[ci] Enabled bot-changelog workflow

[pushpitkamboj]

Checklist

• I have read the OpenWISP Contributing Guidelines.
• I have manually tested the changes proposed in this pull request.

Reference to Existing Issue

Closes #762

Description of Changes

Added a changelog bot workflow to automatically update changelogs when PRs are approved.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Two new GitHub Actions workflows were added: bot-changelog-trigger and bot-changelog-runner. bot-changelog-trigger runs on submitted pull request reviews, checks that the review is an approval by OWNER/MEMBER/COLLABORATOR and that the PR title matches a noteworthy prefix (feature, fix, change); when matched it writes the PR number to an artifact named changelog-metadata. bot-changelog-runner triggers when the trigger workflow completes, downloads and validates changelog-metadata (non-fatal on download failure), and — if a PR number is present — calls a reusable workflow in the openwisp-utils repository, passing the PR number and required secrets.

Sequence Diagram(s)

sequenceDiagram
    participant Reviewer as Reviewer
    participant TriggerWA as "bot-changelog-trigger\n(GitHub Actions)"
    participant Artifact as "Artifact\nStorage"
    participant RunnerWA as "bot-changelog-runner\n(GitHub Actions)"
    participant Reusable as "Reusable\nWorkflow (openwisp-utils)"

    Reviewer->>TriggerWA: Submit approved review (OWNER/MEMBER/COLLABORATOR)
    TriggerWA->>TriggerWA: Read PR title, match ^[\[(feature|fix|change)\]]
    alt Title matches
        TriggerWA->>Artifact: Upload artifact (changelog-metadata with pr_number)
        Artifact-->>TriggerWA: Confirm upload
    else Title doesn't match
        TriggerWA-->>TriggerWA: Skip artifact upload
    end

    Note over TriggerWA,RunnerWA: Trigger workflow completes
    RunnerWA->>Artifact: Download changelog-metadata (continue-on-error)
    Artifact-->>RunnerWA: Return pr_number (or empty)
    alt pr_number present
        RunnerWA->>Reusable: Call reusable workflow with pr_number + secrets
        Reusable-->>RunnerWA: Changelog generation complete
    else pr_number empty
        RunnerWA-->>RunnerWA: Skip calling reusable workflow
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• nemesifier

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description addresses most template sections but omits test cases, documentation updates, and screenshots which are non-critical.
Linked Issues check	✅ Passed	The PR successfully implements the objective from issue #762 by adding two GitHub Actions workflows (bot-changelog-trigger and bot-changelog-runner) to automate changelog updates when PRs are approved.
Out of Scope Changes check	✅ Passed	All changes directly relate to the objective of adding a changelog bot workflow; no unrelated or out-of-scope modifications are present.
Bug Fixes	✅ Passed	PR adds a CI/CD feature via GitHub Actions workflows, not a user-facing bug fix. GitHub Actions workflows are explicitly exempted from regression test requirements.
Title check	✅ Passed	The title '[ci] Enabled bot-changelog workflow' follows the required format with the [ci] prefix and clearly summarizes the main change: adding/enabling a new bot-changelog workflow for automating changelog updates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openwisp-companion]

CI Failures Detected

Hello @pushpitkamboj,
(Analysis for commit 7cea252)

There are multiple build failures due to the runtests script not being found.

Failures & Remediation

1. Build/Infrastructure/Other: The runtests script is not found.

   • Explanation: The CI pipeline is attempting to execute a script named ./runtests, but the logs indicate that this file does not exist in the expected location (/home/runner/work/_temp/ad651493-b8c9-43df-b5b1-eea77b38fbf4.sh: line 1: ./runtests: No such file or directory). This is causing the build to fail with exit code 127 across multiple jobs.
   • Remediation: Ensure that the runtests script is correctly placed in the repository and is executable. If the script has been renamed or moved, update the CI configuration to reflect the correct path. If this is a transient issue, consider re-running the CI job.

