[ci:fix] Resolved issues with changelog bot for fork PRs

Co-authored-by: Federico Capoano <f.capoano@openwisp.io>

Author: pushpitkamboj

.github/workflows/bot-changelog-runner.yml

@@ -0,0 +1,51 @@
+name: Changelog Bot Runner
+
+on:
+  workflow_run:
+    workflows: ["Changelog Bot Trigger"]
+    types:
+      - completed
+
+permissions:
+  actions: read
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  fetch-metadata:
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.conclusion == 'success'
+    outputs:
+      pr_number: ${{ steps.metadata.outputs.pr_number }}
+    steps:
+      - name: Download PR metadata
+        id: download
+        uses: actions/download-artifact@v4
+        with:
+          name: changelog-metadata
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+        continue-on-error: true
+
+      - name: Read PR metadata
+        if: steps.download.outcome == 'success'
+        id: metadata
+        run: |
+          PR_NUMBER=$(cat pr_number)
+          if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
+            echo "::error::Invalid PR number: $PR_NUMBER"
+            exit 1
+          fi
+          echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+
+  changelog:
+    needs: fetch-metadata
+    if: needs.fetch-metadata.outputs.pr_number != ''
+    uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master
+    with:
+      pr_number: ${{ needs.fetch-metadata.outputs.pr_number }}
+    secrets:
+      GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
+      OPENWISP_BOT_APP_ID: ${{ secrets.OPENWISP_BOT_APP_ID }}
+      OPENWISP_BOT_PRIVATE_KEY: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }}

.github/workflows/bot-changelog-trigger.yml

@@ -0,0 +1,36 @@
+name: Changelog Bot Trigger
+
+on:
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  check:
+    if: |
+      github.event.review.state == 'approved' &&
+      (github.event.review.author_association == 'OWNER' ||
+        github.event.review.author_association == 'MEMBER' ||
+        github.event.review.author_association == 'COLLABORATOR')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for noteworthy PR
+        id: check
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
+        run: |
+          if echo "$PR_TITLE" | grep -qiE '^\[(feature|fix|change)\]'; then
+            echo "has_noteworthy=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Save PR metadata
+        if: steps.check.outputs.has_noteworthy == 'true'
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: echo "$PR_NUMBER" > pr_number
+
+      - name: Upload PR metadata
+        if: steps.check.outputs.has_noteworthy == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: changelog-metadata
+          path: pr_number

.github/workflows/bot-changelog.yml

@@ -2,6 +2,11 @@ name: Reusable Changelog Bot
 
 on:
   workflow_call:
+    inputs:
+      pr_number:
+        description: "Pull request number"
+        required: true
+        type: string
     secrets:
       GEMINI_API_KEY:
         description: "Google Gemini API key"
@@ -15,13 +20,6 @@ on:
 
 jobs:
   generate-changelog:
-    # Trigger only when PR is approved
-    if: |
-      github.event_name == 'pull_request_review' &&
-      github.event.review.state == 'approved' &&
-      (github.event.review.author_association == 'OWNER' ||
-       github.event.review.author_association == 'MEMBER' ||
-       github.event.review.author_association == 'COLLABORATOR')
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -32,31 +30,17 @@ jobs:
       - name: Checkout PR repository
         uses: actions/checkout@v6
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: refs/pull/${{ inputs.pr_number }}/head
           fetch-depth: 0
 
-      - name: Check for noteworthy commits
-        id: check-commits
-        env:
-          PR_TITLE: ${{ github.event.pull_request.title }}
-        run: |
-          echo "pr_number=${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
-          if echo "$PR_TITLE" | grep -qiE '^\[(feature|fix|change)\]'; then
-            echo "has_noteworthy=true" >> $GITHUB_OUTPUT
-          else
-            echo "has_noteworthy=false" >> $GITHUB_OUTPUT
-          fi
-
       - name: Generate App Token
-        if: steps.check-commits.outputs.has_noteworthy == 'true'
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ secrets.OPENWISP_BOT_APP_ID }}
           private-key: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }}
 
       - name: Checkout openwisp-utils for action
-        if: steps.check-commits.outputs.has_noteworthy == 'true'
         uses: actions/checkout@v6
         with:
           repository: openwisp/openwisp-utils
@@ -66,10 +50,9 @@ jobs:
           path: openwisp-utils-action
 
       - name: Generate changelog
-        if: steps.check-commits.outputs.has_noteworthy == 'true'
         uses: ./openwisp-utils-action/.github/actions/bot-changelog-generator
         with:
           github-token: ${{ steps.app-token.outputs.token }}
           gemini-api-key: ${{ secrets.GEMINI_API_KEY }}
-          pr-number: ${{ steps.check-commits.outputs.pr_number }}
+          pr-number: ${{ inputs.pr_number }}
           repo-name: ${{ github.repository }}

.github/workflows/reusable-bot-changelog.yml

@@ -472,28 +472,137 @@ maintainer. It analyzes the PR's title, description, code changes, and
 linked issues, then posts a properly formatted changelog entry as a
 comment on the PR.
 
