Add S3 upload support for changelogs (#43)

cotti · Mpdreamz · claude · web-flow · commit 1b56aa20ce51 · 2026-04-07T18:31:20.000-03:00
* Add S3 upload support for changelogs * Add README * Use js-yaml for path checking. * Add pr-number parameter and tighten workflow-level permissions * Fix IFS, add --no-follow-symlinks * Adjust call * Use docs-builder to upload to S3 * Update .gitignore * Update README * Harden release workflows against tag injection and credential leakage (#45) * Harden release workflows against tag injection and credential leakage Made-with: Cursor * Set workflow-level permissions to {} for least-privilege The job already declares contents: write, so the workflow-level contents: read was redundant. Empty permissions at workflow level ensures no implicit grants. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * Adjust call * Adjust inputs and concurrency for upload workflow * Adjust concurrency group * Adjust docs, improve push target pattern * Use the push SHA instead of the merge commit SHA * Update README * Add config input * Set cancel-in-progress * Introduce config input and additional documentation * Update README --------- Co-authored-by: Martijn Laarman <Mpdreamz@gmail.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/changelog-upload.yml b/.github/workflows/changelog-upload.yml
@@ -0,0 +1,27 @@
+name: Changelog upload
+
+on:
+  workflow_call:
+    inputs:
+      config:
+        description: 'Path to changelog.yml configuration file'
+        type: string
+        default: 'docs/changelog.yml'
+
+permissions: {}
+
+concurrency:
+  group: changelog-s3-sync-${{ github.repository }}
+  cancel-in-progress: false
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Upload changelog
+        uses: elastic/docs-actions/changelog/upload@v1
+        with:
+          config: ${{ inputs.config }}
diff --git a/changelog/README.md b/changelog/README.md
@@ -178,3 +178,60 @@ If a human edits the changelog file directly (i.e., the last commit to the chang
 ## Output
 
 Each PR produces a file at `docs/changelog/{filename}.yaml` on the PR branch (where the filename is determined by the `docs-builder changelog add` command). These files are consumed by `docs-builder` during documentation builds to produce a rendered changelog page.
+
+## Uploading to S3
+
+Changelog files on the default branch can be uploaded to the `elastic-docs-v3-changelog-bundles` S3 bucket under `{product}/changelogs/{filename}.yaml`, preserving the original filename as determined by the repository's `filename` strategy in `changelog.yml`. This makes them available for release bundling workflows.
+
+### 1. Add the upload workflow
+
+**`.github/workflows/changelog-upload.yml`**
+
+```yaml
+name: changelog-upload
+
+on:
+  push:
+    branches: [main, master]
+    paths:
+      - 'docs/changelog/**'
+      - 'docs/changelog.yml'
+
+permissions: {}
+
+jobs:
+  upload:
+    uses: elastic/docs-actions/.github/workflows/changelog-upload.yml@v1
+```
+
+The `paths` filter is optional — it avoids running the workflow on pushes that don't touch changelog files. If your changelog directory or config lives elsewhere, adjust the paths accordingly.
+
+If your changelog configuration is not at `docs/changelog.yml`, pass the path explicitly:
+
+```yaml
+jobs:
+  upload:
+    uses: elastic/docs-actions/.github/workflows/changelog-upload.yml@v1
+    with:
+      config: path/to/changelog.yml
+```
+
+### 2. Enable OIDC access
+
+The upload workflow authenticates to AWS via GitHub Actions OIDC. Your repository must be listed in the `elastic-docs-v3-changelog-bundles` infrastructure to have an IAM role provisioned. Contact the docs-engineering team to add your repository.
+
+### How it works
+
+On each push to `main` or `master`, the upload workflow:
+
+1. Checks out the pushed commit
+2. Sets up `docs-builder` and authenticates with AWS via OIDC
+3. Runs `docs-builder changelog upload`, which reads your `changelog.yml`, discovers changelog YAML files in the configured directory, and incrementally uploads them to `{product}/changelogs/{filename}.yaml` in the bucket — only files whose content has changed are transferred
+
+If the changelog directory has no files (for example, because changelog generation was skipped), the command exits silently without error.
+
+The workflow uses a per-repository concurrency group so that rapid successive pushes queue rather than run in parallel. If a run is already in progress when a new push arrives, the in-progress run completes before the next one starts. Since `docs-builder` performs incremental uploads (skipping unchanged objects), re-runs are cheap.
+
+> **Note:** The composite action accepts an `aws-account-id` input (default: the Elastic docs account). Overriding this is only valid when OIDC trust and IAM roles have been provisioned for the target account. In practice, most repositories should use the default.