2. Build/Infrastructure/Other: The geckodriver.log file is not found.

   • Explanation: After the failure of the runtests script, the CI pipeline attempts to cat geckodriver.log. However, the logs show cat: geckodriver.log: No such file or directory, indicating that this log file was not generated or is not accessible. This is a consequence of the primary failure (missing runtests script) and is causing subsequent steps to fail.
   • Remediation: This failure is a direct result of the runtests script not being found. Once the runtests script is correctly placed and executable, the geckodriver.log file should be generated as expected, resolving this secondary error.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-changelog.yml:
- Line 11: Replace the mutable branch reference in the reusable workflow call
with an immutable commit SHA: find the `uses:
openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master`
line and replace `@master` with the repository commit SHA for the exact version
you want to lock (e.g., `@<commit-sha>`). Ensure you fetch and verify the
correct commit SHA from the openwisp-utils repository, update the `uses:` entry
accordingly, and commit the change so the workflow is pinned to that immutable
SHA.
- Around line 5-6: The workflow currently fires for all submitted reviews
because it uses pull_request_review with types: [submitted]; update the job (or
step) to gate execution to only approval events by adding an if condition that
checks github.event.review.state == 'approved' (keep the existing
pull_request_review/types: [submitted] but add the conditional at the job/step
level) so the workflow runs only when a review is submitted with state
"approved".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6b7e4744-78cd-4326-90df-4df65d7fcb6c

📥 Commits

Reviewing files that changed from the base of the PR and between 98afa9b and 7cea252.

📒 Files selected for processing (1)

• .github/workflows/bot-changelog.yml

📜 Review details

🔇 Additional comments (1)

.github/workflows/bot-changelog.yml (1)

9-12: [Your rewritten review comment text here]
[Exactly ONE classification tag]

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In GitHub Actions, for pull_request_reviewwithtypes: [submitted], does the workflow trigger for approved, commented, and changes_requested review states?

💡 Result:

Yes. pull_request_review with types: [submitted] fires whenever a PR review is submitted, regardless of whether the submitted review’s github.event.review.state is approved, commented, or changes_requested (you filter by state with an if: condition). [1], [2]

---

Gate execution to approved reviews only.

Line 6 (types: [submitted]) triggers for all submitted reviews, including commented and changes_requested states, not just approvals. This doesn't match the PR objective.

Proposed fix

 on:
   # Trigger when a PR review is submitted with approval
   pull_request_review:
     types: [submitted]
 
 jobs:
   changelog:
+    if: ${{ github.event.review.state == 'approved' }}
     # Call the reusable workflow from openwisp-utils
     uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bot-changelog.yml around lines 5 - 6, The workflow
currently fires for all submitted reviews because it uses pull_request_review
with types: [submitted]; update the job (or step) to gate execution to only
approval events by adding an if condition that checks github.event.review.state
== 'approved' (keep the existing pull_request_review/types: [submitted] but add
the conditional at the job/step level) so the workflow runs only when a review
is submitted with state "approved".

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What do GitHub Actions security best practices recommend for reusable workflow references: branch refs (e.g., @master) vs pinned commit SHA?

💡 Result:

GitHub Actions security guidance recommends pinning reusable workflow references to an immutable, full-length commit SHA (rather than a mutable ref like a branch name such as @master/@main, or a moving tag), to reduce supply-chain risk from a compromised repo updating that branch/tag to malicious code. You can then use tools like Dependabot to keep those pinned SHAs up to date. [1], [2]

---

Pin the reusable workflow to an immutable commit SHA.

Line 11 uses @master, which is mutable and increases supply-chain risk. Pin to a commit SHA instead to ensure reproducibility and prevent the workflow from being silently updated to malicious code.

Proposed fix

-    uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master
+    uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@<commit-sha>

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master
	uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@abc123def456...

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bot-changelog.yml at line 11, Replace the mutable branch
reference in the reusable workflow call with an immutable commit SHA: find the
`uses:
openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master`
line and replace `@master` with the repository commit SHA for the exact version
you want to lock (e.g., `@<commit-sha>`). Ensure you fetch and verify the
correct commit SHA from the openwisp-utils repository, update the `uses:` entry
accordingly, and commit the change so the workflow is pinned to that immutable
SHA.

[pushpitkamboj]

CI failure is unrelated to the PR changes.