+The bot uses a two-workflow pattern to support PRs from forks. The first
+workflow is triggered by ``pull_request_review``: it checks whether the PR
+qualifies and uploads the PR number as an artifact, but requires no
+secrets. The second workflow executes via ``workflow_run`` once the first
+completes: it runs in the context of the base repository, has full access
+to secrets, and is the one that generates and posts the changelog comment.
+
 **Secrets**
 
 - ``GEMINI_API_KEY`` (required): Google Gemini API key.
 - ``OPENWISP_BOT_APP_ID`` (required): OpenWISP Bot GitHub App ID.
 - ``OPENWISP_BOT_PRIVATE_KEY`` (required): OpenWISP Bot GitHub App private
   key.
 
-**Usage Example**
+**Setup for Other Repositories**
 
-To enable the changelog bot in any OpenWISP repository, create a workflow
-file at ``.github/workflows/changelog-bot.yml``:
+To enable the changelog bot in any OpenWISP repository, create the
+following two workflow files.
+
+**1. Trigger** (``.github/workflows/bot-changelog-trigger.yml``)
+
+This workflow fires on PR approval, checks if the PR is noteworthy, and
+uploads the PR number as an artifact for the runner to pick up.
 
 .. code-block:: yaml
 
-    name: Changelog Bot
+    name: Changelog Bot Trigger
+
     on:
       pull_request_review:
         types: [submitted]
+
+    jobs:
+      check:
+        if: |
+          github.event.review.state == 'approved' &&
+          (github.event.review.author_association == 'OWNER' ||
+            github.event.review.author_association == 'MEMBER' ||
+            github.event.review.author_association == 'COLLABORATOR')
+        runs-on: ubuntu-latest
+        steps:
+          - name: Check for noteworthy PR
+            id: check
+            env:
+              PR_TITLE: ${{ github.event.pull_request.title }}
+            run: |
+              if echo "$PR_TITLE" | grep -qiE '^\[(feature|fix|change)\]'; then
+                echo "has_noteworthy=true" >> $GITHUB_OUTPUT
+              fi
+
+          - name: Save PR metadata
+            if: steps.check.outputs.has_noteworthy == 'true'
+            env:
+              PR_NUMBER: ${{ github.event.pull_request.number }}
+            run: echo "$PR_NUMBER" > pr_number
+
+          - name: Upload PR metadata
+            if: steps.check.outputs.has_noteworthy == 'true'
+            uses: actions/upload-artifact@v4
+            with:
+              name: changelog-metadata
+              path: pr_number
+
+**2. Runner** (``.github/workflows/bot-changelog-runner.yml``)
+
+This workflow triggers after the trigger completes, downloads the
+artifact, and calls the reusable workflow with full secret access.
+
+.. code-block:: yaml
+
+    name: Changelog Bot Runner
+
+    on:
+      workflow_run:
+        workflows: ["Changelog Bot Trigger"]
+        types:
+          - completed
+
+    permissions:
+      actions: read
+      contents: read
+      pull-requests: write
+      issues: write
+
     jobs:
+      fetch-metadata:
+        runs-on: ubuntu-latest
+        if: github.event.workflow_run.conclusion == 'success'
+        outputs:
+          pr_number: ${{ steps.metadata.outputs.pr_number }}
+        steps:
+          - name: Download PR metadata
+            id: download
+            uses: actions/download-artifact@v4
+            with:
+              name: changelog-metadata
+              github-token: ${{ secrets.GITHUB_TOKEN }}
+              run-id: ${{ github.event.workflow_run.id }}
+            continue-on-error: true
+
+          - name: Read PR metadata
+            if: steps.download.outcome == 'success'
+            id: metadata
+            run: |
+              PR_NUMBER=$(cat pr_number)
+              if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
+                echo "::error::Invalid PR number: $PR_NUMBER"
+                exit 1
+              fi
+              echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+
       changelog:
+        needs: fetch-metadata
+        if: needs.fetch-metadata.outputs.pr_number != ''
         uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-changelog.yml@master
+        with:
+          pr_number: ${{ needs.fetch-metadata.outputs.pr_number }}
         secrets:
           GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
           OPENWISP_BOT_APP_ID: ${{ secrets.OPENWISP_BOT_APP_ID }}
           OPENWISP_BOT_PRIVATE_KEY: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }}
+
+.. note::
+
+    The ``name`` field in the trigger workflow must be exactly ``Changelog
+    Bot Trigger``. The runner watches for this name via ``workflow_run``.
+    Changing it will silently break the connection between the two
+    workflows.
+
+    Both ``bot-changelog-trigger.yml`` and ``bot-changelog-runner.yml``
+    must be committed to the **default branch** of the repository. GitHub
+    only activates ``workflow_run`` listeners that exist on the default
+    branch: adding the runner only to a feature branch will cause it to
+    silently do nothing.