
[ci] Failure Bot: run only on PR merge, allowed auto-retry #1289

Open
nemesifier wants to merge 3 commits into master from update-ci-failure-bot

Conversation

@nemesifier
Member

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • N/A I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • N/A I have updated the documentation.

Description of Changes

Run the workflow only when pull requests are merged. Enabled auto-retry by adding write permissions to the action workflow.

@coderabbitai
Contributor

coderabbitai bot commented Mar 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: cce2d5a2-483e-48bd-b46b-82124232d1d2

📥 Commits

Reviewing files that changed from the base of the PR and between 3af59fe and 8114ca3.

📒 Files selected for processing (1)
  • .github/workflows/bot-ci-failure.yml
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: Python==3.10 | django~=5.1.0
  • GitHub Check: Python==3.13 | django~=5.2.0
  • GitHub Check: Python==3.10 | django~=4.2.0
  • GitHub Check: Python==3.11 | django~=5.2.0
  • GitHub Check: Python==3.12 | django~=5.1.0
  • GitHub Check: Python==3.13 | django~=5.1.0
  • GitHub Check: Python==3.12 | django~=4.2.0
  • GitHub Check: Python==3.10 | django~=5.2.0
  • GitHub Check: Python==3.11 | django~=5.1.0
  • GitHub Check: Python==3.11 | django~=4.2.0
  • GitHub Check: Python==3.12 | django~=5.2.0
🧰 Additional context used
🧠 Learnings (5)
📓 Common learnings
Learnt from: stktyagi
Repo: openwisp/openwisp-controller PR: 1289
File: .github/workflows/bot-ci-failure.yml:21-21
Timestamp: 2026-03-19T16:14:29.698Z
Learning: In openwisp/openwisp-controller, the CI Failure Bot workflow (`.github/workflows/bot-ci-failure.yml`) is intentionally gated on `github.event.workflow_run.event == 'pull_request'`. It should NOT be triggered for push events to master (i.e., post-merge CI runs). Suggesting to add a `push` branch condition is wrong; the bot is only meant to run for open PR failures.
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:31.829Z
Learning: Repository: openwisp/openwisp-controller
File/Area: .github/workflows/backport.yml (backport-on-comment condition)
Learning: Project policy is to restrict the backport trigger via issue comments to users with author_association "MEMBER" or "OWNER" only; "COLLABORATOR" is intentionally excluded (per maintainer feedback on PR `#1233`).
📚 Learning: 2026-03-19T16:14:29.698Z
Learnt from: stktyagi
Repo: openwisp/openwisp-controller PR: 1289
File: .github/workflows/bot-ci-failure.yml:21-21
Timestamp: 2026-03-19T16:14:29.698Z
Learning: In `openwisp/openwisp-controller`’s `.github/workflows/bot-ci-failure.yml`, keep the workflow gated to run only when `github.event.workflow_run.event == 'pull_request'`. Do not add/enable `push` (e.g., `push` to `master`) conditions for this bot workflow, since it is intended to report failures from open PR CI runs and should not trigger post-merge CI events.

Applied to files:

  • .github/workflows/bot-ci-failure.yml
📚 Learning: 2026-02-24T16:25:20.080Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:20.080Z
Learning: In .github/workflows/backport.yml, enforce that backport-on-comment triggers only for users with author_association MEMBER or OWNER (COLLABORATOR excluded), reflecting maintainer feedback. Update the trigger condition to check author_association and restrict to MEMBERS/OWNERS; document rationale and PR `#1233` reference in code comments.

Applied to files:

  • .github/workflows/bot-ci-failure.yml
📚 Learning: 2026-03-14T19:34:33.773Z
Learnt from: CR
Repo: openwisp/openwisp-controller PR: 0
File: coderabbit-custom-pre-merge-checks-unique-id-file-non-traceable-F7F2B60C-1728-4C9A-8889-4F2235E186CA.txt:0-0
Timestamp: 2026-03-14T19:34:33.773Z
Learning: If the pull request fixes a bug, verify that the change fixes the root cause of the bug rather than hiding or bypassing the problem

Applied to files:

  • .github/workflows/bot-ci-failure.yml
📚 Learning: 2026-02-24T16:24:55.443Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:22-22
Timestamp: 2026-02-24T16:24:55.443Z
Learning: In repositories within the OpenWISP organization, it is acceptable to reference reusable workflows from other OpenWISP-controlled repos using mutable refs (e.g., master) in .github/workflows. This is permissible due to the shared trust boundary within the organization. If applying this pattern, ensure the target repos are under the same organization and maintain awareness of potential breakages from upstream mutable refs; consider pinning to a tagged version for longer-term stability when appropriate.

Applied to files:

  • .github/workflows/bot-ci-failure.yml
🔇 Additional comments (3)
.github/workflows/bot-ci-failure.yml (3)

10-12: Good least-privilege workflow defaults.

Setting workflow-level token permissions to read-only is the right baseline and reduces blast radius for non-mutating jobs.


21-21: PR-event gate is correctly strict.

The failure && event == 'pull_request' condition keeps this workflow focused on open PR CI failures and avoids post-merge push runs.

Based on learnings: in openwisp/openwisp-controller, this workflow is intentionally limited to github.event.workflow_run.event == 'pull_request' and should not run on push to master.


72-75: Write permissions are correctly scoped to the reusable-bot job.

Granting pull-requests: write and actions: write only on call-ci-failure-bot preserves least privilege while enabling retry/comment operations where needed.


📝 Walkthrough

Walkthrough

The PR changes the GitHub Actions workflow .github/workflows/bot-ci-failure.yml. At workflow level the pull-requests permission was reduced from write to read while actions and contents remain read. The find-pr job now requires both github.event.workflow_run.conclusion == 'failure' and github.event.workflow_run.event == 'pull_request'. The reusable call-ci-failure-bot job invocation explicitly sets job-level permissions, granting pull-requests: write and actions: write while keeping contents: read.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly addresses the main changes: limiting bot execution to PR merges and enabling auto-retry capability.
Description check ✅ Passed The description covers the main changes and objectives, though the reference issue section is missing and test/documentation notes use informal N/A.
Bug Fixes ✅ Passed PR is categorized as enhancement, not a bug fix. GitHub Actions workflow changes have valid exception for impractical regression testing.

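The walkthrough above describes two changes: a read-only workflow-level `permissions` block with the write scopes moved onto the `call-ci-failure-bot` job, and the `find-pr` job gated on `workflow_run.conclusion == 'failure' && workflow_run.event == 'pull_request'`. The script below is an added example written for this page, not code from openwisp-controller or CodeRabbit. It models GitHub's permission-resolution rules (a job-level `permissions` block replaces the workflow-level one, and any scope it does not list becomes `none`) and audits a constructed before/after pair for workflow-level write scopes and ungated root jobs. The two sample workflows, the `uses:` target and the `gh` step are assumptions built from the walkthrough, not the project's real file.

```python
"""Audit GITHUB_TOKEN scoping and the workflow_run gate of a CI bot workflow.

Added example for this PR thread; it is not code from openwisp-controller.
It works on a workflow already parsed into a dict (what yaml.safe_load returns).
Both samples below are constructed from the PR walkthrough and the `uses:`
target is a placeholder, not the project's real reusable workflow.
"""
from __future__ import annotations

# Token scopes a workflow may set. GitHub sets every scope omitted from an
# explicit `permissions:` block to "none", which the audit models below.
SCOPES = ("actions", "checks", "contents", "id-token", "issues",
          "packages", "pull-requests", "security-events", "statuses")

# The gate the PR keeps on the find-pr job.
GATE = ("github.event.workflow_run.conclusion == 'failure' && "
        "github.event.workflow_run.event == 'pull_request'")


def _workflow(top_level: dict, bot_job_perms: dict | None) -> dict:
    """Constructed workflow with the two-job shape described in the PR."""
    bot_job = {"needs": "find-pr",
               "uses": "example-org/ci-bots/.github/workflows/bot.yml@main"}  # placeholder
    if bot_job_perms is not None:
        bot_job["permissions"] = bot_job_perms
    return {
        "on": {"workflow_run": {"workflows": ["CI"], "types": ["completed"]}},
        "permissions": top_level,
        "jobs": {
            "find-pr": {"if": GATE, "runs-on": "ubuntu-latest",
                        "steps": [{"run": "gh pr list --state open"}]},  # assumed step
            "call-ci-failure-bot": bot_job,
        },
    }


# Before: write scopes at workflow level, so every job's token carries them.
WORKFLOW_BEFORE = _workflow(
    {"actions": "write", "contents": "read", "pull-requests": "write"}, None)
# After: read-only baseline, write scopes only on the job that comments/retries.
WORKFLOW_AFTER = _workflow(
    {"actions": "read", "contents": "read", "pull-requests": "read"},
    {"contents": "read", "pull-requests": "write", "actions": "write"})


def _expand(block: dict | None) -> dict | None:
    """Normalise a permissions block: scopes it does not list become 'none'."""
    if block is None:
        return None
    return {scope: block.get(scope, "none") for scope in SCOPES}


def effective_permissions(workflow: dict, job: str) -> dict | None:
    """Scopes the job's token really has. A job-level block replaces the
    workflow-level block entirely; None means the repository default applies."""
    job_perms = _expand(workflow["jobs"][job].get("permissions"))
    return job_perms if job_perms is not None else _expand(workflow.get("permissions"))


def audit(workflow: dict) -> list[str]:
    """Least-privilege findings for a workflow_run-triggered bot workflow."""
    findings: list[str] = []
    top = workflow.get("permissions")
    if top is None:
        findings.append("no workflow-level permissions: repository default applies")
    else:
        for scope, level in top.items():
            if level == "write":
                findings.append(f"workflow-level '{scope}: write' reaches every job")
    for name, job in workflow["jobs"].items():
        # Dependents are skipped together with the gated job unless they use
        # always(), so only root jobs need the gate on the triggering run.
        if job.get("needs"):
            continue
        cond = job.get("if", "")
        if "workflow_run.conclusion" not in cond or "workflow_run.event" not in cond:
            findings.append(f"job '{name}' runs on any completed workflow_run")
    return findings


def should_run(workflow_run: dict) -> bool:
    """Python equivalent of GATE for a constructed workflow_run event payload."""
    return (workflow_run.get("conclusion") == "failure"
            and workflow_run.get("event") == "pull_request")


if __name__ == "__main__":
    for label, wf in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(f"{label}: {audit(wf) or 'no findings'}")
    print(effective_permissions(WORKFLOW_AFTER, "call-ci-failure-bot"))
    # A post-merge push run on master does not pass the gate.
    print(should_run({"conclusion": "failure", "event": "push", "head_branch": "master"}))
```

To run it against the real file, replace the constructed dicts with `yaml.safe_load(open(".github/workflows/bot-ci-failure.yml"))`. The gate and the read-only baseline matter together because `workflow_run` jobs execute in the base repository's context, with its secrets and token, even when the triggering run came from a fork pull request; the token should therefore start read-only and pick up `pull-requests: write` and `actions: write` only in the job that posts the comment or triggers the retry.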

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-ci-failure.yml:
- Line 11: The workflow currently sets a global `actions: write` permission;
remove that global `actions: write` and instead add `permissions: actions:
write` scoped to the `call-ci-failure-bot` job, while ensuring the `find-pr` job
uses only `permissions: actions: read` (or inherits default read) since it only
runs `gh pr view`, `gh api`, `gh pr list`. Locate the `actions: write` entry in
the top-level permissions, delete it, then add a `permissions` block under the
`call-ci-failure-bot` job with `actions: write` and keep `find-pr` job
permissions restricted to read.
- Line 21: The condition only triggers for workflow_run events with event ==
'pull_request', skipping merged-PR failures that produce a 'push' workflow_run;
update the if to catch both pull_request failures and post-merge pushes (e.g.
change the test to github.event.workflow_run.conclusion == 'failure' &&
(github.event.workflow_run.event == 'pull_request' ||
(github.event.workflow_run.event == 'push' &&
github.event.workflow_run.head_branch == 'master'))) so the bot also runs for CI
failures from merged PRs on master; apply this change to the existing if
expression in the workflow (referencing github.event.workflow_run.event,
github.event.workflow_run.conclusion and github.event.workflow_run.head_branch).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: dbf69c66-d0e5-4ad8-bfe3-2b8039124a31

📥 Commits

Reviewing files that changed from the base of the PR and between 8cf6733 and 3af59fe.

📒 Files selected for processing (1)
  • .github/workflows/bot-ci-failure.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: Python==3.12 | django~=5.1.0
  • GitHub Check: Python==3.12 | django~=5.2.0
  • GitHub Check: Python==3.13 | django~=5.2.0
  • GitHub Check: Python==3.10 | django~=5.2.0
  • GitHub Check: Python==3.12 | django~=4.2.0
  • GitHub Check: Python==3.11 | django~=5.2.0
  • GitHub Check: Python==3.11 | django~=5.1.0
  • GitHub Check: Python==3.13 | django~=5.1.0
  • GitHub Check: Python==3.10 | django~=5.1.0
  • GitHub Check: Python==3.10 | django~=4.2.0
  • GitHub Check: Python==3.11 | django~=4.2.0
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:31.829Z
Learning: Repository: openwisp/openwisp-controller
File/Area: .github/workflows/backport.yml (backport-on-comment condition)
Learning: Project policy is to restrict the backport trigger via issue comments to users with author_association "MEMBER" or "OWNER" only; "COLLABORATOR" is intentionally excluded (per maintainer feedback on PR `#1233`).
📚 Learning: 2026-02-24T16:25:20.080Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:35-35
Timestamp: 2026-02-24T16:25:20.080Z
Learning: In .github/workflows/backport.yml, enforce that backport-on-comment triggers only for users with author_association MEMBER or OWNER (COLLABORATOR excluded), reflecting maintainer feedback. Update the trigger condition to check author_association and restrict to MEMBERS/OWNERS; document rationale and PR `#1233` reference in code comments.

Applied to files:

  • .github/workflows/bot-ci-failure.yml
📚 Learning: 2026-02-24T16:24:55.443Z
Learnt from: nemesifier
Repo: openwisp/openwisp-controller PR: 1233
File: .github/workflows/backport.yml:22-22
Timestamp: 2026-02-24T16:24:55.443Z
Learning: In repositories within the OpenWISP organization, it is acceptable to reference reusable workflows from other OpenWISP-controlled repos using mutable refs (e.g., master) in .github/workflows. This is permissible due to the shared trust boundary within the organization. If applying this pattern, ensure the target repos are under the same organization and maintain awareness of potential breakages from upstream mutable refs; consider pinning to a tagged version for longer-term stability when appropriate.

Applied to files:

  • .github/workflows/bot-ci-failure.yml

@openwisp-companion

Prettier Formatting Failure

Hello @nemesifier,
(Analysis for commit 3af59fe)

The CI pipeline failed because of a Prettier formatting issue in the .github/workflows/bot-ci-failure.yml file.

Fix:
Run openwisp-qa-format to automatically fix the code style issues.

stktyagi and others added 2 commits March 19, 2026 21:38
Updated the failure bot caller with respect to new improvements.
@github-project-automation github-project-automation bot moved this from In progress to Reviewer approved in OpenWISP Priorities for next releases Mar 19, 2026
@openwisp-companion

Prettier Formatting Failure

Hello @nemesifier and @stktyagi,
(Analysis for commit 146b29b)

The CI failed because of a Prettier formatting issue in the .github/workflows/bot-ci-failure.yml file.

Fix:
Please run openwisp-qa-format to automatically fix the Prettier formatting issues.

@coveralls

Coverage Status

coverage: 98.658%, remained the same when pulling 8114ca3 on update-ci-failure-bot into 45b24b6 on master.


Labels

enhancement github actions Pull requests that update GitHub Actions code

Projects

Status: Reviewer approved

Development


3 participants