[openwisp-companion]

CI Failure Analysis

Hello @pushpitkamboj,
(Analysis for commit 9bfb09c)

Test Failures

1. Fatal Python error: Aborted / double free or corruption (fasttop)

• Explanation: The logs indicate a critical Python error, specifically a "double free or corruption (fasttop)" followed by a "Fatal Python error: Aborted". This type of error typically points to a memory corruption issue within the Python interpreter or one of its extensions. The stack trace shows calls related to concurrent.futures.thread and threading, suggesting that the issue might be related to how threads are managed or how resources are shared between them during test execution. The presence of many extension modules in the "Extension modules" list further suggests that the interaction between these modules or their memory management could be the root cause.

• Remediation: Debugging memory corruption issues can be complex. A common first step is to try and isolate the test case that triggers this behavior. If the failure is consistently reproducible, consider running the tests with memory debugging tools like valgrind (if the environment allows) or enabling Python's built-in memory debugging options. In a CI environment, increasing the verbosity of the test runner or adding more logging around the suspected areas might help pinpoint the exact operation causing the corruption. If the issue is intermittent, it might be related to race conditions or specific timing issues in the test suite, which could be addressed by adding more robust synchronization or delays in the test setup.

2. RuntimeWarning: DateTimeField ... received a naive datetime while time zone support is active.

• Explanation: The CI logs show multiple RuntimeWarning messages from Django's DateTimeField. These warnings indicate that naive datetime objects (without timezone information) are being provided to fields that are configured to support timezones. This can lead to unexpected behavior or errors when timezones are actively used in the application. The warnings specifically mention WifiSession.stop_time and WifiSession.start_time.

• Remediation: To fix this, ensure that all datetime objects being saved to timezone-aware DateTimeFields are timezone-aware. This typically involves using django.utils.timezone.now() or timezone.make_aware() when creating or updating datetime objects. You should review the code that creates or updates WifiSession instances and ensure that start_time and stop_time are always timezone-aware datetimes.

3. Slow Test Failures

• Explanation: The CI logs indicate a significant number of slow tests, with several tests exceeding their expected execution times (marked in red, e.g., (5.47s) for test_dashboard_timeseries_charts). The total count of slow tests detected is 207. This suggests that the test suite is taking too long to complete, which can be a symptom of inefficient test setup, database operations, or test logic.

• Remediation: Identify the slowest tests and investigate their performance. This might involve:

  • Optimizing database queries: Ensure that tests are not making excessive or inefficient database calls. Use django-debug-toolbar or similar tools during local development to analyze query performance.
  • Reducing test setup overhead: If tests require complex setup (e.g., creating many objects, configuring services), look for ways to optimize this.
  • Parallelizing tests: If the test runner supports it, consider running tests in parallel to reduce overall execution time.
  • Reviewing test logic: Ensure that tests are not performing unnecessary operations or waiting for events that could be mocked or simulated more efficiently.
  • Addressing the memory corruption issue: The "double free or corruption" error might also be contributing to test slowness or instability, so resolving that could indirectly help with performance.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-changelog-runner.yml:
- Line 24: Replace mutable action/workflow references with full commit SHAs:
locate usages of actions/download-artifact@v4 and the other reusable
workflow/reference currently pinned as `@master` and update each to the
corresponding full-length commit SHA for that repository; ensure you fetch the
exact commit SHA from the upstream repo (or GitHub UI) and replace the tag
strings so the workflow uses actions/download-artifact@<full-commit-sha> and the
reusable workflow@<full-commit-sha> to avoid mutable tags for secrets like
OPENWISP_BOT_PRIVATE_KEY.

In @.github/workflows/bot-changelog-trigger.yml:
- Line 33: Replace the mutable tag usage "uses: actions/upload-artifact@v4" with
a pinned full commit SHA for the actions/upload-artifact action; locate the line
containing that exact string in the workflow and update it to "uses:
actions/upload-artifact@<full-commit-sha>" (obtain the full SHA from the
actions/upload-artifact repository release/commit you intend to pin) so the
workflow references an immutable commit instead of the `@v4` tag.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a88973f8-b20e-4acd-ac7a-3c1d4c112bb3

📥 Commits

Reviewing files that changed from the base of the PR and between 7cea252 and 580df60.

