[ci] Updated CI failure bot caller: permissions, PR author #606

Merged
nemesifier merged 1 commit into master from chores/improve-ci-failure-bot on Mar 24, 2026

Conversation

Member

@stktyagi stktyagi commented Mar 24, 2026

Added enhancements and fixed scoping

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Description of Changes

Added enhancements to CI failure bot and fixed scoping.

Added enhancements and fixed scoping

coderabbitai bot commented Mar 24, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between fab8fc4 and 63db3f6.

📒 Files selected for processing (1)
  • .github/workflows/bot-ci-failure.yml
Recent review details

Additional comments (4) on .github/workflows/bot-ci-failure.yml:

9-12: Good security improvement: reducing top-level permissions.

Downgrading pull-requests from write to read at the workflow level follows the principle of least privilege. Write access is correctly scoped to only the job that requires it.

21-21: LGTM: Tightened trigger condition.

Adding the event == 'pull_request' check ensures the bot only processes failures from PR-triggered workflow runs, avoiding unnecessary execution for push events or other triggers.

37-38: LGTM: Defensive null handling.

The // empty jq idiom combined with the shell-level empty and "null" string checks provides robust handling of edge cases where author information may be unavailable or malformed.

71-74: Change actions: write to actions: read.

The reusable workflow at openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@master declares permissions: { actions: read, ... }. The calling workflow here grants actions: write, which is over-permissioning; the bot only needs to read workflow run logs via the GitHub API, not manage workflow runs.

Walkthrough

This pull request modifies the .github/workflows/bot-ci-failure.yml GitHub Actions workflow file with security and conditional logic improvements. The changes reduce top-level repository permissions by downgrading pull-requests from write to read, while adding specific job-level permissions to the call-ci-failure-bot job that allow it to perform necessary write operations. The find-pr job trigger condition is tightened to only execute on pull_request events, and the PR author extraction logic is refined to handle edge cases with a safer jq expression and additional null-string validation.

Estimated code review effort: 2 (Simple), ~8 minutes

Possibly related PRs

  • [ci] Added CI failure bot #605: Directly modifies the same workflow file with related changes to the find-pr and call-ci-failure-bot jobs, including PR author extraction adjustments and permission modifications.

Suggested reviewers

  • nemesifier

Pre-merge checks: 2 passed, 1 inconclusive

Failed checks (1 inconclusive)

  • Description check: Inconclusive. The pull request description is missing the 'Reference to Existing Issue' section and 'Screenshot' section, though the core sections are present and checklist items are addressed. Resolution: consider adding the missing 'Reference to Existing Issue' section to link to the related GitHub issue and include the 'Screenshot' section if applicable to the changes.

Passed checks (2 passed)

  • Title check: Passed. The title '[chores] Improved CI failure bot' follows the required format with proper type prefix and clearly describes the main change in the pull request.
  • Bug Fixes: Passed. PR modifies GitHub Actions workflow file, which is explicitly listed as a valid exception for regression testing requirements.

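An illustrative caller workflow, added here as an example and not the project's actual bot-ci-failure.yml, that puts the four review points above together: read-only top-level permissions, write access scoped to the one job that comments on the PR, the pull_request trigger guard, and the jq `// empty` idiom backed by shell checks for an empty or literal "null" author. The watched workflow name, the step id and the reusable workflow's input names are assumptions.

```yaml
on:
  workflow_run:
    workflows: ["CI"]        # assumed name of the watched CI workflow
    types: [completed]

# Top level is read-only; no job inherits write access it did not ask for.
permissions:
  contents: read
  pull-requests: read

jobs:
  find-pr:
    # Only failed runs that a pull request triggered; push runs are ignored.
    if: >-
      github.event.workflow_run.conclusion == 'failure' &&
      github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-latest
    outputs:
      pr_number: ${{ steps.pr.outputs.number }}
      pr_author: ${{ steps.pr.outputs.author }}
    steps:
      - id: pr
        env:
          GH_TOKEN: ${{ github.token }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          # Look up the PR by the failed run's head commit. `// empty` makes jq
          # print nothing (rather than the string "null") when a field is absent.
          pr_json="$(gh api "repos/${GITHUB_REPOSITORY}/commits/${HEAD_SHA}/pulls")"
          number="$(printf '%s' "$pr_json" | jq -r '.[0].number // empty')"
          author="$(printf '%s' "$pr_json" | jq -r '.[0].user.login // empty')"
          # A malformed payload could still yield a literal "null"; reject that too.
          if [ -z "$number" ] || [ -z "$author" ] || [ "$author" = "null" ]; then
            exit 0
          fi
          echo "number=$number" >> "$GITHUB_OUTPUT"
          echo "author=$author" >> "$GITHUB_OUTPUT"

  call-ci-failure-bot:
    needs: find-pr
    if: needs.find-pr.outputs.pr_number != ''
    # Write access only on the job that comments on the PR; logs need read only.
    permissions:
      pull-requests: write
      actions: read
    uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@master
    with:   # input names are assumptions, not the reusable workflow's real ones
      pr_number: ${{ needs.find-pr.outputs.pr_number }}
      pr_author: ${{ needs.find-pr.outputs.pr_author }}
    secrets: inherit
```

Job-level `permissions` on a `uses:` job replace the top-level block entirely, so the calling job lists every scope the reusable workflow needs and nothing more.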

@nemesifier nemesifier added the github_actions Pull requests that update GitHub Actions code label Mar 24, 2026
@nemesifier nemesifier merged commit 28586d5 into master Mar 24, 2026
6 checks passed
@nemesifier nemesifier deleted the chores/improve-ci-failure-bot branch March 24, 2026 20:04
@nemesifier nemesifier changed the title [chores] Improved CI failure bot [ci] Updated CI failure bot caller: permissions, PR author Mar 24, 2026