changelog: source bundle entries from the CDN with a per-product registry

Source the individual changelog entries that make up a bundle from the
public CDN by default, scoped to the bundle's product(s), instead of the
local folder. Because the bundle filter is content-based (an entry's
products/prs/issues live inside the YAML, not its name) and CloudFront has
no ListObjects, a per-product entry index ({product}/changelog/registry.json)
is published on upload so the client can enumerate then fetch+filter.

- Add bundle.use_local_changelogs opt-out, plus automatic local fallback
  when no concrete product can scope the per-product CDN fetch.
- Extend RegistryBuilder/RegistryKey to write and pass-through the entry
  index (scrubber recognizes {product}/changelog/registry.json).
- Add CdnChangelogEntryFetcher and centralize CDN base resolution in
  ChangelogCdn (shared with the changelog directive's cdn: mode).
- Emit cdn_url from `changelog bundle --plan` so CI can poll for the
  scrubbed bundle ({base}/{product}/bundle/{file}).
- Harden entry sourcing: a registry-listed entry that has not yet
  propagated to the CDN is retried with short backoff and cache-busting;
  a persistent miss fails the bundle instead of silently shipping an
  incomplete release.

dotnet format, AOT publish (0 trim/AOT warnings), and the affected unit
tests all pass; cli-schema.json regenerated for the new --plan output.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: cotti

docs/cli-schema.json

@@ -2776,7 +2776,7 @@
               "name": "plan",
               "type": "boolean",
               "required": false,
-              "summary": "Emit GitHub Actions step outputs (needs_network, needs_github_token, output_path) describing network requirements and the resolved output path, then exit without generating the bundle. Intended for CI actions.",
+              "summary": "Emit GitHub Actions step outputs (needs_network, needs_github_token, output_path, and cdn_url when a product is resolvable) describing network requirements, the resolved output path, and the public CDN URL of the scrubbed bundle, then exit without generating the bundle. Intended for CI actions.",
               "defaultValue": "false"
             },
             {

src/Elastic.Documentation.Configuration/Changelog/BundleConfiguration.cs

@@ -21,6 +21,14 @@ public record BundleConfiguration
 	/// </summary>
 	public string? OutputDirectory { get; init; }
 
+	/// <summary>
+	/// When true, the individual changelog entries that make up a bundle are sourced from the local
+	/// <see cref="Directory"/>. When false (the default), they are fetched from the public changelog
+	/// CDN, scoped to the bundle's products. An explicit <c>--directory</c> on the CLI always forces
+	/// local sourcing regardless of this setting.
+	/// </summary>
+	public bool UseLocalChangelogs { get; init; }
+
 	/// <summary>
 	/// Whether to resolve (copy contents of each changelog file into the entries array).
 	/// Defaults to true

src/Elastic.Documentation.Configuration/Changelog/ChangelogConfigurationLoader.cs

@@ -529,6 +529,7 @@ private static PivotConfiguration ConvertPivot(PivotConfigurationYaml yamlPivot)
 		{
 			Directory = yaml.Directory,
 			OutputDirectory = yaml.OutputDirectory,
+			UseLocalChangelogs = yaml.UseLocalChangelogs ?? false,
 			Resolve = yaml.Resolve ?? true,
 			Description = yaml.Description,
 			Repo = yaml.Repo,

src/Elastic.Documentation.Configuration/Changelog/ChangelogConfigurationYaml.cs

@@ -275,6 +275,12 @@ internal sealed record BundleConfigurationYaml
 	/// </summary>
 	public string? OutputDirectory { get; set; }
 
+	/// <summary>
+	/// When true, source the individual changelog entries that make up a bundle from the local
+	/// <see cref="Directory"/> instead of the public CDN. Defaults to false (CDN sourcing).
+	/// </summary>
+	public bool? UseLocalChangelogs { get; set; }
+
 	/// <summary>
 	/// Whether to resolve (copy contents) by default.
 	/// </summary>