📒 Files selected for processing (2)

• .github/workflows/bot-changelog-runner.yml
• .github/workflows/bot-changelog-trigger.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)

• GitHub Check: Python==3.11 | django~=5.2.0
• GitHub Check: Python==3.11 | django~=4.2.0
• GitHub Check: Python==3.12 | django~=5.2.0
• GitHub Check: Python==3.13 | django~=5.2.0
• GitHub Check: Python==3.12 | django~=5.1.0
• GitHub Check: Python==3.11 | django~=5.1.0
• GitHub Check: Python==3.10 | django~=5.2.0
• GitHub Check: Python==3.12 | django~=4.2.0
• GitHub Check: Python==3.10 | django~=5.1.0
• GitHub Check: Python==3.13 | django~=5.1.0
• GitHub Check: Python==3.10 | django~=4.2.0

🔇 Additional comments (2)

.github/workflows/bot-changelog-trigger.yml (1)

9-29: Approval and noteworthy gating logic looks solid.

The job-level approval filter plus conditional artifact creation is clear and correctly scoped.

.github/workflows/bot-changelog-runner.yml (1)

31-40: PR metadata validation is well implemented.

The numeric guard before setting pr_number output is a good safety check.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/bot-changelog-runner.yml

Repository: openwisp/openwisp-monitoring

Length of output: 1911

---

🌐 Web query:

GitHub Actions security best practices pinning actions to commit SHA

💡 Result:

Pinning GitHub Actions to a full-length commit SHA is a critical security best practice to prevent supply chain attacks. This ensures actions are immutable, as a specific SHA cannot be altered without creating a SHA-1 collision, mitigating risks from compromised repositories where attackers could push malicious code to tags or branches. Key practices: - Always use full-length commit SHAs (40 characters) instead of tags like 'v1' or 'main', which can be updated maliciously. Example: - uses: actions/checkout@192f8e1 # v4.1.7 Verify the SHA from the official repository's releases or commits, not forks. - Prioritize for third-party and high-risk actions handling secrets or repository access. - Audit action source code and prefer verified creators from GitHub Marketplace. - Use tools like pinact, pin-github-action, or Dependabot/Renovate for automation and updates. - Enforce organization-wide via GitHub policies: Enable "Require actions to be pinned to a full-length commit SHA" in repository/organization settings under Actions > General > Policies. Additional best practices: - Set GITHUB_TOKEN to read-only permissions by default. - Use Dependabot alerts for vulnerabilities (note: doesn't cover SHA-pinned actions). - Review and periodically update SHAs for security fixes. This aligns with GitHub's security hardening guide and recent policy updates supporting SHA enforcement.

Citations:

• 1: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
• 2: https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide
• 3: https://www.codewrecks.com/post/github/github-sha-pinning/
• 4: https://dev.to/ciberconscientes/github-actions-why-you-should-pin-your-actions-to-a-specific-version-1513
• 5: https://docs.github.com/en/actions/reference/security/secure-use
• 6: https://dev.to/suzukishunsuke/pin-github-actions-to-a-full-length-commit-sha-for-security-2n7p
• 7: https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cicd/github/unpinned_actions_full_length_commit_sha/
• 8: https://github.com/mheap/pin-github-action
• 9: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions

---

Pin actions and reusable workflows to full commit SHAs instead of mutable version tags or branch references.

Lines 24 and 45 use mutable references (@v4 and @master) that can be silently updated. Since this workflow handles sensitive secrets including OPENWISP_BOT_PRIVATE_KEY, both should be pinned to full-length commit SHAs to prevent supply chain attacks.

Hardening

-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@<full_commit_sha>

-    uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master
+    uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@<full_commit_sha>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bot-changelog-runner.yml at line 24, Replace mutable
action/workflow references with full commit SHAs: locate usages of
actions/download-artifact@v4 and the other reusable workflow/reference currently
pinned as `@master` and update each to the corresponding full-length commit SHA
for that repository; ensure you fetch the exact commit SHA from the upstream
repo (or GitHub UI) and replace the tag strings so the workflow uses
actions/download-artifact@<full-commit-sha> and the reusable
workflow@<full-commit-sha> to avoid mutable tags for secrets like
OPENWISP_BOT_PRIVATE_KEY.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/bot-changelog-trigger.yml | head -50

Repository: openwisp/openwisp-monitoring

Length of output: 1405

---

🏁 Script executed:

# Check if the file exists and get its full content
wc -l .github/workflows/bot-changelog-trigger.yml

Repository: openwisp/openwisp-monitoring

Length of output: 118

---

🏁 Script executed:

