ci: add changelog-upload workflow and tighten changelog-init permissions

[cotti]

Summary

Two small pieces were missing for the changelog setup to be complete end-to-end:

1. changelog-upload.yml (new file). The existing changelog-init (validate + the bespoke upstream-update job) and changelog-submit workflows cover the PR lifecycle, but nothing was wired up to regenerate and upload changelog bundles to S3 when PRs land on main. That left fork-PR entries in particular without a path to the public bundle — the upload action re-derives them from the merged commit's pull-request record via docs-builder changelog add --prs <N>, which only runs on push. This PR adds the reusable workflow call with the three scopes the upload step needs:
   • contents: read — checkout the pushed commit
   • id-token: write — OIDC token for AWS authentication
   • pull-requests: read — look up merged PRs for the pushed commit so fork-PR entries can be regenerated
2. changelog-init.yml — workflow-level → job-level permissions. Today changelog-init.yml grants contents: read at the workflow level. It works because the upstream-update job already overrides to contents: write + pull-requests: write and the validate job only needs read, but the workflow-level grant would silently get inherited by any future job added to this file. Switching to the same least-privilege pattern adopted in [ci] fix changelog-submit permissions #1118 for changelog-submit.yml: workflow-level permissions: {} ceiling, each job declaring its own. The validate job now spells out contents: read explicitly (the reusable workflow declares the same internally, but a caller-side declaration is required because the workflow-level ceiling propagates down into reusable workflow calls).

No behaviour change for existing PR runs. The upload path will start firing on the next push to main.

Infrastructure prerequisites (verified already in place)

• elastic/elastic-otel-java is declared in elastic/docs-infra/modules/aws-github-actions-oidc-roles/repositories.yml (line 66) — the OIDC role exists, so aws-actions/configure-aws-credentials will succeed.
• elastic-otel-java is declared in elastic/docs-builder/config/assembler.yml (line 121) without private: true — the scrubber Lambda will allow links to this repo through to the public CDN copy.
• Default branch is main, which the upload action's branch guard accepts (refs/heads/main or refs/heads/master).
• docs/changelog.yml is correctly configured (bundle.repo: elastic-otel-java, bundle.owner: elastic, filename: pr, pivot.types covers the team's labels), so both the per-PR upload and the fork-PR regeneration path will resolve cleanly.

Test plan

• actionlint .github/workflows/changelog-*.yml passes locally.
• YAML parses cleanly.
• After merge, watch the changelog-upload run on the first push to main (no test PR required — the first merged PR after this lands will exercise it).
• Confirm the changelog appears in the bundle published to S3 / surfaces on the docs site.

Companion context

The upstream changelog workflow bugs that were causing fork PRs to fail (detached-HEAD push, missing fallback comment) were fixed in elastic/docs-actions#172 and shipped as part of today's v1 retag. With those plus this PR, elastic-otel-java will have the complete changelog story: validate → submit (commit or comment) → upload (per push to main).

Made with Cursor

[github-actions]

📋 Changelog

⚠️ Cannot generate changelog: no matching type label found on this PR.

🔖 Add one of these type labels to your PR:

Label	Type
breaking-change	breaking-change
bug	bug-fix
deprecation	deprecation
feature	feature
enhancement	enhancement
changelog:upstream-update	enhancement
docs	docs
documentation	docs

⏭️ To skip changelog generation, add one of these labels: changelog:skip

📄 See docs/changelog.yml for the full changelog configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR standardizes GitHub Actions workflow permissions across changelog operations by applying a least-privilege model. The changelog-init workflow is refactored to remove top-level contents: read and declare it explicitly at the job level for the validate job. A new changelog-upload workflow is added that triggers on pushes to main and delegates to a reusable workflow in elastic/docs-actions, with scoped permissions for AWS OIDC authentication and changelog artifact operations.

Possibly related PRs

• elastic/elastic-otel-java#1118: Adjusts GitHub Actions workflow permission blocks for changelog workflows, switching to top-level permissions: {} with explicit job-level permission grants.

Suggested labels

agent-java, changelog:skip

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

• 🛠️ Update Documentation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/changelog-upload.yml:
- Line 15: The workflow reference uses the mutable tag
"elastic/docs-actions/.github/workflows/changelog-upload.yml@v1"; replace that
mutable tag with the immutable commit SHA currently resolved
(62e663e275c5fcc4051e9783d03942752eac579c) so the line that contains uses:
elastic/docs-actions/.github/workflows/changelog-upload.yml@v1 instead becomes
pinned to `@62e663e275c5fcc4051e9783d03942752eac579c`.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: b9894136-8125-4ce6-a4db-7ece24ed55ab

📥 Commits

Reviewing files that changed from the base of the PR and between 2739449 and 4598aca.

📒 Files selected for processing (2)

• .github/workflows/changelog-init.yml
• .github/workflows/changelog-upload.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify mutable refs in workflows and resolve the current v1 tag commit.
rg -n '^\s*uses:\s*[^@]+@v[0-9]+(\.[0-9]+)*\s*$' .github/workflows
git ls-remote https://github.com/elastic/docs-actions refs/tags/v1 refs/tags/v1^{}

Repository: elastic/elastic-otel-java

Length of output: 3439

---

Pin reusable workflow to an immutable commit SHA

.github/workflows/changelog-upload.yml uses the mutable tag elastic/docs-actions/.github/workflows/changelog-upload.yml@v1. The v1 tag currently resolves to 62e663e275c5fcc4051e9783d03942752eac579c, so pin to that commit.

Suggested change

-    uses: elastic/docs-actions/.github/workflows/changelog-upload.yml@v1
+    uses: elastic/docs-actions/.github/workflows/changelog-upload.yml@62e663e275c5fcc4051e9783d03942752eac579c

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	uses: elastic/docs-actions/.github/workflows/changelog-upload.yml@v1
	uses: elastic/docs-actions/.github/workflows/changelog-upload.yml@62e663e275c5fcc4051e9783d03942752eac579c

🧰 Tools

🪛 zizmor (1.25.2)

[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/changelog-upload.yml at line 15, The workflow reference
uses the mutable tag
"elastic/docs-actions/.github/workflows/changelog-upload.yml@v1"; replace that
mutable tag with the immutable commit SHA currently resolved
(62e663e275c5fcc4051e9783d03942752eac579c) so the line that contains uses:
elastic/docs-actions/.github/workflows/changelog-upload.yml@v1 instead becomes
pinned to `@62e663e275c5fcc4051e9783d03942752eac579c`.

[SylvainJuge]

What does the upload part do exactly ? Does it pushes the changelog entries to S3 instead of pushing the changes into the PR branch as a fallback option ?

I haven't found any documentation about changelog-upload in https://github.com/elastic/docs-actions/tree/main.

[cotti]

S3 will work as more than a fallback option - it will be a source of truth for changelogs and bundles as well. In the future we are going to upload changelog data to an Elasticsearch instance too, so we can add a dynamic release notes navigation page in the docs.

We have some information on its role at https://github.com/elastic/docs-actions/tree/main/changelog#uploading-to-s3 but yeah, I need to add something more dedicated to it.