+
+> **Note:** The `github-token` input defaults to the workflow's `GITHUB_TOKEN`, which is scoped to the job's declared permissions. Do not substitute a broader PAT unless `docs-builder/setup` explicitly requires it.
diff --git a/changelog/upload/README.md b/changelog/upload/README.md
@@ -0,0 +1,24 @@
+<!-- Generated by https://github.com/reakaleek/gh-action-readme -->
+# <!--name-->Changelog upload<!--/name-->
+<!--description-->
+Uploads changelog entries to the elastic-docs-v3-changelog-bundles S3 bucket using docs-builder's incremental upload. Intended to run on push to the default branch (main/master). Only files whose content has changed are transferred.
+<!--/description-->
+
+## Inputs
+<!--inputs-->
+| Name             | Description                                                                                                 | Required | Default               |
+|------------------|-------------------------------------------------------------------------------------------------------------|----------|-----------------------|
+| `config`         | Path to changelog.yml configuration file (repo-relative, no ".." or absolute paths)                         | `false`  | `docs/changelog.yml`  |
+| `github-token`   | GitHub token (used by docs-builder setup). Use the default GITHUB_TOKEN; do not substitute a broader PAT.   | `false`  | `${{ github.token }}` |
+| `aws-account-id` | The AWS account ID. Only override if OIDC trust and IAM roles have been provisioned for the target account. | `false`  | `197730964718`        |
+<!--/inputs-->
+
+## Outputs
+<!--outputs-->
+| Name | Description |
+|------|-------------|
+<!--/outputs-->
+
+## Usage
+<!--usage action="your/action" version="v1"-->
+<!--/usage-->
diff --git a/changelog/upload/action.yml b/changelog/upload/action.yml
@@ -0,0 +1,76 @@
+name: Changelog upload
+description: >
+  Uploads changelog entries to the elastic-docs-v3-changelog-bundles S3 bucket
+  using docs-builder's incremental upload. Intended to run on push to the default
+  branch (main/master). Only files whose content has changed are transferred.
+
+inputs:
+  config:
+    description: 'Path to changelog.yml configuration file (repo-relative, no ".." or absolute paths)'
+    default: 'docs/changelog.yml'
+  github-token:
+    description: 'GitHub token (used by docs-builder setup). Use the default GITHUB_TOKEN; do not substitute a broader PAT.'
+    default: '${{ github.token }}'
+  aws-account-id:
+    description: 'The AWS account ID. Only override if OIDC trust and IAM roles have been provisioned for the target account.'
+    default: '197730964718'
+
+runs:
+  using: composite
+  steps:
+    - name: Verify push to default branch
+      shell: bash
+      env:
+        REF: ${{ github.ref }}
+      run: |
+        if [[ "$REF" != "refs/heads/main" && "$REF" != "refs/heads/master" ]]; then
+          echo "::error::changelog upload must run on a push to main or master (got $REF)"
+          exit 1
+        fi
+
+    - name: Validate config path
+      shell: bash
+      env:
+        CONFIG: ${{ inputs.config }}
+      run: |
+        if [[ "$CONFIG" == /* ]]; then
+          echo "::error::config path must be relative, not absolute: ${CONFIG}"
+          exit 1
+        fi
+        if [[ "$CONFIG" == *..* ]]; then
+          echo "::error::config path must not contain '..': ${CONFIG}"
+          exit 1
+        fi
+        if [[ "$CONFIG" == *$'\n'* || "$CONFIG" == *$'\r'* ]]; then
+          echo "::error::config path must not contain newlines"
+          exit 1
+        fi
+
+    - name: Checkout
+      uses: actions/checkout@v6
+      with:
+        ref: ${{ github.sha }}
+        persist-credentials: false
+
+    - name: Setup docs-builder
+      uses: elastic/docs-actions/docs-builder/setup@v1
+      with:
+        version: edge
+        github-token: ${{ inputs.github-token }}
+
+    - name: Authenticate with AWS
+      uses: elastic/docs-actions/aws/auth@v1
+      with:
+        aws_account_id: ${{ inputs.aws-account-id }}
+        aws_role_name_prefix: elastic-docs-v3-changelog-
+
+    - name: Upload changelogs
+      shell: bash
+      env:
+        CONFIG: ${{ inputs.config }}
+      run: |
+        docs-builder changelog upload \
+          --artifact-type changelog \
+          --target s3 \
+          --s3-bucket-name elastic-docs-v3-changelog-bundles \
+          --config "$CONFIG"