# Search for all 'uses:' statements in the workflow file
rg "uses:" .github/workflows/bot-changelog-trigger.yml -A 1

Repository: openwisp/openwisp-monitoring

Length of output: 126

---

🌐 Web query:

GitHub Actions best practices version pinning commit SHA 2025

💡 Result:

GitHub Actions best practices strongly recommend pinning actions to full-length commit SHAs for security and reproducibility. This prevents supply chain attacks where malicious code could be injected via mutable tags or branches. Key practices: - Use full 40-character commit SHA: uses: actions/checkout@692d365 # v4.1.4 - Find SHA by visiting the action repo, selecting the tag/release, and copying the commit hash from the URL or branch switcher. - Add version comment for readability and tracking. - Prioritize for third-party and high-risk actions (those handling secrets or deployments). - For GitHub-owned actions (actions/, github/), tags like @v4 are acceptable if trusted, but SHA is still best. - Pin runners too: runs-on: ubuntu-24.04 instead of ubuntu-latest. Automation and enforcement (2025 updates): - Use Dependabot or Renovate to update pinned SHAs: Renovate's helpers:pinGitHubActionDigests preset automates SHA pinning and updates. - Tools: pin-github-action, pinact for bulk pinning. - Enforce via policies: Repository/Org/Enterprise settings > Actions > General > "Require actions to be pinned to a full-length commit SHA" checkbox (introduced Aug 2025). - Validation actions: zgosalvez/github-actions-ensure-sha-pinned-actions to fail builds on unpinned actions. Tradeoffs: - SHAs are immutable but require updates for fixes/security patches. - Balance with scheduled updates via PRs. Official guidance: GitHub Docs "Secure use reference" states SHA pinning is the only immutable way, mitigating SHA-1 collision attacks needed for supply chain compromise.

Citations:

• 1: https://docs.github.com/en/actions/reference/security/secure-use
• 2: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions
• 3: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository
• 4: https://docs.github.com/en/enterprise-cloud@latest/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise
• 5: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
• 6: https://dev.to/ciberconscientes/github-actions-why-you-should-pin-your-actions-to-a-specific-version-1513
• 7: https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide

---

Pin actions/upload-artifact to an immutable commit SHA.

Line 33 uses a mutable major tag (@v4), which weakens workflow integrity guarantees. GitHub Actions best practices recommend pinning all actions to full-length commit SHAs to prevent supply chain attacks and ensure reproducible workflows.

      - name: Upload PR metadata
        if: steps.check.outputs.has_noteworthy == 'true'
-       uses: actions/upload-artifact@v4
+       uses: actions/upload-artifact@692d36539f903b6016f51ba6bba3eedbf55d65af # v4
        with:
          name: changelog-metadata
          path: pr_number

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	uses: actions/upload-artifact@v4
	uses: actions/upload-artifact@692d36539f903b6016f51ba6bba3eedbf55d65af # v4

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bot-changelog-trigger.yml at line 33, Replace the mutable
tag usage "uses: actions/upload-artifact@v4" with a pinned full commit SHA for
the actions/upload-artifact action; locate the line containing that exact string
in the workflow and update it to "uses:
actions/upload-artifact@<full-commit-sha>" (obtain the full SHA from the
actions/upload-artifact repository release/commit you intend to pin) so the
workflow references an immutable commit instead of the `@v4` tag.

[openwisp-companion]

Prettier Check Failed: .github/workflows/bot-changelog-trigger.yml

Hello @pushpitkamboj,
(Analysis for commit 76a4bf1)

The CI failed because of a code style issue detected by Prettier in the .github/workflows/bot-changelog-trigger.yml file.

Fix:
Run openwisp-qa-format to automatically fix the formatting issues.

