[chores] Cache CI bot dependencies #628 #629

Open
czarflix wants to merge 1 commit into openwisp:master from czarflix:codex/issue-628-cache-bot-deps

@czarflix

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Reference to Existing Issue

Closes #628.

Description of Changes

  • enabled pip caching for the bot workflows that install openwisp-utils[github_actions], using setup.py as the cache invalidation key
  • added cache support to the changelog composite action without changing its install command, and passed a workspace-relative dependency path from the reusable workflow
  • updated the changelog workflow sparse checkout to include setup.py so the cache key is available there as well

Local validation:

  • git diff --check
  • actionlint .github/workflows/*.yml
  • act validation covering the repo-root, nested checkout, trusted_scripts, sparse checkout, and composite-action caller-path shapes

Screenshot

N/A, workflow-only change.

@coderabbitai

coderabbitai bot commented Mar 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1609ac2d-4226-4843-8bf5-c24b65c09164

📥 Commits

Reviewing files that changed from the base of the PR and between 742972a and 92914fd.

📒 Files selected for processing (8)
  • .github/actions/bot-changelog-generator/action.yml
  • .github/workflows/bot-autoassign-issue.yml
  • .github/workflows/bot-autoassign-pr-issue-link.yml
  • .github/workflows/bot-autoassign-pr-reopen.yml
  • .github/workflows/bot-autoassign-stale-pr.yml
  • .github/workflows/reusable-bot-autoassign.yml
  • .github/workflows/reusable-bot-changelog.yml
  • .github/workflows/reusable-bot-ci-failure.yml
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)
  • GitHub Check: Python==3.10 | django~=5.1.0
  • GitHub Check: Python==3.11 | django~=5.2.0
  • GitHub Check: Python==3.13 | django~=5.2.0
  • GitHub Check: Python==3.12 | django~=5.1.0
  • GitHub Check: Python==3.11 | django~=4.2.0
  • GitHub Check: Python==3.13 | django~=5.1.0
  • GitHub Check: Python==3.10 | django~=5.0.0
  • GitHub Check: Python==3.12 | django~=5.0.0
  • GitHub Check: Python==3.11 | django~=5.0.0
  • GitHub Check: Python==3.11 | django~=5.1.0
  • GitHub Check: Python==3.12 | django~=5.2.0
  • GitHub Check: Python==3.10 | django~=5.2.0
🧰 Additional context used
🧠 Learnings (4)
📚 Learning: 2026-03-05T20:55:29.968Z
Learnt from: nemesifier
Repo: openwisp/openwisp-utils PR: 0
File: :0-0
Timestamp: 2026-03-05T20:55:29.968Z
Learning: For the openwisp/openwisp-utils repository (and the broader openwisp org), the maintainers have explicitly decided to use mutable version tags (e.g. `v2`, `v6`) for GitHub Actions and to use `ref: master` for internal script checkouts. Do NOT flag unpinned action versions or `master`/version-tag usage as security issues in any openwisp-utils workflow file. The maintainers are aware of the trade-offs and are intentionally fine with this approach.

Applied to files:

  • .github/actions/bot-changelog-generator/action.yml
  • .github/workflows/reusable-bot-changelog.yml
📚 Learning: 2026-03-05T09:38:10.320Z
Learnt from: pushpitkamboj
Repo: openwisp/openwisp-utils PR: 584
File: .github/workflows/reusable-bot-changelog.yml:49-49
Timestamp: 2026-03-05T09:38:10.320Z
Learning: In openwisp-utils, PR title prefixes are strictly limited to `[feature]`, `[fix]`, and `[change]` (exact bracketed tags, no scoping/sub-types). The regex `^\[(feature|fix|change)\]` in `.github/workflows/reusable-bot-changelog.yml` is intentional and correct — scoped variants like `[feature/bots]` are not valid and should not be matched.

Applied to files:

  • .github/workflows/reusable-bot-changelog.yml
📚 Learning: 2026-03-05T14:23:55.528Z
Learnt from: nemesifier
Repo: openwisp/openwisp-utils PR: 584
File: .github/workflows/reusable-bot-changelog.yml:22-24
Timestamp: 2026-03-05T14:23:55.528Z
Learning: In `.github/workflows/reusable-bot-changelog.yml`, the maintainer (nemesifier) has explicitly decided that `github.event.review.author_association == 'COLLABORATOR'` should be allowed (alongside `OWNER` and `MEMBER`) to trigger the changelog bot workflow. The rationale is that the workflow is non-destructive and only posts a PR comment — it cannot make code changes. Do not flag `COLLABORATOR` as a security issue for this workflow.

Applied to files:

  • .github/workflows/reusable-bot-changelog.yml
📚 Learning: 2026-03-05T09:59:22.581Z
Learnt from: pushpitkamboj
Repo: openwisp/openwisp-utils PR: 584
File: .github/actions/bot-changelog-generator/generate_changelog.py:356-364
Timestamp: 2026-03-05T09:59:22.581Z
Learning: In `.github/actions/bot-changelog-generator/generate_changelog.py`, the `validate_changelog_output` function's purpose is to act as an output safety filter — ensuring no sensitive information or arbitrary LLM-generated text gets posted as a PR comment. It checks that the output starts with a valid tag ([feature]/[fix]/[change]) and contains a correctly structured PR reference pattern. It is NOT intended to strictly validate that the referenced PR number/URL matches the current PR.

Applied to files:

  • .github/workflows/reusable-bot-changelog.yml
🔇 Additional comments (11)
.github/workflows/bot-autoassign-issue.yml (1)

34-35: LGTM!

The pip caching configuration is correctly set up with setup.py as the cache key, which aligns with the PR objectives to cache CI bot dependencies.

.github/workflows/reusable-bot-autoassign.yml (1)

38-39: LGTM!

The cache-dependency-path correctly references openwisp-utils/setup.py matching the checkout path at line 32.

.github/workflows/bot-autoassign-stale-pr.yml (1)

35-36: LGTM!

Pip caching configuration is consistent with other bot workflows.

.github/workflows/reusable-bot-ci-failure.yml (1)

71-72: LGTM!

The cache-dependency-path correctly references trusted_scripts/setup.py matching the checkout path at line 56.

.github/workflows/bot-autoassign-pr-reopen.yml (2)

37-38: LGTM!

Pip caching correctly configured for the reassign-on-reopen job.


70-71: LGTM!

Pip caching correctly configured for the handle-pr-activity job, consistent with the first job in this workflow.

.github/workflows/bot-autoassign-pr-issue-link.yml (1)

35-36: LGTM!

Pip caching configuration is consistent with other bot workflows in this PR.

.github/workflows/reusable-bot-changelog.yml (2)

64-67: LGTM!

Good addition of setup.py to the sparse-checkout. This ensures the cache key file is available in the openwisp-utils-action directory for the composite action to use.


73-73: LGTM!

The cache-dependency-path correctly references the workspace-relative path openwisp-utils-action/setup.py, matching the checkout path configured at line 67.

.github/actions/bot-changelog-generator/action.yml (2)

18-21: LGTM!

Clean input design with an optional cache-dependency-path that defaults to empty string, allowing callers to opt-in to caching.


26-38: Version inconsistency already flagged in a previous review.

The conditional branching logic for cached vs non-cached Python setup is correct. The actions/setup-python@v5 vs @v6 inconsistency with other workflow files in this PR has already been raised in a prior review comment.


📝 Walkthrough

Walkthrough

Adds pip dependency caching to CI workflows and the bot-changelog-generator action. Introduces a new action input cache-dependency-path and conditional Python setup steps: when cache-dependency-path is non-empty the workflow uses actions/setup-python with pip caching; otherwise it runs the original setup step. Multiple workflow files were updated to set cache: "pip" and appropriate cache-dependency-path values (typically setup.py paths). The reusable changelog workflow now sparse-checkouts the action's setup.py and passes it to the action.

Sequence Diagram(s)

sequenceDiagram
  participant Runner as Runner
  participant Workflow as Workflow Job
  participant Action as bot-changelog-generator Action
  participant SetupPy as actions/setup-python
  participant Cache as Cache Store

  Runner->>Workflow: start job
  Workflow->>Action: call bot-changelog-generator (input: cache-dependency-path)
  alt cache-dependency-path != ""
    Workflow->>SetupPy: setup-python (cache: "pip", cache-dependency-path)
    SetupPy->>Cache: lookup cache(key from cache-dependency-path)
    alt cache hit
      Cache-->>SetupPy: restore cache
    else cache miss
      SetupPy-->>Cache: populate cache after install
    end
  else cache-dependency-path == ""
    Workflow->>SetupPy: setup-python (no pip cache)
  end
  SetupPy-->>Action: python env ready
  Action-->>Workflow: run remaining steps
  Workflow-->>Runner: finish job

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • nemesifier
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title uses the required [chores] type prefix, is descriptive about caching CI bot dependencies, and references the issue number #628 as required.
Description check | ✅ Passed | The description follows the template with completed checklist items, linked issue reference, and detailed changes. However, test and documentation updates are marked as not completed.
Linked Issues check | ✅ Passed | The PR fully implements the objective from issue #628 by adding pip caching to bot workflows using setup.py as the cache key, with validation performed across multiple scenarios.
Out of Scope Changes check | ✅ Passed | All changes are focused on implementing pip caching across GitHub Actions workflows and the changelog composite action, directly aligned with the caching objective in issue #628.
Bug Fixes | ✅ Passed | This PR is a performance optimization for GitHub Actions CI workflows, which falls within the explicit exception for fixes affecting GitHub Actions workflows.

@coderabbitai coderabbitai bot added enhancement github_actions Pull requests that update GitHub Actions code helper-bots Helper bots, release management automation labels Mar 17, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/actions/bot-changelog-generator/action.yml:
- Around line 26-38: Update the composite action steps that currently reference
"uses: actions/setup-python@v5" to use "@v6" for consistency with the rest of
the repo; specifically modify both occurrences of the "uses:
actions/setup-python@v5" lines in the steps that handle the cache (with
cache-dependency-path) and the non-cache branch so they read "uses:
actions/setup-python@v6", leaving the existing with: keys (python-version,
cache, cache-dependency-path) unchanged.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d2e1d5b0-85b6-4a72-b22b-62277fea74a7

📥 Commits

Reviewing files that changed from the base of the PR and between e1d24be and 742972a.

📒 Files selected for processing (8)
  • .github/actions/bot-changelog-generator/action.yml
  • .github/workflows/bot-autoassign-issue.yml
  • .github/workflows/bot-autoassign-pr-issue-link.yml
  • .github/workflows/bot-autoassign-pr-reopen.yml
  • .github/workflows/bot-autoassign-stale-pr.yml
  • .github/workflows/reusable-bot-autoassign.yml
  • .github/workflows/reusable-bot-changelog.yml
  • .github/workflows/reusable-bot-ci-failure.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: Python==3.10 | django~=5.1.0
  • GitHub Check: Python==3.10 | django~=5.0.0
  • GitHub Check: Python==3.12 | django~=4.2.0
  • GitHub Check: Python==3.12 | django~=5.0.0
  • GitHub Check: Python==3.11 | django~=5.2.0
  • GitHub Check: Python==3.11 | django~=5.1.0
  • GitHub Check: Python==3.11 | django~=5.0.0
  • GitHub Check: Python==3.11 | django~=4.2.0
🧰 Additional context used
🧠 Learnings (4)
📚 Learning: 2026-03-05T09:38:10.320Z
Learnt from: pushpitkamboj
Repo: openwisp/openwisp-utils PR: 584
File: .github/workflows/reusable-bot-changelog.yml:49-49
Timestamp: 2026-03-05T09:38:10.320Z
Learning: In openwisp-utils, PR title prefixes are strictly limited to `[feature]`, `[fix]`, and `[change]` (exact bracketed tags, no scoping/sub-types). The regex `^\[(feature|fix|change)\]` in `.github/workflows/reusable-bot-changelog.yml` is intentional and correct — scoped variants like `[feature/bots]` are not valid and should not be matched.

Applied to files:

  • .github/workflows/reusable-bot-changelog.yml
📚 Learning: 2026-02-06T20:46:32.980Z
Learnt from: nemesifier
Repo: openwisp/openwisp-utils PR: 560
File: openwisp_utils/commitizen/openwisp.py:9-25
Timestamp: 2026-02-06T20:46:32.980Z
Learning: In openwisp-utils, the commit message prefix "chores" (plural) is intentionally used instead of "chore" (singular) in the Commitizen ALLOWED_PREFIXES configuration.

Applied to files:

  • .github/workflows/reusable-bot-changelog.yml
📚 Learning: 2026-03-05T09:59:22.581Z
Learnt from: pushpitkamboj
Repo: openwisp/openwisp-utils PR: 584
File: .github/actions/bot-changelog-generator/generate_changelog.py:356-364
Timestamp: 2026-03-05T09:59:22.581Z
Learning: In `.github/actions/bot-changelog-generator/generate_changelog.py`, the `validate_changelog_output` function's purpose is to act as an output safety filter — ensuring no sensitive information or arbitrary LLM-generated text gets posted as a PR comment. It checks that the output starts with a valid tag ([feature]/[fix]/[change]) and contains a correctly structured PR reference pattern. It is NOT intended to strictly validate that the referenced PR number/URL matches the current PR.

Applied to files:

  • .github/workflows/reusable-bot-changelog.yml
📚 Learning: 2026-03-05T20:55:29.968Z
Learnt from: nemesifier
Repo: openwisp/openwisp-utils PR: 0
File: :0-0
Timestamp: 2026-03-05T20:55:29.968Z
Learning: For the openwisp/openwisp-utils repository (and the broader openwisp org), the maintainers have explicitly decided to use mutable version tags (e.g. `v2`, `v6`) for GitHub Actions and to use `ref: master` for internal script checkouts. Do NOT flag unpinned action versions or `master`/version-tag usage as security issues in any openwisp-utils workflow file. The maintainers are aware of the trade-offs and are intentionally fine with this approach.

Applied to files:

  • .github/workflows/reusable-bot-changelog.yml
🔇 Additional comments (10)
.github/workflows/reusable-bot-autoassign.yml (1)

38-39: LGTM!

The pip caching configuration is correctly aligned with the checkout path. The openwisp-utils/setup.py path matches the checkout destination at line 32, ensuring the cache key will properly invalidate when dependencies change.

.github/workflows/bot-autoassign-stale-pr.yml (1)

35-36: LGTM!

Caching is correctly configured for the repository's root setup.py, matching the checkout and install paths.

.github/workflows/reusable-bot-ci-failure.yml (1)

71-72: LGTM!

The pip caching configuration correctly references trusted_scripts/setup.py, consistent with the checkout path at line 56 and the install command at line 76.

.github/workflows/reusable-bot-changelog.yml (2)

64-67: LGTM!

Good change to include setup.py in the sparse checkout. This ensures the file is available for the cache key computation when invoking the composite action.


73-73: LGTM!

The cache-dependency-path correctly references the sparse-checked-out setup.py relative to the workspace root.

.github/workflows/bot-autoassign-issue.yml (1)

34-35: LGTM!

Pip caching is correctly configured for the repository root setup.py.

.github/workflows/bot-autoassign-pr-reopen.yml (2)

37-38: LGTM!

Pip caching correctly configured for the reassign-on-reopen job.


70-71: LGTM!

Pip caching correctly configured for the handle-pr-activity job, consistent with the other job in this workflow.

.github/workflows/bot-autoassign-pr-issue-link.yml (1)

35-36: LGTM!

Pip caching correctly configured for the repository root setup.py.

.github/actions/bot-changelog-generator/action.yml (1)

18-21: LGTM!

Good design choice making the cache-dependency-path optional with an empty default. This maintains backward compatibility for callers that don't provide the input.

Comment on lines +26 to 38
- name: Set up Python with cache
if: ${{ inputs.cache-dependency-path != '' }}
uses: actions/setup-python@v5
with:
python-version: "3.13"
cache: "pip"
cache-dependency-path: ${{ inputs.cache-dependency-path }}

- name: Set up Python
if: ${{ inputs.cache-dependency-path == '' }}
uses: actions/setup-python@v5
with:
python-version: "3.13"
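Review bot: the two `Set up Python` steps differ only in the `cache` and `cache-dependency-path` keys, so the `uses:` ref and `python-version: "3.13"` now have to be kept in sync in two places behind mutually exclusive `if:` conditions on the same input. Please add a short comment above the steps saying why the empty-input branch is needed, or, if every caller is expected to pass a path, drop the second step and the branching with it.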

🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

🌐 Web query:

What is the latest version of actions/setup-python GitHub Action?

💡 Result:

The latest release of actions/setup-python is v6.2.0 (tagged “Latest” on the Releases page). You can reference it as actions/setup-python@v6.2.0 (pinned) or actions/setup-python@v6 (floating major). (github.com)

Citations:


🏁 Script executed:

find .github/workflows -type f -name "*.yml" -o -name "*.yaml" | xargs grep -n "actions/setup-python"

Repository: openwisp/openwisp-utils

Length of output: 900


Version inconsistency: actions/setup-python@v5 vs @v6 used elsewhere.

This composite action uses actions/setup-python@v5 (lines 28, 36), while the workflow files in this PR use actions/setup-python@v6. Consider updating to @v6 for consistency across the codebase.

♻️ Suggested fix for version consistency
     - name: Set up Python with cache
       if: ${{ inputs.cache-dependency-path != '' }}
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
         python-version: "3.13"
         cache: "pip"
         cache-dependency-path: ${{ inputs.cache-dependency-path }}

     - name: Set up Python
       if: ${{ inputs.cache-dependency-path == '' }}
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
         python-version: "3.13"
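Review bot: both `uses:` lines move to a new major version while the `with:` blocks stay as they are, so the first step still depends on `cache: "pip"` and `cache-dependency-path` being accepted unchanged by `@v6`. Confirm that against the action's release notes before applying the suggestion, and say in the commit message that the bump is for consistency with the workflow files and not a behaviour change.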
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Set up Python with cache
if: ${{ inputs.cache-dependency-path != '' }}
uses: actions/setup-python@v5
with:
python-version: "3.13"
cache: "pip"
cache-dependency-path: ${{ inputs.cache-dependency-path }}
- name: Set up Python
if: ${{ inputs.cache-dependency-path == '' }}
uses: actions/setup-python@v5
with:
python-version: "3.13"
- name: Set up Python with cache
if: ${{ inputs.cache-dependency-path != '' }}
uses: actions/setup-python@v6
with:
python-version: "3.13"
cache: "pip"
cache-dependency-path: ${{ inputs.cache-dependency-path }}
- name: Set up Python
if: ${{ inputs.cache-dependency-path == '' }}
uses: actions/setup-python@v6
with:
python-version: "3.13"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/actions/bot-changelog-generator/action.yml around lines 26 - 38,
Update the composite action steps that currently reference "uses:
actions/setup-python@v5" to use "@v6" for consistency with the rest of the repo;
specifically modify both occurrences of the "uses: actions/setup-python@v5"
lines in the steps that handle the cache (with cache-dependency-path) and the
non-cache branch so they read "uses: actions/setup-python@v6", leaving the
existing with: keys (python-version, cache, cache-dependency-path) unchanged.

@czarflix czarflix force-pushed the codex/issue-628-cache-bot-deps branch from 742972a to 92914fd Compare March 17, 2026 13:18
@coveralls

Coverage Status

coverage: 97.348%. remained the same
when pulling 92914fd on czarflix:codex/issue-628-cache-bot-deps
into e1d24be on openwisp:master.

@czarflix
Author

@nemesifier could you take a look, this addresses the caching issue

Member

@nemesifier nemesifier left a comment


The goal is to cache the installation of openwisp-utils itself, so we shouldn't need to add a new input parameter as the result is always the same in all repos. Are you sure this is the correct approach?

The problem is that now we're installing openwisp-utils directly and using master, we may need to do something different to make cache invalidation easier.

@czarflix
Author

> The goal is to cache the installation of openwisp-utils itself, so we shouldn't need to add a new input parameter as the result is always the same in all repos. Are you sure this is the correct approach?
>
> The problem is that now we're installing openwisp-utils directly and using master, we may need to do something different to make cache invalidation easier.

Thanks, I reworked this locally in the direction you suggested. I removed the extra input and changed the changelog bot to install from the checked-out openwisp-utils-action copy instead, with caching keyed off openwisp-utils-action/setup.py.

I tested that locally with a fresh sparse-checkout-style install, a smoke import, actionlint, and an act run that saved and restored the pip cache successfully. If that’s the direction you had in mind, I can update the PR accordingly.


Labels

enhancement github_actions Pull requests that update GitHub Actions code helper-bots Helper bots, release management automation

Development

Successfully merging this pull request may close these issues.

[chores] CI bots: cache dependencies