src/Elastic.Documentation.Configuration/ReleaseNotes/CdnChangelogEntryFetcher.cs

@@ -0,0 +1,218 @@
+// Licensed to Elasticsearch B.V under one or more agreements.
+// Elasticsearch B.V licenses this file to you under the Apache 2.0 License.
+// See the LICENSE file in the project root for more information
+
+using System.Text.Json;
+using Microsoft.Extensions.Logging;
+
+namespace Elastic.Documentation.Configuration.ReleaseNotes;
+
+/// <summary>
+/// One downloaded changelog entry: the registry file name and its raw YAML content.
+/// </summary>
+public readonly record struct CdnChangelogEntry(string FileName, string Content);
+
+/// <summary>
+/// Fetches the individual (scrubbed) changelog entries for a single product from the public CDN, for
+/// the <c>changelog bundle</c> command when sourcing entries from S3 rather than a local folder. It
+/// reads <c>{base}/{product}/changelog/registry.json</c> to enumerate entries and downloads each
+/// <c>{base}/{product}/changelog/{file}</c> as raw YAML; the bundle command then applies its usual
+/// filter (products / prs / issues) to the downloaded set.
+/// </summary>
+/// <remarks>
+/// <para>
+/// A registry that cannot be fetched or parsed is a hard error (the caller gets an empty list and an
+/// emitted error). An individual entry that the registry lists but the CDN does not yet serve is
+/// retried a few times with short backoff (and cache-busting, to defeat any CloudFront negative-cache)
+/// to ride out the brief upload→scrub→propagate window. If it still cannot be fetched after the retry
+/// budget it is escalated to an error, not skipped: the registry asserts the entry exists (uploads
+/// never prune) and scrubbing is sub-second, so a persistent miss is a real pipeline problem and
+/// silently shipping an incomplete release bundle is worse than failing the run.
+/// </para>
+/// </remarks>
+public sealed class CdnChangelogEntryFetcher(
+	ILoggerFactory logFactory,
+	HttpMessageHandler? handler = null,
+	int maxAttempts = CdnChangelogEntryFetcher.DefaultMaxAttempts,
+	Action<TimeSpan, Cancel>? sleep = null)
+{
+	private const int SupportedSchemaVersion = 1;
+
+	/// <summary>Total GET attempts per entry (1 initial + retries). ~3.5s budget at the default backoff.</summary>
+	private const int DefaultMaxAttempts = 4;
+	private const int BaseRetryDelayMs = 500;
+	private const int MaxRetryDelayMs = 2000;
+
+	private readonly ILogger _logger = logFactory.CreateLogger<CdnChangelogEntryFetcher>();
+	private readonly HttpClient _httpClient = handler is null ? new HttpClient() : new HttpClient(handler, disposeHandler: false);
+	private readonly int _maxAttempts = maxAttempts < 1 ? DefaultMaxAttempts : maxAttempts;
+	private readonly Action<TimeSpan, Cancel> _sleep = sleep ?? DefaultSleep;
+
+	/// <summary>
+	/// Downloads the changelog entries for <paramref name="product"/> from the CDN at
+	/// <paramref name="baseUri"/>. Returns an empty list after emitting an error when the registry cannot
+	/// be read or when a registry-listed entry cannot be fetched within the retry budget. Entries are
+	/// returned in registry order; the caller owns filtering and de-duplication.
+	/// </summary>
+	public IReadOnlyList<CdnChangelogEntry> Fetch(
+		Uri baseUri,
+		string product,
+		Action<string> emitError,
+		Action<string> emitWarning,
+		Cancel ctx)
+	{
+		var registryUri = Combine(baseUri, product, "changelog", "registry.json");
+
+		ChangelogRegistry? registry;
+		try
+		{
+			registry = FetchRegistry(registryUri, ctx);
+		}
+		catch (Exception ex) when (ex is not OperationCanceledException)
+		{
+			emitError($"Could not fetch changelog entry registry for product '{product}' from {registryUri}: {ex.Message}");
+			return [];
+		}
+
+		if (registry is null)
+		{
+			emitError($"Changelog entry registry for product '{product}' at {registryUri} was empty or unparseable.");
+			return [];
+		}
+
+		if (registry.SchemaVersion > SupportedSchemaVersion)
+		{
+			emitError(
+				$"Changelog entry registry for product '{product}' uses schema version {registry.SchemaVersion}, but this build only understands version {SupportedSchemaVersion}. Update docs-builder.");
+			return [];
+		}
+
+		var entries = new List<CdnChangelogEntry>(registry.Bundles.Count);
+		foreach (var entry in registry.Bundles)
+		{
+			ctx.ThrowIfCancellationRequested();
+
+			var fileName = entry.File;
+			if (string.IsNullOrWhiteSpace(fileName) || !IsSafeFileName(fileName))
+			{
+				emitWarning($"Changelog entry registry for '{product}' lists an invalid file name '{fileName}'; skipping.");
+				continue;
+			}
+
+			var entryUri = Combine(baseUri, product, "changelog", fileName);
+			if (TryFetchEntry(entryUri, fileName, product, ctx, out var content, out var lastError))