[openwisp-companion]

{
    "failures": [
        {
            "name": "Commit Message",
            "message": "Invalid commit message format",
            "details": "The commit message does not follow the expected format. Please ensure your commit message includes a header in the format `[tag] Capitalized short title #<issue>`, followed by a blank line, a detailed description, and a footer with a closing keyword and issue number (e.g., `Fixes #123`).",
            "command": "git commit --amend"
        }
    ]
}

Commit Message Invalid Format

Hello @pushpitkamboj,
(Analysis for commit 246341b)

• Commit Message: The commit message is invalid. Please follow the conventional commit format: [tag] Capitalized short title #<issue>. For example: [fix] Corrected typo in README #123.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-changelog-trigger.yml:
- Line 17: Replace the mutable runner label used by the runs-on key to a fixed
OS version: change the runs-on value from "ubuntu-latest" to a specific pinned
label such as "ubuntu-24.04" (i.e., update the runs-on: "ubuntu-latest" line to
runs-on: "ubuntu-24.04") so the workflow uses a stable, reproducible runner
image.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 836451f5-fe21-4f5e-9645-b38e6db4d8fd

📥 Commits

Reviewing files that changed from the base of the PR and between 246341b and 35c1c88.

📒 Files selected for processing (1)

• .github/workflows/bot-changelog-trigger.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)

• GitHub Check: Python==3.11 | django~=5.2.0
• GitHub Check: Python==3.11 | django~=4.2.0
• GitHub Check: Python==3.12 | django~=4.2.0
• GitHub Check: Python==3.12 | django~=5.2.0
• GitHub Check: Python==3.10 | django~=5.2.0
• GitHub Check: Python==3.13 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=5.1.0
• GitHub Check: Python==3.10 | django~=4.2.0
• GitHub Check: Python==3.10 | django~=5.1.0
• GitHub Check: Python==3.13 | django~=5.2.0
• GitHub Check: Python==3.11 | django~=5.1.0

🔇 Additional comments (2)

.github/workflows/bot-changelog-trigger.yml (2)

36-36: Pin actions/upload-artifact to a full commit SHA.

Line 36 still uses a mutable tag (@v4). This was already flagged in prior review and remains unresolved.

What is the current full commit SHA to pin for actions/upload-artifact v4, and what does GitHub recommend for immutable action pinning?

---

12-32: Approval gate and metadata extraction look correct.

The review-state/author-association checks and PR-title filtering logic are aligned with the workflow objective, and the PR number handoff is clean.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

🌐 Web query:

What are GitHub’s current recommendations for pinning runs-on runner images in GitHub Actions workflows?

💡 Result:

GitHub does not recommend or support directly pinning runs-on runner images to specific versions (e.g., ubuntu-24.04-20250915.62.1) in standard GitHub-hosted runners. Instead, the current recommendation is to use specific OS version labels like ubuntu-24.04, ubuntu-22.04, windows-2025, or macos-15 to avoid unexpected changes from -latest aliases, which roll forward to newer OS versions (e.g., ubuntu-latest now points to ubuntu-24.04 as of early 2025).

Citations:

• 1: https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job
• 2: https://docs.github.com/en/actions/reference/github-hosted-runners-reference
• 3: https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job
• 4: Please allow pinning an image to a specific version like 20250915.62.1, so users get control over *when* image updates break their CI 🙏 actions/runner-images#13034
• 5: Ubuntu-latest workflows will use Ubuntu-24.04 image actions/runner-images#10636
• 6: https://docs.github.com/en/actions/reference/runners/github-hosted-runners
• 7: https://github.com/actions/runner-images

---

Use a fixed runner image instead of ubuntu-latest.

ubuntu-latest is mutable and can introduce non-reproducible CI behavior. Pin to a specific OS version label like ubuntu-24.04 to ensure consistency.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bot-changelog-trigger.yml at line 17, Replace the mutable
runner label used by the runs-on key to a fixed OS version: change the runs-on
value from "ubuntu-latest" to a specific pinned label such as "ubuntu-24.04"
(i.e., update the runs-on: "ubuntu-latest" line to runs-on: "ubuntu-24.04") so
the workflow uses a stable, reproducible runner image.

[openwisp-companion]

Commit Message and Test Failures

Hello @pushpitkamboj,
(Analysis for commit a8544ee)

1. Commit Message Failure: The commit message does not follow the required format. The title should start with a capitalized word after the prefix.

Correct format example:

[fix] Remove js env and edited permissions for workflow #123

2. Test Failure: The following tests failed:

• test_200_multiple_measurements in openwisp_monitoring.device.tests.test_api failed with AssertionError: 2 != 4.
• test_evdo_charts in openwisp_monitoring.device.tests.test_api failed with AssertionError: 1 != 3.

