Add org-membership check for changelog commits (#119)

* Get head repo and maintainer_can_modify from fetch script

* Check for org-membership to determine if we can commit changelogs

* Resolve PR author during preflight

* Remove gh token for generation and conditionally pass it for evaluation

* Split artifact generation and usage steps

* Use docs-builder to handle artifacts

* Improve detection of org membership result

* Add fallback for post-push changes to maintainer

Author: cotti

.github/workflows/changelog-submit.yml

@@ -19,18 +19,112 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  submit:
+  preflight:
     if: >
       github.event.workflow_run.event == 'pull_request'
       && github.event.workflow_run.conclusion != 'cancelled'
       && github.event.repository.fork == false
     runs-on: ubuntu-latest
+    permissions:
+      contents: none
+      pull-requests: read
+      id-token: write
+    outputs:
+      should-submit: ${{ steps.evaluate.outputs.should-submit }}
+      is-org-member: ${{ steps.check-org-membership.outputs.is-member }}
+    steps:
+      - name: Resolve PR author
+        id: pr-author
+        if: github.event.workflow_run.head_repository.full_name != github.repository
+        uses: actions/github-script@v9
+        with:
+          # language=js
+          script: |
+            const run = context.payload.workflow_run;
+            const { owner, repo } = context.repo;
+
+            let prNumber;
+            if (run.pull_requests?.length > 0) {
+              prNumber = run.pull_requests[0].number;
+            } else {
+              const headLabel = `${run.head_repository.owner.login}:${run.head_branch}`;
+              const { data: prs } = await github.rest.pulls.list({
+                owner, repo, state: 'open', head: headLabel
+              });
+              const match = prs.find(pr => pr.head.sha === run.head_sha);
+              if (match) prNumber = match.number;
+            }
+
+            if (!prNumber) {
+              core.setFailed('Could not resolve PR number for fork — cannot verify org membership. Failing closed.');
+              return;
+            }
+
+            const { data: pr } = await github.rest.pulls.get({
+              owner, repo, pull_number: prNumber
+            });
+            core.setOutput('login', pr.user.login);
+
+      - name: Fetch ephemeral GitHub token
+        if: github.event.workflow_run.head_repository.full_name != github.repository
+        id: fetch-ephemeral-token
+        uses: elastic/ci-gh-actions/fetch-github-token@v1.5.0
+        with:
+          vault-instance: "ci-prod"
+          vault-role: "token-policy-a71b1f2b88ec"
+
+      - name: Check org membership
+        id: check-org-membership
+        if: github.event.workflow_run.head_repository.full_name != github.repository
+        uses: elastic/docs-actions/github/is-elastic-org-member@v1
+        with:
+          username: ${{ steps.pr-author.outputs.login }}
+          token: ${{ steps.fetch-ephemeral-token.outputs.token }}
+
+      - name: Evaluate
+        id: evaluate
+        env:
+          IS_FORK: ${{ github.event.workflow_run.head_repository.full_name != github.repository }}
+          IS_ORG_MEMBER: ${{ steps.check-org-membership.outputs.is-member }}
+        # language=bash
+        run: |
+          if [[ "$IS_FORK" == "true" && "$IS_ORG_MEMBER" != "true" ]]; then
+            echo "should-submit=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::Changelog submit skipped — fork PRs from non-members are not processed"
+          else
+            echo "should-submit=true" >> "$GITHUB_OUTPUT"
+          fi
+
+  generate:
+    needs: preflight
+    if: needs.preflight.outputs.should-submit == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+    outputs:
+      proceed: ${{ steps.evaluate.outputs.proceed }}
+    steps:
+      - name: Evaluate and generate changelog
+        id: evaluate
+        uses: elastic/docs-actions/changelog/submit/evaluate@v1
+        with:
+          config: ${{ inputs.config }}
+          # For same-repo PRs the fork-only org-membership steps are skipped,
+          # so the output is empty. Default to 'false' to ensure it is never
+          # interpreted as 'true'.
+          is-org-member: ${{ needs.preflight.outputs.is-org-member || 'false' }}
+          comment-only: ${{ inputs.comment-only }}
+
+  apply:
+    needs: [preflight, generate]
+    if: needs.generate.outputs.proceed == 'true'
+    runs-on: ubuntu-latest
     permissions:
       contents: write
       pull-requests: write
     steps:
-      - name: Submit changelog
-        uses: elastic/docs-actions/changelog/submit@v1
+      - name: Apply changelog
+        uses: elastic/docs-actions/changelog/submit/apply@v1
         with:
           config: ${{ inputs.config }}
-          comment-only: ${{ inputs.comment-only }}

