[chores] Added CI failure bot #391

Merged: nemesifier merged 3 commits into master from chores/add-ci-failure on Mar 27, 2026

@stktyagi (Member)

Added CI failure bot for netjsonconfig.

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Description of Changes

Added CI failure bot workflow

Added CI failure bot for netjsonconfig.

coderabbitai bot commented Mar 14, 2026

Warning

Rate limit exceeded

@stktyagi has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 25 seconds before requesting another review.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6196e5f7-63db-4144-b41f-280285d809e1

📥 Commits

Reviewing files that changed from the base of the PR and between a47c3ef and f5f23c4.

📒 Files selected for processing (1)
  • .github/workflows/bot-ci-failure.yml
📝 Walkthrough

A new GitHub Actions workflow (.github/workflows/bot-ci-failure.yml) is added to run when the "Netjsonconfig CI Build" workflow completes with failure. It contains two jobs: find-pr, which attempts multiple methods to resolve the associated PR number and author (payload, gh CLI, commits API, scanning open PRs), and call-ci-failure-bot, which, when a PR is found, invokes an external reusable workflow with PR details and required secrets.

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions (CI Failure Event)
    participant FindPR as find-pr Job
    participant API as GitHub API / gh CLI
    participant ReusableBot as Reusable Bot Workflow
    participant Bot as CI Failure Bot Handler

    GHA->>FindPR: Trigger on CI failure
    FindPR->>API: Inspect workflow payload for PR
    alt PR in payload
        API-->>FindPR: PR number
        FindPR->>API: gh pr view -> fetch author
        API-->>FindPR: PR author
    else PR not in payload
        FindPR->>API: Commits API query with head_sha
        alt PR found via commits API
            API-->>FindPR: PR number and author
        else no match
            FindPR->>API: Scan open PRs for head_sha
            API-->>FindPR: PR details or no-PR warning
        end
    end

    alt PR found
        FindPR->>ReusableBot: Call reusable workflow with pr_number, head_sha, repos, run_id, pr_author, actor
        ReusableBot->>Bot: Forward PR info + secrets
        Bot->>Bot: Process CI failure actions
        Bot-->>ReusableBot: Complete
        ReusableBot-->>GHA: Workflow done
    else no PR found
        FindPR-->>GHA: Emit warning / skip bot call
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • nemesifier
🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The description includes most required sections but lacks a reference to an existing issue/Closes statement and provides minimal detail in the 'Description of Changes' section. | Add 'Closes #' section and expand 'Description of Changes' with more specific details about the workflow's functionality and purpose. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title '[chores] Added CI failure bot' follows the required format with proper type prefix and clearly describes the main change of adding a CI failure bot workflow. |
| Bug Fixes | ✅ Passed | This pull request is a chore/feature addition that introduces a new CI failure bot GitHub Actions workflow, not a bug fix. |


coveralls commented Mar 14, 2026

Coverage Status

coverage: 99.18%. remained the same
when pulling f5f23c4 on chores/add-ci-failure
into 39b85dc on master.

coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/bot-ci-failure.yml:
- Line 71: Replace the mutable branch reference in the reusable workflow usage
(the line containing uses:
openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@master)
with a full immutable commit SHA from the openwisp-utils repository; locate that
line in .github/workflows/bot-ci-failure.yml and update the suffix `@master` to
@<full-commit-sha> (obtain the SHA from the openwisp-utils repo commit you want
to pin) so the workflow is pinned to an immutable revision.
- Around line 9-13: The workflow grants global pull-requests: write but the
find-pr job only needs read access; update the permissions so pull-requests:
write is removed from the top-level permissions block and instead added to the
call-ci-failure-bot job's permissions; locate the top-level permissions
declaration and the jobs named find-pr and call-ci-failure-bot and move the
pull-requests: write entry into the call-ci-failure-bot job (leaving find-pr and
other jobs with only read actions/contents as required) to enforce least
privilege.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1fe2eaef-d7c2-4111-9cea-eb709852cec8

📥 Commits

Reviewing files that changed from the base of the PR and between 39b85dc and abfd78c.

📒 Files selected for processing (1)
  • .github/workflows/bot-ci-failure.yml
📜 Review details
🔇 Additional comments (2)
.github/workflows/bot-ci-failure.yml (2)

3-7: Trigger configuration looks correct.

Good use of workflow_run scoped to Netjsonconfig CI Build; this keeps the bot tied to the intended CI pipeline.


33-66: PR resolution fallback chain is solid.

The payload → commits API → SHA scan sequence is resilient and avoids hard-failing when metadata is missing.

Moved pr write permission to caller from find-pr

coderabbitai bot left a comment

♻️ Duplicate comments (1)
.github/workflows/bot-ci-failure.yml (1)

76-76: ⚠️ Potential issue | 🟠 Major

Pin the reusable workflow to an immutable commit SHA.

The workflow references @master, which is mutable. Since this job passes sensitive secrets (GEMINI_API_KEY, bot credentials), pinning to a full commit SHA mitigates supply-chain risk from unexpected upstream changes.

-    uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@master
+    uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@<full-commit-sha>
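Review bot: the replacement `uses:` line still carries the `<full-commit-sha>` placeholder, so it cannot be applied as written, and once a real SHA is substituted nothing on the line records which upstream ref it came from. Suggest filling in the 40-character SHA and adding a trailing comment naming the source branch it was taken from, so later bumps of the pin can be audited against upstream history.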
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bot-ci-failure.yml at line 76, The reusable workflow
reference currently uses a mutable ref
("openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@master");
update that `uses:` entry to pin to an immutable commit SHA by replacing
`@master` with the full 40-character commit SHA from the upstream repo (obtain
the SHA from the openwisp-utils repo commit that you want to lock to) so the
workflow consumes a fixed commit instead of a branch.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e780f02c-ac9b-41c5-9c12-0eb51a7f61a9

📥 Commits

Reviewing files that changed from the base of the PR and between abfd78c and a47c3ef.

📒 Files selected for processing (1)
  • .github/workflows/bot-ci-failure.yml
📜 Review details
🔇 Additional comments (5)
.github/workflows/bot-ci-failure.yml (5)

3-7: LGTM!

The workflow trigger configuration correctly references "Netjsonconfig CI Build" which matches the actual CI workflow name in .github/workflows/ci.yml.


9-12: LGTM!

Top-level permissions correctly follow least-privilege by granting only read access. The pull-requests: write permission is appropriately scoped to only the call-ci-failure-bot job that needs it.


14-16: LGTM!

Good use of concurrency grouping with PR number fallback to head branch, preventing duplicate bot runs for the same CI failure.


19-67: LGTM!

The PR discovery logic is robust with a well-designed fallback chain: payload → commits API → open PR scan. The use of environment variables for user-controlled inputs (lines 28-32) avoids shell injection risks. Error handling with fallback to workflow_run.actor.login is appropriate.


77-88: LGTM!

Inputs are correctly sourced from the workflow_run event context, and secrets are properly mapped to the reusable workflow's expected parameter names.

coderabbitai bot previously approved these changes Mar 14, 2026
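
A minimal check for the pinning finding raised in the review above, as an added example that is not part of this PR or of OpenWISP's code: it scans workflow text for `uses:` references that are not pinned to a full 40-character commit SHA. The function name and the sample workflow are constructed for illustration; only the `@master` reference is taken from the review comment.

```python
import re

# Captures the value of a `uses:` key (step-level "- uses:" or job-level "uses:").
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_mutable_refs(workflow_text):
    """Return (line_no, target, ref) for each `uses:` not pinned to a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        value = match.group(1)
        # Local paths resolve inside the same commit; docker:// images are
        # pinned by digest, which is a separate check not covered here.
        if value.startswith("./") or value.startswith("docker://"):
            continue
        target, sep, ref = value.rpartition("@")
        if not sep:
            findings.append((line_no, value, ""))       # no ref at all
        elif not FULL_SHA_RE.match(ref):
            findings.append((line_no, target, ref))     # branch, tag or short SHA
    return findings


# Constructed sample workflow (not the real bot-ci-failure.yml). The 40-hex
# value on the last line is an obvious placeholder, not a real commit.
SAMPLE = """\
jobs:
  find-pr:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-helper
  call-ci-failure-bot:
    uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@master
  pinned-example:
    uses: example-org/example-repo/.github/workflows/reusable.yml@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for line_no, target, ref in find_mutable_refs(SAMPLE):
        print(f"line {line_no}: {target} uses mutable ref {ref!r}")
```

Tags and branches are both reported because either can be moved to a different commit upstream; a short SHA is reported as well since it is not the full immutable identifier.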
Updated ci failure bot for enhancements and scoping.

@stktyagi (Member, Author)

@coderabbitai review

coderabbitai bot commented Mar 24, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@nemesifier nemesifier merged commit e7c2f6a into master Mar 27, 2026
10 checks passed
@nemesifier nemesifier deleted the chores/add-ci-failure branch March 27, 2026 15:50