These failures indicate that the actual number of data points or charts returned by the API does not match the expected values in the tests. You need to investigate why the API is returning fewer data points than expected for test_200_multiple_measurements and why test_evdo_charts is only returning one chart instead of three.

[openwisp-companion]

Hi @pushpitkamboj 👋,

This pull request has been marked as stale due to 41 days of inactivity after changes were requested.

As a result, the linked issue(s) have been unassigned from you to allow other contributors to work on it.

However, you can still continue working on this PR! If you push new commits or respond to the review feedback:

• The issue will be reassigned to you
• Your contribution is still very welcome

If you need more time or have questions about the requested changes, please let us know. We're happy to help! 🤝

If there's no further activity within 19 more days, this PR will be automatically closed (but can be reopened anytime).

[coderabbitai]

♻️ Duplicate comments (2)

.github/workflows/bot-changelog-trigger.yml (1)

35-35: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin actions/upload-artifact to a full commit SHA.

Line 35 uses a mutable tag (@v7). Please pin it to an immutable 40-char SHA for reproducibility and supply-chain hardening.

#!/bin/bash
# Verify unpinned action refs in this workflow and fetch SHA candidates.
set -euo pipefail

echo "Unpinned uses in trigger workflow:"
rg -n '^\s*uses:\s*[^@]+@(?:v[0-9]+|master|main|latest)\s*$' .github/workflows/bot-changelog-trigger.yml || true

echo
echo "Latest upload-artifact release tag + commit:"
curl -fsSL https://api.github.com/repos/actions/upload-artifact/releases/latest | jq -r '.tag_name, .target_commitish'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/bot-changelog-trigger.yml at line 35, The workflow
currently uses a mutable tag "uses: actions/upload-artifact@v7" which should be
pinned to an immutable 40-character commit SHA to improve reproducibility and
supply-chain security; replace the "uses: actions/upload-artifact@v7" entry with
"uses: actions/upload-artifact@<40-char-commit-sha>" (the exact SHA for the v7
tag) — obtain the correct SHA for the v7 release from the
actions/upload-artifact GitHub API or the releases page and update the uses line
accordingly so the workflow references that full commit SHA instead of the v7
tag.

.github/workflows/bot-changelog-runner.yml (1)

23-23: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Use immutable SHAs for both action and reusable workflow references.

Lines 23 and 48 use mutable refs (@v8, @master). Since this workflow passes sensitive secrets, both should be pinned to full commit SHAs.

#!/bin/bash
# Detect mutable refs and fetch SHAs to pin.
set -euo pipefail

echo "Mutable refs in runner workflow:"
rg -n '^\s*uses:\s*[^@]+@(?:v[0-9]+|master|main|latest)\s*$' .github/workflows/bot-changelog-runner.yml || true

echo
echo "Latest download-artifact release tag + commit:"
curl -fsSL https://api.github.com/repos/actions/download-artifact/releases/latest | jq -r '.tag_name, .target_commitish'

echo
echo "Current SHA behind openwisp-utils master:"
curl -fsSL https://api.github.com/repos/openwisp/openwisp-utils/commits/master | jq -r '.sha'

Also applies to: 48-48

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/bot-changelog-runner.yml at line 23, The workflow uses
mutable action/workflow refs (e.g. uses: actions/download-artifact@v8 and the
reusable workflow reference pinned to `@master`); replace both mutable tags with
the corresponding full commit SHAs to make them immutable. Locate the two uses:
lines referencing actions/download-artifact@v8 and the reusable workflow
reference using `@master`, query the GitHub API or the upstream repo to get the
exact commit SHA for each reference, and update the workflow to use uses:
actions/download-artifact@<full-sha> and uses: <owner>/<repo>@<full-sha> (or the
reusable workflow's full SHA) so secrets are only passed to pinned commits.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.github/workflows/bot-changelog-runner.yml:
- Line 23: The workflow uses mutable action/workflow refs (e.g. uses:
actions/download-artifact@v8 and the reusable workflow reference pinned to
`@master`); replace both mutable tags with the corresponding full commit SHAs to
make them immutable. Locate the two uses: lines referencing
actions/download-artifact@v8 and the reusable workflow reference using `@master`,
query the GitHub API or the upstream repo to get the exact commit SHA for each
reference, and update the workflow to use uses:
actions/download-artifact@<full-sha> and uses: <owner>/<repo>@<full-sha> (or the
reusable workflow's full SHA) so secrets are only passed to pinned commits.