+			{
+				entries.Add(new CdnChangelogEntry(fileName, content));
+				continue;
+			}
+
+			// The registry lists this entry, so it exists in the private bucket and should have been
+			// scrubbed to the public one within milliseconds. Still missing after the retry budget means
+			// a genuine propagation/scrub failure — fail rather than ship a bundle missing this entry.
+			emitError(
+				$"Changelog entry '{fileName}' for product '{product}' is listed in the registry but could not be fetched from {entryUri} after {_maxAttempts} attempt(s): {lastError}. " +
+				"The scrubbed copy may not have propagated to the CDN yet; retry shortly, and if it persists check the changelog scrubber pipeline.");
+			return [];
+		}
+
+		_logger.LogInformation("Fetched {Count} changelog entry(ies) for {Product} from {BaseUri}", entries.Count, product, baseUri);
+		return entries;
+	}
+
+	/// <summary>
+	/// Fetches a single entry, retrying transient failures (most importantly a not-yet-propagated 404)
+	/// up to <see cref="_maxAttempts"/> times with exponential backoff. Retry requests are cache-busted
+	/// so a CloudFront-cached 404 cannot pin the result for the whole window.
+	/// </summary>
+	private bool TryFetchEntry(Uri uri, string fileName, string product, Cancel ctx, out string content, out string? lastError)
+	{
+		content = string.Empty;
+		lastError = null;
+
+		for (var attempt = 1; attempt <= _maxAttempts; attempt++)
+		{
+			ctx.ThrowIfCancellationRequested();
+			try
+			{
+				content = FetchText(uri, attempt, ctx);
+				if (attempt > 1)
+					_logger.LogInformation("Fetched changelog entry '{File}' for {Product} on attempt {Attempt}/{Max}", fileName, product, attempt, _maxAttempts);
+				return true;
+			}
+			catch (Exception ex) when (ex is not OperationCanceledException)
+			{
+				lastError = ex.Message;
+				if (attempt >= _maxAttempts)
+					break;
+
+				var delay = RetryDelay(attempt);
+				_logger.LogDebug(
+					"Changelog entry '{File}' for {Product} not yet available (attempt {Attempt}/{Max}: {Error}); retrying in {Delay}",
+					fileName, product, attempt, _maxAttempts, ex.Message, delay);
+				_sleep(delay, ctx);
+			}
+		}
+
+		return false;
+	}
+
+	private ChangelogRegistry? FetchRegistry(Uri registryUri, Cancel ctx)
+	{
+		_logger.LogInformation("Fetching changelog entry registry {RegistryUri}", registryUri);
+		using var request = new HttpRequestMessage(HttpMethod.Get, registryUri);
+		using var response = _httpClient.Send(request, ctx);
+		_ = response.EnsureSuccessStatusCode();
+		using var stream = response.Content.ReadAsStream(ctx);
+		return JsonSerializer.Deserialize(stream, ChangelogRegistryJsonContext.Default.ChangelogRegistry);
+	}
+
+	private string FetchText(Uri uri, int attempt, Cancel ctx)
+	{
+		// Only bust the cache on retries: the first hit should use the CDN cache normally (the common,
+		// already-propagated case); retries explicitly want to bypass any cached 404.
+		var requestUri = attempt > 1 ? WithCacheBuster(uri) : uri;
+		using var request = new HttpRequestMessage(HttpMethod.Get, requestUri);
+		if (attempt > 1)
+			_ = request.Headers.TryAddWithoutValidation("Cache-Control", "no-cache");
+		using var response = _httpClient.Send(request, ctx);
+		_ = response.EnsureSuccessStatusCode();
+		using var stream = response.Content.ReadAsStream(ctx);
+		using var reader = new StreamReader(stream);
+		return reader.ReadToEnd();
+	}
+
+	private static TimeSpan RetryDelay(int attempt)
+	{
+		// attempt is 1-based; first retry waits BaseRetryDelayMs, doubling up to the cap.
+		var ms = Math.Min(BaseRetryDelayMs * (1L << (attempt - 1)), MaxRetryDelayMs);
+		return TimeSpan.FromMilliseconds(ms);
+	}
+
+	private static void DefaultSleep(TimeSpan delay, Cancel ctx)
+	{
+		if (delay > TimeSpan.Zero)
+			_ = ctx.WaitHandle.WaitOne(delay);
+	}
+
+	private static Uri WithCacheBuster(Uri uri)
+	{
+		var separator = string.IsNullOrEmpty(uri.Query) ? "?" : "&";
+		return new Uri($"{uri.AbsoluteUri}{separator}_={DateTimeOffset.UtcNow.Ticks:x}");
+	}
+
+	private static Uri Combine(Uri baseUri, params string[] segments)
+	{
+		var basePath = baseUri.AbsoluteUri.TrimEnd('/');
+		var suffix = string.Join('/', segments.Select(Uri.EscapeDataString));
+		return new Uri($"{basePath}/{suffix}");
+	}
+
+	/// <summary>
+	/// Guards against path traversal or nested keys sneaking in via the registry: an entry file name
+	/// must be a single path segment (the producer always writes <c>{product}/changelog/{file}</c>).
+	/// </summary>
+	private static bool IsSafeFileName(string fileName) =>
+		!fileName.Contains('/', StringComparison.Ordinal)
+		&& !fileName.Contains('\\', StringComparison.Ordinal)
+		&& fileName is not ("." or "..");
+}

