[ci] Updated CI failure bot caller: permissions, PR author #491

Merged
nemesifier merged 4 commits into master from chores/add-ci-falure-bot
Mar 24, 2026


@stktyagi stktyagi commented Mar 8, 2026

Added CI failure bot for users module

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Description of Changes

Added CI failure bot caller workflow

Added CI failure bot for users module

coderabbitai Bot commented Mar 8, 2026

📝 Walkthrough

A new GitHub Actions workflow ("CI Failure Bot") is added that runs when the "OpenWISP Users CI Build" workflow completes with conclusion == 'failure' and the event source is a pull request. It has two jobs: find-pr, which determines the PR number and author using the workflow payload, commits API (head SHA), or by scanning open PRs; and call-ci-failure-bot, which runs if a PR was found and invokes a reusable workflow in openwisp-utils, forwarding PR/run context and required secrets.

Sequence Diagram

sequenceDiagram
    participant GitHubActions as GitHub Actions
    participant FindPR as find-pr Job
    participant GitHubAPI as GitHub API
    participant CallBot as call-ci-failure-bot Job
    participant ReusableWorkflow as Reusable Workflow\n(openwisp-utils)

    GitHubActions->>FindPR: Trigger on "OpenWISP Users CI Build" completion (failure)

    rect rgba(200,150,100,0.5)
    Note over FindPR: PR Lookup Strategies
    FindPR->>FindPR: Check workflow payload for PR number
    alt PR found in payload
        FindPR->>GitHubAPI: Fetch PR author via gh pr view
        GitHubAPI-->>FindPR: Return author
    else No PR in payload
        FindPR->>GitHubAPI: Query commits API with head SHA
        GitHubAPI-->>FindPR: Return PR info if matched
    else Still not found
        FindPR->>GitHubAPI: List open PRs and match head SHA
        GitHubAPI-->>FindPR: Return PR info if matched
    end
    end

    FindPR-->>CallBot: Emit pr_number and pr_author (if found)

    alt pr_number exists
        CallBot->>ReusableWorkflow: Invoke reusable workflow with PR/run details and secrets
        ReusableWorkflow-->>CallBot: Complete processing
    else No pr_number
        CallBot->>CallBot: Skip invocation
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description is missing the 'Reference to Existing Issue' section and the 'Screenshot' section. While it includes the checklist and description of changes, key required template elements are absent. | Add a 'Reference to Existing Issue' section (e.g., 'Closes #') and optionally include a 'Screenshot' section to match the required template structure. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title '[chores] Added CI failure bot' correctly follows the required format with the [chores] type prefix and clearly describes the main change in the changeset. |
| Bug Fixes | ✅ Passed | PR adds GitHub Actions workflow configuration, which falls under the documented exception for infrastructure changes where regression testing is impractical. |


stktyagi added 2 commits March 8, 2026 20:10
Fixed file extension from py to yml
Fixed build name for correct module

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-ci-failure.yml:
- Around line 44-49: The PR_NUMBER payload check can receive the literal string
"null" which passes -n but is invalid; update the conditional that tests
PR_NUMBER (the block that calls emit_pr "$PR_NUMBER") to ensure the value is
both non-empty and not equal to the string "null" (e.g., combine -n check with a
!= "null" check, consistent with the Commits API validation), so emit_pr is only
called with a valid PR number.
- Line 71: The reusable workflow reference currently pins to the branch "master"
(uses:
openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@master);
change this to a fixed tag or commit SHA (for example a release tag like `@v1.2.3`
or a specific commit SHA) to prevent upstream changes from breaking your CI, and
update the uses line accordingly so the workflow uses a stable, immutable ref.
- Around line 3-7: The workflow_run trigger is referencing the wrong workflow
name ("OpenWisp WiFi Login Pages CI BUILD"); update the workflows array under
the workflow_run trigger to use the actual CI workflow name "OpenWISP Users CI
Build" so the bot-ci-failure.yml workflow will run when the "OpenWISP Users CI
Build" workflow completes. Locate the workflows key inside the workflow_run
trigger and replace the incorrect string with "OpenWISP Users CI Build".


📥 Commits

Reviewing files that changed from the base of the PR and between e904269 and 219eb0e.

📒 Files selected for processing (1)
  • .github/workflows/bot-ci-failure.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)
  • GitHub Check: Python==3.11 | django~=4.2.0
  • GitHub Check: Python==3.12 | django~=5.2.0
  • GitHub Check: Python==3.12 | django~=5.0.0
  • GitHub Check: Python==3.13 | django~=5.2.0
  • GitHub Check: Python==3.12 | django~=5.1.0
  • GitHub Check: Python==3.13 | django~=5.1.0
  • GitHub Check: Python==3.11 | django~=5.2.0
  • GitHub Check: Python==3.11 | django~=5.1.0
  • GitHub Check: Python==3.10 | django~=5.0.0
  • GitHub Check: Python==3.10 | django~=5.2.0
  • GitHub Check: Python==3.12 | django~=4.2.0
  • GitHub Check: Python==3.10 | django~=4.2.0
  • GitHub Check: Python==3.10 | django~=5.1.0
  • GitHub Check: Python==3.11 | django~=5.0.0
🔇 Additional comments (2)
.github/workflows/bot-ci-failure.yml (2)

9-16: LGTM!

Permissions are appropriately scoped (minimal write access only for pull-requests), and the concurrency configuration correctly prevents duplicate runs for the same PR or branch.


72-79: No action needed—inputs already correctly specified.

The reusable workflow at openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml explicitly defines both pr_number and run_id with type: string. GitHub Actions workflow outputs are strings by default, which matches these input type expectations. No type coercion is required.

coderabbitai Bot previously approved these changes Mar 8, 2026
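
The first two inline findings in the review above (a PR number that arrives as the literal string "null", and a reusable workflow referenced at @master), as an added example that is not code from this pull request or from openwisp-utils. The function names, the sample workflow text and the 40-hex SHA are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the sample workflow text are constructed.

# Succeed only for a positive decimal PR number. jq prints the literal string
# "null" for a missing field, and that passes a bare [ -n "$x" ] test.
is_valid_pr_number() {
  case "$1" in
    '' | null | 0* | *[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Read workflow YAML on stdin and print each owner/repo `uses:` reference whose
# ref is not a full 40-hex commit SHA. Branches and tags can be moved upstream.
# Local ./ paths and docker:// images are out of scope and skipped.
mutable_refs() {
  grep -E '^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*[^.[:space:]]' |
    sed -E 's/^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*//; s/[[:space:]]*(#.*)?$//' |
    grep -v '^docker://' |
    grep -Ev '@[0-9a-f]{40}$' || true
}

# Constructed sample: the @master line is the one quoted in the review; the
# 40-hex SHA below is a placeholder, not a real commit.
sample_workflow() {
  cat <<'EOF'
jobs:
  find-pr:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: ./.github/actions/local
  call-ci-failure-bot:
    uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@master
EOF
}

for candidate in 491 null '' 12abc; do
  if is_valid_pr_number "$candidate"; then
    echo "PR number '$candidate': accepted"
  else
    echo "PR number '$candidate': rejected"
  fi
done
echo "Mutable refs:"
sample_workflow | mutable_refs
```
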
Improved scoping and updates.
@coveralls

Coverage Status

coverage: 97.894%. remained the same
when pulling 1ad0b79 on chores/add-ci-falure-bot
into e904269 on master.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-ci-failure.yml:
- Around line 58-60: The PR fallback lookup can miss matching PRs because gh pr
list uses --limit 100; update the invocation that sets PR_NUMBER (the gh pr list
command referencing HEAD_SHA and storing into PR_NUMBER) to increase the limit
to a much larger value (e.g., --limit 1000) or replace with a paginated
cursor-based loop to exhaustively scan all open PRs; ensure the change still
filters by headRefOid == "$HEAD_SHA" and returns the first matching .number into
PR_NUMBER.

📥 Commits

Reviewing files that changed from the base of the PR and between 219eb0e and 1ad0b79.

📒 Files selected for processing (1)
  • .github/workflows/bot-ci-failure.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)
  • GitHub Check: Python==3.11 | django~=5.2.0
  • GitHub Check: Python==3.12 | django~=5.0.0
  • GitHub Check: Python==3.11 | django~=5.1.0
  • GitHub Check: Python==3.13 | django~=5.2.0
  • GitHub Check: Python==3.11 | django~=5.0.0
  • GitHub Check: Python==3.10 | django~=5.1.0
  • GitHub Check: Python==3.10 | django~=5.2.0
  • GitHub Check: Python==3.12 | django~=5.2.0
  • GitHub Check: Python==3.13 | django~=5.1.0
  • GitHub Check: Python==3.12 | django~=4.2.0
  • GitHub Check: Python==3.10 | django~=4.2.0
  • GitHub Check: Python==3.10 | django~=5.0.0
  • GitHub Check: Python==3.12 | django~=5.1.0
  • GitHub Check: Python==3.11 | django~=4.2.0
🔇 Additional comments (1)
.github/workflows/bot-ci-failure.yml (1)

75-87: No security issue found. The reusable workflow correctly separates concerns:

  • Bot credentials (APP_ID, PRIVATE_KEY) and GEMINI_API_KEY are generated/loaded in the early steps
  • PR code is checked out to a separate pr_code directory but is not executed with secrets in scope
  • All code execution with secrets uses only the trusted openwisp-utils repository (line 131: python trusted_scripts/.github/actions/bot-ci-failure/analyze_failure.py)
  • The generated bot token is used only for API calls to GitHub, not for running untrusted code

The workflow does not match the hypothetical risk described in the comment.

> Likely an incorrect or invalid review comment.

@nemesifier nemesifier merged commit 2ef104e into master Mar 24, 2026
22 checks passed
@nemesifier nemesifier deleted the chores/add-ci-falure-bot branch March 24, 2026 22:21
@nemesifier nemesifier changed the title [chores] Added CI failure bot [ci] Updated CI failure bot caller: permissions, PR author Mar 24, 2026
@coderabbitai coderabbitai Bot mentioned this pull request Apr 21, 2026
4 tasks