
Commit 2c3f385

cotti and cursoragent authored
ci: add changelog-upload workflow and tighten changelog-init permissions (#1123)
Two pieces were missing for the changelog setup to be complete end to end:

1. `changelog-upload.yml` was absent. The existing `changelog-init` (validate + the bespoke upstream-update job) and `changelog-submit` workflows cover the PR lifecycle, but nothing was wired up to regenerate and upload changelog bundles to S3 when PRs land on `main`. That left fork-PR entries in particular without a path to the public bundle — the upload action re-derives them from the merged commit's pull-request record via `docs-builder changelog add --prs <N>`, which only runs on push. This commit adds the reusable workflow call with the three scopes the upload step needs: `contents: read` to check out the commit, `id-token: write` to acquire the AWS OIDC token, and `pull-requests: read` to look up the merged PRs for the pushed SHA so fork entries can be regenerated.

   Infra prerequisites are already in place: `elastic/elastic-otel-java` is declared in `elastic/docs-infra/modules/aws-github-actions-oidc-roles/repositories.yml` and in `elastic/docs-builder/config/assembler.yml`.

2. `changelog-init.yml` was granting `contents: read` at the workflow level. That worked today because the `upstream-update` job already overrides to `contents: write` + `pull-requests: write` and the `validate` job only needed read access, but the workflow-level permission would silently get inherited by any future job added to this file. Switch to the same pattern adopted in #1118 for `changelog-submit.yml`: workflow-level `permissions: {}` as a least-privilege ceiling, with each job declaring exactly what it needs. The `validate` job now spells out `contents: read` explicitly (the reusable workflow itself declares the same at job level, but a caller-side declaration is required because the workflow-level ceiling propagates into reusable workflow calls).

No behaviour change for existing PR runs; the upload path will start firing on the next push to `main`.

Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent 7e3d7b4 commit 2c3f385

2 files changed

Lines changed: 18 additions & 2 deletions


.github/workflows/changelog-init.yml

Lines changed: 3 additions & 2 deletions
@@ -10,8 +10,7 @@ on:
1010
- labeled
1111
- unlabeled
1212

13-
permissions:
14-
contents: read
13+
permissions: {}
1514

1615
concurrency:
1716
group: changelog-init-${{ github.event.pull_request.number }}
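Review bot: the workflow-level `permissions: {}` ceiling means every job in this file that has no `permissions:` block of its own now runs with a token that has no scopes at all, so this hunk only holds together if `upstream-update` keeps its explicit `contents: write` / `pull-requests: write` block (stated in the commit message, but outside the visible diff). A short comment beside `permissions: {}` saying that each job must declare the scopes it needs would stop the next job added to this file from silently running without a usable token, which is the failure mode this change is meant to prevent.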
@@ -54,4 +53,6 @@ jobs:
5453
if: ${{ always() }}
5554
# needs to execute after init-upstream-update
5655
needs: [ upstream-update ]
56+
permissions:
57+
contents: read # reusable workflow checks out the repo to read docs/changelog.yml
5758
uses: elastic/docs-actions/.github/workflows/changelog-validate.yml@v1
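Review bot: because a `uses:` job passes its job-level permissions into the called workflow, `changelog-validate.yml@v1` can no longer obtain anything the caller did not grant, so it is worth confirming before merge that the called workflow reads only the checked-out `docs/changelog.yml` (as the inline comment says) and does not also touch PR metadata, which would need `pull-requests: read`; under the new `{}` ceiling a missing scope shows up as a runtime failure on the first PR after merge rather than as a silent fallback. The `if: ${{ always() }}` plus `needs: [ upstream-update ]` combination is pre-existing and means `validate` also runs when the upstream job is cancelled; `!cancelled()` is the usual spelling if that is not the intent.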
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
name: changelog-upload
2+
3+
on:
4+
push:
5+
branches: [main]
6+
7+
permissions: {}
8+
9+
jobs:
10+
upload:
11+
permissions:
12+
contents: read # checkout the pushed commit
13+
id-token: write # OIDC token for AWS authentication
14+
pull-requests: read # look up merged PRs for the pushed commit so fork-PR entries can be regenerated
15+
uses: elastic/docs-actions/.github/workflows/changelog-upload.yml@v1
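Review bot: `uses: elastic/docs-actions/.github/workflows/changelog-upload.yml@v1` pins a mutable tag while the `upload` job grants `id-token: write`, so anyone who can move the `v1` tag in `elastic/docs-actions` can change the code that obtains the AWS OIDC token and writes to the bundle bucket; pinning the reusable workflow to a full commit SHA (with the tag kept in a trailing comment) keeps that decision under this repository's review. The three scopes themselves are the minimum for what the comments describe, and `pull-requests: read` on a `push` event is the right way to let the upload step look up the merged PRs for the pushed commit without holding a write token.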

0 commit comments