src/Elastic.Documentation.Configuration/ReleaseNotes/ChangelogCdn.cs

@@ -0,0 +1,37 @@
+// Licensed to Elasticsearch B.V under one or more agreements.
+// Elasticsearch B.V licenses this file to you under the Apache 2.0 License.
+// See the LICENSE file in the project root for more information
+
+namespace Elastic.Documentation.Configuration.ReleaseNotes;
+
+/// <summary>
+/// Single source of truth for the public changelog CDN base URL used by both the <c>changelog</c>
+/// directive (<c>:cdn:</c> mode) and the <c>changelog bundle</c> command (CDN entry sourcing).
+/// </summary>
+public static class ChangelogCdn
+{
+	/// <summary>
+	/// Environment variable that overrides the changelog CDN base URL (staging/local/testing).
+	/// </summary>
+	public const string BaseUrlEnvironmentVariable = "DOCS_BUILDER_CHANGELOG_CDN";
+
+	/// <summary>
+	/// Default public CDN base for changelog content (CloudFront in front of the public S3 bucket).
+	/// Overridable via <see cref="BaseUrlEnvironmentVariable"/>.
+	/// </summary>
+	public const string DefaultBaseUrl = "https://d10xozp44eyz7q.cloudfront.net";
+
+	/// <summary>
+	/// Resolves the configured CDN base URI, honoring <see cref="BaseUrlEnvironmentVariable"/> and
+	/// falling back to <see cref="DefaultBaseUrl"/>. Returns null when the configured value is not a
+	/// valid absolute http(s) URL.
+	/// </summary>
+	public static Uri? ResolveBaseUri()
+	{
+		var configured = Environment.GetEnvironmentVariable(BaseUrlEnvironmentVariable);
+		var raw = string.IsNullOrWhiteSpace(configured) ? DefaultBaseUrl : configured;
+		return Uri.TryCreate(raw, UriKind.Absolute, out var uri) && uri.Scheme is "http" or "https"
+			? uri
+			: null;
+	}
+}

src/Elastic.Markdown/Myst/Directives/Changelog/ChangelogBlock.cs

@@ -468,16 +468,11 @@ private void LoadPrivateRepositories()
 		}
 	}
 
-	/// <summary>
-	/// Environment variable that overrides the changelog CDN base URL (staging/local/testing).
-	/// </summary>
-	private const string CdnBaseUrlEnvironmentVariable = "DOCS_BUILDER_CHANGELOG_CDN";
-
 	/// <summary>
 	/// Default public CDN base for changelog bundles (CloudFront in front of the public S3 bucket).
-	/// Overridable via <see cref="CdnBaseUrlEnvironmentVariable"/>.
+	/// Overridable via <see cref="ChangelogCdn.BaseUrlEnvironmentVariable"/>.
 	/// </summary>
-	internal const string DefaultCdnBaseUrl = "https://d10xozp44eyz7q.cloudfront.net";
+	internal const string DefaultCdnBaseUrl = ChangelogCdn.DefaultBaseUrl;
 
 	private void LoadAndCacheBundles()
 	{
@@ -507,10 +502,10 @@ private void LoadCdnBundles(string product)
 		if (!string.IsNullOrWhiteSpace(Arguments))
 			this.EmitWarning("The bundles folder argument is ignored when :cdn: is set; bundles are sourced from the CDN.");
 
-		if (ResolveCdnBaseUri() is not { } baseUri)
+		if (ChangelogCdn.ResolveBaseUri() is not { } baseUri)
 		{
 			this.EmitError(
-				$"No valid changelog CDN base URL is configured. Set the {CdnBaseUrlEnvironmentVariable} environment variable to an absolute http(s) URL.");
+				$"No valid changelog CDN base URL is configured. Set the {ChangelogCdn.BaseUrlEnvironmentVariable} environment variable to an absolute http(s) URL.");
 			return;
 		}
 
@@ -579,16 +574,6 @@ private static bool IsValidCdnProduct(string product) =>
 			: repository;
 	}
 
-	private static Uri? ResolveCdnBaseUri()
-	{
-		var configured = Environment.GetEnvironmentVariable(CdnBaseUrlEnvironmentVariable);
-		var raw = string.IsNullOrWhiteSpace(configured) ? DefaultCdnBaseUrl : configured;
-		return Uri.TryCreate(raw, UriKind.Absolute, out var uri)
-			&& uri.Scheme is "http" or "https"
-			? uri
-			: null;
-	}
-
 	private IEnumerable<string> ComputeGeneratedAnchors()
 	{
 		var dedicatedPage = ChangelogInlineRenderer.IsDedicatedSeparatedTypePage(TypeFilter);