In @.github/workflows/bot-changelog-trigger.yml:
- Line 35: The workflow currently uses a mutable tag "uses:
actions/upload-artifact@v7" which should be pinned to an immutable 40-character
commit SHA to improve reproducibility and supply-chain security; replace the
"uses: actions/upload-artifact@v7" entry with "uses:
actions/upload-artifact@<40-char-commit-sha>" (the exact SHA for the v7 tag) —
obtain the correct SHA for the v7 release from the actions/upload-artifact
GitHub API or the releases page and update the uses line accordingly so the
workflow references that full commit SHA instead of the v7 tag.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c73da99c-db50-457c-af8e-b50a00d07a2b

📥 Commits

Reviewing files that changed from the base of the PR and between 35c1c88 and de476b6.

📒 Files selected for processing (2)

• .github/workflows/bot-changelog-runner.yml
• .github/workflows/bot-changelog-trigger.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)

• GitHub Check: Python==3.13 | django~=5.2.0
• GitHub Check: Python==3.13 | django~=5.1.0
• GitHub Check: Python==3.10 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=4.2.0
• GitHub Check: Python==3.12 | django~=5.2.0
• GitHub Check: Python==3.11 | django~=4.2.0
• GitHub Check: Python==3.10 | django~=4.2.0
• GitHub Check: Python==3.10 | django~=5.2.0
• GitHub Check: Python==3.11 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=5.1.0
• GitHub Check: Python==3.11 | django~=5.2.0

[openwisp-companion]

The CI is failing due to transient infrastructure issues (not related to your code). I have restarted the failed jobs automatically (1/3).

[openwisp-companion]

Multiple Test Failures Detected

Hello @pushpitkamboj,
(Analysis for commit 92d4870)

There are multiple test failures in your commit. Please address the following:

1. test_wifi_hostapd failure:

• Error: AssertionError: Lists differ: [0, 0, 0, 0, 0, 0, 0, 0, 0, 2] != [0, 2, 2, 2, 2, 2, 2, 2, 2, 4]
• Reason: The actual output [0, 0, 0, 0, 0, 0, 0, 0, 0, 2] does not match the expected output [0, 2, 2, 2, 2, 2, 2, 2, 2, 4].
• Fix: Examine the test_wifi_hostapd test in openwisp_monitoring/monitoring/tests/test_charts.py and adjust the expected output or the test data to match the actual behavior.

2. test_store_result (openwisp_monitoring.check.tests.test_data_collected) failure:

• Error: AssertionError: {'data_collected': 0} != {'data_collected': 1}
• Reason: The test expects {'data_collected': 1} but received {'data_collected': 0}.
• Fix: Review the logic in test_store_result within openwisp_monitoring/check/tests/test_data_collected.py and ensure the expected value for data_collected is correct or adjust the test to match the actual outcome.

3. test_iperf3_check failure:

• Error: AssertionError: 0 != 1
• Reason: The test expects a length of 1 for points but received 0.
• Fix: Investigate the test_iperf3_check in openwisp_monitoring/check/tests/test_iperf3.py. The iperf3 check likely did not produce any data points as expected by the assertion.

4. test_config_error failure:

• Error: AssertionError: True != False
• Reason: The test asserts that m.is_healthy_tolerant should be False, but it is True.
• Fix: Examine the test_config_error in openwisp_monitoring/check/tests/test_models.py and the logic related to is_healthy_tolerant to understand why it's True when False is expected.

5. test_store_result (openwisp_monitoring.check.tests.test_wifi_client) failure:

• Error: AssertionError: {'wifi_clients_min': 0, 'wifi_clients_max': 0} != {'wifi_clients_min': 3, 'wifi_clients_max': 3}
• Reason: The test expects {'wifi_clients_min': 3, 'wifi_clients_max': 3} but received {'wifi_clients_min': 0, 'wifi_clients_max': 0}.
• Fix: Review the test_store_result in openwisp_monitoring/check/tests/test_wifi_client.py. The test is likely failing because the expected number of WiFi clients is not being generated or captured correctly.

Please fix these test failures and push a new commit.