" only; "COLLABORATOR" is intentionally excluded (per maintainer feedback on PR `#1233`).
📚 Learning: 2026-02-24T16:24:55.443Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:22-22
Timestamp: 2026-02-24T16:24:55.443Z
Learning: In repositories within the OpenWISP organization, it is acceptable to reference reusable workflows from other OpenWISP-controlled repos using mutable refs (e.g., master) in .github/workflows. This is permissible due to the shared trust boundary within the organization. If applying this pattern, ensure the target repos are under the same organization and maintain awareness of potential breakages from upstream mutable refs; consider pinning to a tagged version for longer-term stability when appropriate.

Applied to files:

  • .github/workflows/bot-changelog.yml
📚 Learning: 2026-02-24T16:25:20.080Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:20.080Z
Learning: In .github/workflows/backport.yml, enforce that backport-on-comment triggers only for users with author_association MEMBER or OWNER (COLLABORATOR excluded), reflecting maintainer feedback. Update the trigger condition to check author_association and restrict to MEMBERS/OWNERS; document rationale and PR `#1233` reference in code comments.

Applied to files:

  • .github/workflows/bot-changelog.yml
🔇 Additional comments (1)
.github/workflows/bot-changelog.yml (1)

8-15: LGTM on the reusable workflow reference and secrets.

Using the @master ref for the openwisp-utils reusable workflow is acceptable within the OpenWISP organization's shared trust boundary. The secrets passed (GEMINI_API_KEY, OPENWISP_BOT_APP_ID, OPENWISP_BOT_PRIVATE_KEY) appear appropriate for a bot workflow using Gemini API and GitHub App authentication. Based on learnings indicating mutable refs are permissible for OpenWISP-controlled repos.

@coveralls

coveralls commented Mar 13, 2026

Coverage Status

coverage: 98.672%, remained the same when pulling a6055ec on pushpitkamboj:ci/changelog-bot into d203490 on openwisp:master.

@pushpitkamboj
Author

added the pr approved checks

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-changelog.yml:
- Around line 12-14: The workflow's review-author gating currently allows
github.event.review.author_association == 'COLLABORATOR' which grants privileged
secrets to collaborators; remove the 'COLLABORATOR' check so the condition only
permits 'OWNER' or 'MEMBER' (i.e., leave github.event.review.author_association
== 'OWNER' || github.event.review.author_association == 'MEMBER'), updating the
conditional expression around github.event.review.author_association accordingly
to prevent collaborators from triggering this job.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3e2c0599-6789-419d-af50-8eb14b4f870b

📥 Commits

Reviewing files that changed from the base of the PR and between 4781572 and a6055ec.

📒 Files selected for processing (1)
  • .github/workflows/bot-changelog.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)
  • GitHub Check: Python==3.12 | django~=5.2.0
  • GitHub Check: Python==3.13 | django~=5.1.0
  • GitHub Check: Python==3.10 | django~=5.1.0
  • GitHub Check: Python==3.12 | django~=5.1.0
  • GitHub Check: Python==3.11 | django~=5.1.0
  • GitHub Check: Python==3.13 | django~=5.2.0
  • GitHub Check: Python==3.12 | django~=4.2.0
  • GitHub Check: Python==3.11 | django~=5.2.0
  • GitHub Check: Python==3.10 | django~=5.2.0
  • GitHub Check: Python==3.11 | django~=4.2.0
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:31.829Z
Learning: Repository: openwisp/openwisp-controller
File/Area: .github/workflows/backport.yml (backport-on-comment condition)
Learning: Project policy is to restrict the backport trigger via issue comments to users with author_association "MEMBER" or "OWNER" only; "COLLABORATOR" is intentionally excluded (per maintainer feedback on PR `#1233`).
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:22-22
Timestamp: 2026-02-24T16:25:03.810Z
Learning: In the openwisp organization repositories, it is acceptable to use mutable refs like `master` when referencing reusable workflows from other openwisp-controlled repositories (e.g., `openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master`) because these repositories are under the same organizational control and trust boundary.
📚 Learning: 2026-02-24T16:25:20.080Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:20.080Z
Learning: In .github/workflows/backport.yml, enforce that backport-on-comment triggers only for users with author_association MEMBER or OWNER (COLLABORATOR excluded), reflecting maintainer feedback. Update the trigger condition to check author_association and restrict to MEMBERS/OWNERS; document rationale and PR `#1233` reference in code comments.

Applied to files:

  • .github/workflows/bot-changelog.yml
📚 Learning: 2026-02-24T16:24:55.443Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:22-22
Timestamp: 2026-02-24T16:24:55.443Z
Learning: In repositories within the OpenWISP organization, it is acceptable to reference reusable workflows from other OpenWISP-controlled repos using mutable refs (e.g., master) in .github/workflows. This is permissible due to the shared trust boundary within the organization. If applying this pattern, ensure the target repos are under the same organization and maintain awareness of potential breakages from upstream mutable refs; consider pinning to a tagged version for longer-term stability when appropriate.

Applied to files:

  • .github/workflows/bot-changelog.yml
🔇 Additional comments (2)
.github/workflows/bot-changelog.yml (2)

10-11: Approval-only gate is correctly enforced.

Good call adding the approved state filter at job level; this keeps non-approval review submissions from executing the reusable workflow.


15-19: Reusable workflow wiring and secret forwarding look good.

@master usage for an internal OpenWISP reusable workflow is acceptable here, and the forwarded secret names align with existing bot workflows.

Based on learnings: Using mutable refs like @master for reusable workflows across OpenWISP-controlled repositories is acceptable within this trust boundary.

Comment on lines +12 to +14
(github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER' ||
github.event.review.author_association == 'COLLABORATOR')
⚠️ Potential issue | 🟠 Major

Remove COLLABORATOR from the privileged trigger condition.

Line 14 currently allows COLLABORATOR to trigger this bot workflow. Given this job uses privileged secrets, this should be restricted to OWNER/MEMBER for consistency with established repository policy.

🔧 Proposed fix
     if: |
       github.event.review.state == 'approved' &&
       (github.event.review.author_association == 'OWNER' ||
-       github.event.review.author_association == 'MEMBER' ||
-       github.event.review.author_association == 'COLLABORATOR')
+       github.event.review.author_association == 'MEMBER')
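Review bot: The reduced allowlist `(github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'MEMBER')` matches the backport.yml policy, but the maintainer decision it is based on (PR #1233, quoted in the learnings above) also asks for the rationale to be recorded next to the check; add a YAML comment above the `if:` block stating that COLLABORATOR is excluded on purpose because the job forwards privileged secrets, so a later edit does not re-add it as a "fix".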

Based on learnings: Project policy in this repository’s bot-trigger gating (see .github/workflows/backport.yml maintainer decision in PR #1233) intentionally excludes COLLABORATOR and allows only MEMBER/OWNER.

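The shape the workflow converges on after this thread, written out as an added example rather than the PR's own file (only lines 12-14 of that file and the proposed fix are visible above): the pull_request_review trigger, the job-level gate on an approved review, the OWNER/MEMBER allowlist from the proposed fix with its rationale in a comment, and the call to the reusable workflow with the three forwarded secrets named in the walkthrough. The reusable workflow path and the secret names come from the page; the workflow name, job id and comment wording are assumptions.

```yaml
# Added example, not the file from the PR. Names marked "assumed" are not taken from the page.
name: Changelog bot  # assumed workflow name

on:
  pull_request_review:
    types: [submitted]  # fires for every submitted review, so the job must filter further

jobs:
  changelog:  # assumed job id
    # Only an *approved* review may trigger the job; comment and changes-requested
    # reviews also arrive through this event and must be ignored.
    # Only OWNER or MEMBER may trigger it: the job forwards privileged secrets to the
    # reusable workflow, and repository policy (maintainer decision in PR #1233 for
    # backport.yml) intentionally excludes COLLABORATOR. Any other association
    # (e.g. CONTRIBUTOR or NONE) is rejected because it is not on the allowlist.
    if: |
      github.event.review.state == 'approved' &&
      (github.event.review.author_association == 'OWNER' ||
       github.event.review.author_association == 'MEMBER')
    # Reusable workflow reference taken from the walkthrough; @master is accepted within
    # the OpenWISP organization's trust boundary, a tagged ref would pin it more tightly.
    uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master
    # Secret names taken from the walkthrough; they must match the names the reusable
    # workflow declares under workflow_call.secrets, otherwise the call fails validation.
    secrets:
      GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
      OPENWISP_BOT_APP_ID: ${{ secrets.OPENWISP_BOT_APP_ID }}
      OPENWISP_BOT_PRIVATE_KEY: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }}
```

Two properties of this layout matter for review: the gate sits on the job, not on the trigger, because `pull_request_review` has no event-level filter for review state or author role, and the secrets are forwarded by explicit name rather than `secrets: inherit`, so the reusable workflow receives exactly the three values it needs and nothing else the repository holds.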

@pushpitkamboj
Author

also added it in utils repos

Successfully merging this pull request may close these issues.

[ci] add changelog bot workflow