changelog/submit/apply/action.yml

@@ -0,0 +1,188 @@
+name: Changelog submit / apply
+description: >
+  Write action that downloads the changelog artifact produced by the evaluate
+  action and either commits it to the PR branch or posts it as a PR comment.
+  Requires contents:write and pull-requests:write permissions.
+
+inputs:
+  github-token:
+    description: 'GitHub token with contents:write and pull-requests:write'
+    default: '${{ github.token }}'
+  config:
+    description: 'Path to changelog.yml configuration file (used in failure comment)'
+    default: 'docs/changelog.yml'
+
+outputs:
+  committed:
+    description: 'Whether a changelog was committed (true/false)'
+    value: ${{ steps.commit.outputs.committed || 'false' }}
+
+runs:
+  using: composite
+  steps:
+    - name: Download staging artifact
+      uses: actions/download-artifact@v8
+      with:
+        name: changelog-staging
+        path: /tmp/changelog-staging
+
+    - name: Setup docs-builder
+      uses: elastic/docs-actions/docs-builder/setup@v1
+      with:
+        version: edge
+        github-token: ${{ inputs.github-token }}
+
+    - name: Evaluate artifact
+      id: meta
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.github-token }}
+        REPO_OWNER: ${{ github.repository_owner }}
+        REPO_NAME: ${{ github.event.repository.name }}
+      run: |
+        docs-builder changelog evaluate-artifact \
+          --metadata /tmp/changelog-staging/metadata.json \
+          --owner "$REPO_OWNER" \
+          --repo "$REPO_NAME"
+
+    - name: Checkout PR branch
+      if: steps.meta.outputs.should-commit == 'true'
+      uses: actions/checkout@v6
+      with:
+        repository: ${{ steps.meta.outputs.head-repo }}
+        ref: ${{ steps.meta.outputs.head-sha }}
+        token: ${{ inputs.github-token }}
+        persist-credentials: false
+
+    - name: Validate ref names
+      if: steps.meta.outputs.should-commit == 'true'
+      shell: bash
+      env:
+        HEAD_REF: ${{ steps.meta.outputs.head-ref }}
+      run: |
+        if [[ ! "$HEAD_REF" =~ ^[a-zA-Z0-9._/+-]+$ ]]; then
+          echo "::error::Ref name contains disallowed characters: ${HEAD_REF}"
+          exit 1
+        fi
+
+    - name: Commit changelog
+      if: steps.meta.outputs.should-commit == 'true'
+      id: commit
+      shell: bash
+      env:
+        PR_NUMBER: ${{ steps.meta.outputs.pr-number }}
+        CHANGELOG_DIR: ${{ steps.meta.outputs.changelog-dir }}
+        CHANGELOG_FILENAME: ${{ steps.meta.outputs.changelog-filename }}
+        GH_TOKEN: ${{ inputs.github-token }}
+        GIT_REPOSITORY: ${{ github.repository }}
+        IS_FORK: ${{ steps.meta.outputs.is-fork }}
+        HEAD_REPO: ${{ steps.meta.outputs.head-repo }}
+        HEAD_REF: ${{ steps.meta.outputs.head-ref }}
+      run: |
+        GENERATED=$(ls /tmp/changelog-staging/*.yaml 2>/dev/null | head -1)
+        if [ -z "$GENERATED" ]; then
+          echo "::error::No changelog YAML found in staging directory"
+          exit 1
+        fi
+
+        if [ -n "$CHANGELOG_FILENAME" ]; then
+          TARGET_FILENAME="$CHANGELOG_FILENAME"
+        else
+          TARGET_FILENAME=$(basename "$GENERATED")
+        fi
+        CHANGELOG_FILE="$CHANGELOG_DIR/$TARGET_FILENAME"
+
+        if [ -f "$CHANGELOG_FILE" ]; then
+          VERB="Update"
+        else
+          VERB="Add"
+        fi
+
+        mkdir -p "$CHANGELOG_DIR"
+        cp "$GENERATED" "$CHANGELOG_FILE"
+
+        git config user.name "github-actions[bot]"
+        git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+        git add "$CHANGELOG_FILE"
+
+        if git diff --cached --quiet; then
+          echo "No changes to commit"
+          echo "committed=false" >> "$GITHUB_OUTPUT"
+        else
+          git commit -m "${VERB} changelog for PR #${PR_NUMBER}"
+          push_failed=false
+          if [[ "$IS_FORK" == "true" ]]; then
+            git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${HEAD_REPO}.git"
+            if ! git push origin "HEAD:refs/heads/${HEAD_REF}" 2>&1; then
+              echo "::warning::Push to fork failed — maintainer_can_modify may have been revoked after evaluation"
+              push_failed=true
+            fi
+          else
+            git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GIT_REPOSITORY}.git"
+            git push
+          fi
+          git remote set-url origin "https://github.com/${GIT_REPOSITORY}.git"
+
+          if [[ "$push_failed" == "true" ]]; then
+            echo "committed=false" >> "$GITHUB_OUTPUT"
+            echo "push-failed=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "committed=true" >> "$GITHUB_OUTPUT"
+          fi
+        fi
+
+        echo "changelog-file=$CHANGELOG_FILE" >> "$GITHUB_OUTPUT"
+
+    - name: Post success comment
+      if: steps.commit.outputs.committed == 'true'
+      uses: actions/github-script@v9
+      env:
+        PR_NUMBER: ${{ steps.meta.outputs.pr-number }}
+        HEAD_REF: ${{ steps.meta.outputs.head-ref }}
+        CHANGELOG_FILE: ${{ steps.commit.outputs.changelog-file }}
+      with:
+        github-token: ${{ inputs.github-token }}
+        script: |
+          const script = require('${{ github.action_path }}/scripts/post-success-comment.js');
+          await script({ github, context, core });
+
+    - name: Post push-fallback comment
+      if: steps.commit.outputs.push-failed == 'true'
+      uses: actions/github-script@v9
+      env:
+        PR_NUMBER: ${{ steps.meta.outputs.pr-number }}
+        CHANGELOG_DIR: ${{ steps.meta.outputs.changelog-dir }}
+        STAGING_DIR: /tmp/changelog-staging
+      with:
+        github-token: ${{ inputs.github-token }}
+        script: |
+          const script = require('${{ github.action_path }}/scripts/post-push-fallback.js');
+          await script({ github, context, core });
+
+    - name: Post comment-only changelog
+      if: steps.meta.outputs.should-comment-success == 'true'
+      uses: actions/github-script@v9
+      env:
+        PR_NUMBER: ${{ steps.meta.outputs.pr-number }}
+        CHANGELOG_DIR: ${{ steps.meta.outputs.changelog-dir }}
+        STAGING_DIR: /tmp/changelog-staging
+      with:
+        github-token: ${{ inputs.github-token }}
+        script: |
+          const script = require('${{ github.action_path }}/scripts/post-comment-only.js');
+          await script({ github, context, core });
+
+    - name: Post failure comment
+      if: steps.meta.outputs.should-comment-failure == 'true'
+      uses: actions/github-script@v9
+      env:
+        PR_NUMBER: ${{ steps.meta.outputs.pr-number }}
+        LABEL_TABLE: ${{ steps.meta.outputs.label-table }}
+        PRODUCT_LABEL_TABLE: ${{ steps.meta.outputs.product-label-table }}
+        SKIP_LABELS: ${{ steps.meta.outputs.skip-labels }}
+        CONFIG_FILE: ${{ inputs.config }}
+      with:
+        github-token: ${{ inputs.github-token }}
+        script: |
+          const script = require('${{ github.action_path }}/scripts/post-failure-comment.js');
+          await script({ github, context, core });

