Add org-membership check for changelog commits

[cotti]

This pull request refactors and improves the changelog submission workflow by splitting it into two distinct GitHub Actions: one for evaluating and generating the changelog artifact, and another for applying (committing or commenting) the changelog to the PR. This change enhances security, flexibility, and maintainability, especially around handling forked pull requests and organization membership. Key updates include new preflight checks, improved artifact handling, and more granular permission management.

Workflow refactor and security improvements:

• Split changelog submit into evaluate and apply actions:
  The previous monolithic changelog submission action is now separated into evaluate (read-only, generates an artifact) and apply (writes the changelog or comments). This separation allows for safer handling of forked PRs and better permission scoping. (.github/workflows/changelog-submit.yml, changelog/submit/evaluate/action.yml, changelog/submit/apply/action.yml) [1] [2] [3]

• Preflight checks for org membership and fork status:
  Added a new preflight job that determines if the PR author is an organization member and whether to proceed with changelog submission, preventing untrusted forks from triggering write operations. (.github/workflows/changelog-submit.yml)

Changelog evaluation and artifact handling:

• Artifact-based changelog handoff:
  The evaluate action now uploads a changelog artifact, which the apply action later downloads and commits or comments. This decouples artifact generation from write operations and improves workflow modularity. (changelog/submit/evaluate/action.yml, changelog/submit/apply/action.yml) [1] [2]

• Improved context and commit strategy resolution:
  The evaluate action determines if the PR is from a trusted source and whether it can safely commit to the branch or must comment, based on fork status, org membership, and PR edit permissions. (changelog/submit/evaluate/action.yml) [1] [2]

Output and input changes for actions:

• More granular inputs and outputs:
  Inputs like is-org-member and outputs like proceed and is-org-member were added to facilitate better coordination between jobs and actions. (changelog/submit/evaluate/action.yml)

• Enhanced PR data extraction:
  The script fetching PR data now outputs additional fields like head-repo and maintainer-can-modify to support the new commit strategy logic. (changelog/submit/evaluate/scripts/fetch-pr-data.js)

Overall, these changes make the changelog automation more robust and secure, especially when dealing with contributions from forks and external contributors.

[Mpdreamz]

Summary

Strong direction: fork/org-member preflight, evaluate vs apply split, and reduced token exposure on the read path address the main trust issues for workflow_run changelog automation. Artifact handoff in the same workflow run does not introduce meaningful artifact-poisoning risk versus cross-run or cross-repo misuse.

Request changes / must-resolve before merge

1. fetch-ephemeral-token + continue-on-error: true
   If Vault/OIDC token retrieval fails, downstream org membership may run with no/invalid token or behave inconsistently. Please either remove continue-on-error, fail the preflight job when the token is absent, or document and enforce fail-closed behavior in check-org-membership (e.g. treat failure/empty token as non-member and fail the job rather than silently skipping trusted fork handling). Goal: no ambiguous path where a fork PR is skipped or accepted due to infra failure without an explicit failure signal.

2. PR author resolution when PR number cannot be resolved
   The “Resolve PR author” step warns and returns without setting login. Confirm what is-elastic-org-member does with an empty username and whether preflight still gates correctly (should not treat empty as org member; preferably fail closed or skip with a clear error so legitimate PRs are not silently dropped without notice).

3. Preflight outputs when fork-only steps are skipped
   For same-repo PRs, is-org-member may be unset. The evaluate strategy correctly keys off IS_FORK first; please add a short comment in the workflow or ensure generate inputs default so nothing interprets empty is-org-member as "true".

Non-blocking / follow-up

• Race on maintainer_can_modify: rare UX edge between evaluate and apply; acceptable if documented or handled on push failure.
• docs-builder: artifact commands and metadata contract are paired with elastic/docs-builder#3199; consider aligning CLI naming with a CI-oriented subcommand (changelog ci prepare-pr-artifact, etc.) per discussion in docs-builder#3202.

Happy to re-review after the preflight/token failure modes are explicit and closed.

[Mpdreamz]

Approved. Preflight gates and fail-closed PR resolution match the trust model, token fetch no longer swallows errors, is-org-member is normalized for same-repo runs, and the push-fallback path is UX-only (no broadened privileges). Good to merge once paired with the docs-builder artifact side as needed.