[ci] CI Failure Bot: run only on pull requests + OSError transient marker

[nemesifier]

Checklist

• I have read the OpenWISP Contributing Guidelines.
• I have manually tested the changes proposed in this pull request.
• N/A I have written new test cases for new code and/or updated existing tests for changes to existing code.
• N/A I have updated the documentation.

Reference to Existing Issue

Related to #161

Description of Changes

• Changed caller to only run on pull requests, updated docs
• Added transient failure marker for ERROR: Could not install packages due to an OSError

CC @stktyagi

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c019202e-235d-43ac-a95f-6212f14b3c32

📥 Commits

Reviewing files that changed from the base of the PR and between ee41a27 and e1d24be.

📒 Files selected for processing (3)

• .github/actions/bot-ci-failure/analyze_failure.py
• .github/workflows/bot-ci-failure.yml
• docs/developer/reusable-github-utils.rst

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: Python==3.10 | django~=5.0.0
• GitHub Check: Python==3.10 | django~=5.2.0
• GitHub Check: Python==3.11 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=5.0.0
• GitHub Check: Python==3.12 | django~=5.2.0
• GitHub Check: Python==3.13 | django~=5.2.0
• GitHub Check: Python==3.11 | django~=5.0.0
• GitHub Check: Python==3.12 | django~=4.2.0
• GitHub Check: Python==3.11 | django~=4.2.0
• GitHub Check: Python==3.10 | django~=5.1.0
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (python)
• GitHub Check: Analyze (actions)

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: pushpitkamboj
Repo: openwisp/openwisp-utils PR: 584
File: .github/workflows/reusable-bot-changelog.yml:49-49
Timestamp: 2026-03-05T09:38:10.320Z
Learning: In openwisp-utils, PR title prefixes are strictly limited to `[feature]`, `[fix]`, and `[change]` (exact bracketed tags, no scoping/sub-types). The regex `^\[(feature|fix|change)\]` in `.github/workflows/reusable-bot-changelog.yml` is intentional and correct — scoped variants like `[feature/bots]` are not valid and should not be matched.

📚 Learning: 2026-03-05T14:23:55.528Z

Learnt from: nemesifier
Repo: openwisp/openwisp-utils PR: 584
File: .github/workflows/reusable-bot-changelog.yml:22-24
Timestamp: 2026-03-05T14:23:55.528Z
Learning: In `.github/workflows/reusable-bot-changelog.yml`, the maintainer (nemesifier) has explicitly decided that `github.event.review.author_association == 'COLLABORATOR'` should be allowed (alongside `OWNER` and `MEMBER`) to trigger the changelog bot workflow. The rationale is that the workflow is non-destructive and only posts a PR comment — it cannot make code changes. Do not flag `COLLABORATOR` as a security issue for this workflow.

Applied to files:

• .github/workflows/bot-ci-failure.yml

📚 Learning: 2026-03-05T09:38:10.320Z

Learnt from: pushpitkamboj
Repo: openwisp/openwisp-utils PR: 584
File: .github/workflows/reusable-bot-changelog.yml:49-49
Timestamp: 2026-03-05T09:38:10.320Z
Learning: In openwisp-utils, PR title prefixes are strictly limited to `[feature]`, `[fix]`, and `[change]` (exact bracketed tags, no scoping/sub-types). The regex `^\[(feature|fix|change)\]` in `.github/workflows/reusable-bot-changelog.yml` is intentional and correct — scoped variants like `[feature/bots]` are not valid and should not be matched.

Applied to files:

• .github/workflows/bot-ci-failure.yml

📚 Learning: 2026-03-05T09:59:22.581Z

Learnt from: pushpitkamboj
Repo: openwisp/openwisp-utils PR: 584
File: .github/actions/bot-changelog-generator/generate_changelog.py:356-364
Timestamp: 2026-03-05T09:59:22.581Z
Learning: In `.github/actions/bot-changelog-generator/generate_changelog.py`, the `validate_changelog_output` function's purpose is to act as an output safety filter — ensuring no sensitive information or arbitrary LLM-generated text gets posted as a PR comment. It checks that the output starts with a valid tag ([feature]/[fix]/[change]) and contains a correctly structured PR reference pattern. It is NOT intended to strictly validate that the referenced PR number/URL matches the current PR.

Applied to files:

• .github/workflows/bot-ci-failure.yml

🔇 Additional comments (3)

docs/developer/reusable-github-utils.rst (1)

397-397: LGTM!

The documentation correctly reflects the new guard condition that restricts the CI Failure Bot to only run on pull request events. This is consistent with the actual workflow implementation.

.github/actions/bot-ci-failure/analyze_failure.py (1)

33-33: LGTM!

The new transient failure marker for pip OSError is appropriate. This error commonly occurs due to temporary network issues, server-side errors, or resource constraints during package installation. The marker string is specific enough to avoid false positives while catching genuine transient failures.

.github/workflows/bot-ci-failure.yml (1)

21-21: LGTM!

The guard correctly restricts the CI Failure Bot to pull request events only. This is appropriate because:

1. The bot's purpose is to help PR contributors debug failures
2. Direct pushes to master/1.1 branches (per .github/workflows/ci.yml) are typically by maintainers who don't need automated assistance
3. Push-triggered workflow runs don't have associated PRs to post comments on

---

📝 Walkthrough

Walkthrough

This pull request makes three related changes to the CI failure handling system. A new transient failure marker for OSError during package installation is added to the failure detection logic. The bot-ci-failure workflow and its documentation are updated to restrict the failure detection to pull request events specifically, by adding a guard condition to verify the event type is 'pull_request' in addition to checking for workflow failure conclusion.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• [ci:fix] CI Failure bot refinements #624: Adds transient failure markers and workflow event guards to the same bot-ci-failure infrastructure
• [chores:fix] Fixed CI failure bot retry and narrowed down transient error identifiers #626: Modifies the TRANSIENT_FAILURE_MARKERS set in analyze_failure.py alongside main PR's marker addition
• [fix] Fixed context scope to prevent hallucinations #607: Updates bot-ci-failure tooling and workflow inputs in parallel with this PR's changes

Suggested labels

github_actions, helper-bots

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title correctly uses the [ci] prefix, is descriptive, and accurately summarizes both main changes: restricting CI failure bot to pull requests and adding an OSError transient marker.
Description check	✅ Passed	The description covers the key changes and includes required checklist, issue reference, and change description. However, test and documentation updates are marked N/A without justification.
Bug Fixes	✅ Passed	This pull request is a CI/CD infrastructure enhancement affecting only GitHub Actions workflows, not core user-facing functionality, making regression tests inapplicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci-failure-refinements

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coveralls]

coverage: 97.348%. remained the same
when pulling e1d24be on ci-failure-refinements
into ee41a27 on master.