From 3af59fe9acfe7e096a0b3675a27fa967aa26dae7 Mon Sep 17 00:00:00 2001
From: Federico Capoano <f.capoano@openwisp.io>
Date: Mon, 16 Mar 2026 21:41:27 -0300
Subject: [PATCH 1/2] [ci] Failure Bot: run only on PR merge, allowed
 auto-retry

---
 .github/workflows/bot-ci-failure.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/bot-ci-failure.yml b/.github/workflows/bot-ci-failure.yml
index 17f32eb97..54299318a 100644
--- a/.github/workflows/bot-ci-failure.yml
+++ b/.github/workflows/bot-ci-failure.yml
@@ -8,7 +8,7 @@ on:
 
 permissions:
   pull-requests: write
-  actions: read
+  actions: write  # needed for auto retries of flaky CI builds
   contents: read
 
 concurrency:
@@ -18,7 +18,7 @@ concurrency:
 jobs:
   find-pr:
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'failure' }}
+    if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.workflow_run.event == 'pull_request' }}
     outputs:
       pr_number: ${{ steps.pr.outputs.number }}
       pr_author: ${{ steps.pr.outputs.author }}

From 8114ca3f62648c2057d7add180e5272c42cbf2d0 Mon Sep 17 00:00:00 2001
From: stktyagi <stktyagi2810@gmail.com>
Date: Wed, 18 Mar 2026 16:43:47 +0530
Subject: [PATCH 2/2] [chores] Updated CI failure bot caller

Updated the failure bot caller with respect to new improvements.
---
 .github/workflows/bot-ci-failure.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/bot-ci-failure.yml b/.github/workflows/bot-ci-failure.yml
index 54299318a..3ce77998b 100644
--- a/.github/workflows/bot-ci-failure.yml
+++ b/.github/workflows/bot-ci-failure.yml
@@ -7,8 +7,8 @@ on:
       - completed
 
 permissions:
-  pull-requests: write
-  actions: write  # needed for auto retries of flaky CI builds
+  pull-requests: read
+  actions: read
   contents: read
 
 concurrency:
@@ -69,6 +69,10 @@ jobs:
   call-ci-failure-bot:
     needs: find-pr
     if: ${{ needs.find-pr.outputs.pr_number != '' }}
+    permissions:
+      pull-requests: write
+      actions: write
+      contents: read
     uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@master
     with:
       pr_number: ${{ needs.find-pr.outputs.pr_number }}