…angelog/submit/scripts/comment-helper.js …g/submit/apply/scripts/comment-helper.jschangelog/submit/scripts/comment-helper.js renamed to changelog/submit/apply/scripts/comment-helper.js changelog/submit/scripts/comment-helper.js renamed to changelog/submit/apply/scripts/comment-helper.js

@@ -0,0 +1,38 @@
+const fs = require('fs');
+const { TITLE, upsertComment, escapeMarkdown } = require('./comment-helper');
+
+module.exports = async ({ github, context, core }) => {
+  const prNumber = parseInt(process.env.PR_NUMBER, 10);
+  const changelogDir = process.env.CHANGELOG_DIR;
+  const stagingDir = process.env.STAGING_DIR || '/tmp/changelog-staging';
+
+  const files = fs.readdirSync(stagingDir).filter(f => f.endsWith('.yaml'));
+  const content = files.length > 0
+    ? fs.readFileSync(`${stagingDir}/${files[0]}`, 'utf8').trim()
+    : '';
+
+  const bodyParts = [
+    TITLE,
+    '',
+    '⚠️ **Could not push changelog to your fork branch.**',
+    'This usually happens when "Allow edits from maintainers" was disabled after the changelog was evaluated.',
+    '',
+    'Please re-enable it in your PR settings, or apply the changelog manually:',
+  ];
+
+  if (content) {
+    const targetPath = `${changelogDir}/${files[0]}`;
+    bodyParts.push(
+      '',
+      `Save the following to \`${escapeMarkdown(targetPath)}\`:`,
+      '',
+      '```yaml',
+      content,
+      '```',
+    );
+  } else {
+    bodyParts.push('', '⚠️ Changelog entry was generated but the file content could not be read.');
+  }
+
+  await upsertComment({ github, context, prNumber, body: bodyParts.join('\n') });
+};