Security fixes

Author: cotti

.github/workflows/changelog-bundle.yml

@@ -14,20 +14,29 @@ on:
         type: string
       report:
         description: >
-          Buildkite promotion report URL or local file path.
+          Buildkite promotion report HTTPS URL or local file path.
           Mutually exclusive with release-version.
         type: string
       output:
         description: 'Output file path for the bundle (e.g. docs/releases/v9.2.0.yaml)'
         type: string
         required: true
+      base-branch:
+        description: 'Base branch for the pull request (defaults to repository default branch)'
+        type: string
       repo:
         description: 'GitHub repository name; falls back to bundle.repo in changelog.yml'
         type: string
       owner:
         description: 'GitHub repository owner; falls back to bundle.owner in changelog.yml'
         type: string
 
+permissions: {}
+
+concurrency:
+  group: changelog-bundle-${{ inputs.output }}
+  cancel-in-progress: false
+
 jobs:
   generate:
     runs-on: ubuntu-latest
@@ -54,4 +63,5 @@ jobs:
       - uses: elastic/docs-actions/changelog/bundle-pr@v1
         with:
           output: ${{ inputs.output }}
+          base-branch: ${{ inputs.base-branch }}
           github-token: ${{ github.token }}

changelog/README.md

@@ -196,8 +196,6 @@ Your `docs/changelog.yml` must include a `bundle` section so docs-builder knows
 ```yaml
 bundle:
   directory: docs/changelog
-  repo: my-repo
-  owner: elastic
 ```
 
 The reusable workflow splits into two jobs with separate permissions: `generate` (read-only, produces the bundle artifact) and `create-pr` (write access, opens a pull request with the bundle file).
@@ -244,6 +242,7 @@ name: changelog-bundle
 
 on:
   schedule:
+    # At 08:00 AM, Monday through Friday
     - cron: '0 8 * * 1-5'
   workflow_dispatch:
     inputs:

changelog/bundle-create/action.yml

@@ -31,6 +31,9 @@ inputs:
     description: >
       GitHub repository owner. Falls back to bundle.owner in changelog.yml,
       then to elastic.
+  artifact-name:
+    description: 'Name for the uploaded artifact (must match bundle-pr artifact-name)'
+    default: 'changelog-bundle'
   github-token:
     description: 'GitHub token (needed for release-version to access GitHub API)'
     default: '${{ github.token }}'
@@ -75,9 +78,12 @@ runs:
         fi
 
         if [ -n "$REPORT" ]; then
-          if [[ "$REPORT" == http://* ]] || [[ "$REPORT" == https://* ]]; then
+          if [[ "$REPORT" == https://* ]]; then
             curl -fsSL "$REPORT" -o .bundle-report.html
             REPORT=".bundle-report.html"
+          elif [[ "$REPORT" == http://* ]]; then
+            echo "::error::Report URL must use HTTPS: ${REPORT}"
+            exit 1
           fi
           bundle_args+=(--report "$REPORT")
           docker_args+=(--network none)
@@ -88,7 +94,7 @@ runs:
     - name: Upload bundle artifact
       uses: actions/upload-artifact@v6
       with:
-        name: changelog-bundle
+        name: ${{ inputs.artifact-name }}
         path: ${{ inputs.output }}
         if-no-files-found: error
         retention-days: 1

changelog/bundle-pr/action.yml

@@ -11,6 +11,12 @@ inputs:
       (e.g. docs/releases/v9.2.0.yaml). Must match the path used
       by the bundle-create action.
     required: true
+  base-branch:
+    description: 'Base branch for the pull request (defaults to repository default branch)'
+    default: ''
+  artifact-name:
+    description: 'Name of the artifact uploaded by bundle-create'
+    default: 'changelog-bundle'
   github-token:
     description: 'GitHub token with contents:write and pull-requests:write permissions'
     default: '${{ github.token }}'
@@ -23,20 +29,46 @@ runs:
       with:
         persist-credentials: false
 
+    - name: Validate output path
+      shell: bash
+      env:
+        OUTPUT: ${{ inputs.output }}
+      run: |
+        if [[ "$OUTPUT" != *.yml && "$OUTPUT" != *.yaml ]]; then
+          echo "::error::Output path must end in .yml or .yaml: ${OUTPUT}"
+          exit 1
+        fi
+        if [[ "$OUTPUT" == /* ]]; then
+          echo "::error::Output path must be relative: ${OUTPUT}"
+          exit 1
+        fi
+        if [[ "$OUTPUT" == *..* ]]; then
+          echo "::error::Output path must not contain '..': ${OUTPUT}"
+          exit 1
+        fi
+
     - name: Download bundle artifact
       uses: actions/download-artifact@v6
       with:
-        name: changelog-bundle
+        name: ${{ inputs.artifact-name }}
         path: .bundle-artifact
 
     - name: Create pull request
       shell: bash
       env:
         OUTPUT: ${{ inputs.output }}
+        BASE_BRANCH: ${{ inputs.base-branch }}
         GH_TOKEN: ${{ inputs.github-token }}
         GIT_REPOSITORY: ${{ github.repository }}
       run: |
         BUNDLE_NAME=$(basename "$OUTPUT" .yaml)
+        BUNDLE_NAME=$(basename "$BUNDLE_NAME" .yml)
+
+        if [[ ! "$BUNDLE_NAME" =~ ^[a-zA-Z0-9._+-]+$ ]]; then
+          echo "::error::Bundle name contains disallowed characters: ${BUNDLE_NAME}"
+          exit 1
+        fi
+
         BRANCH="changelog-bundle/${BUNDLE_NAME}"
 
         mkdir -p "$(dirname "$OUTPUT")"
@@ -55,15 +87,22 @@ runs:
 
         git commit -m "Add changelog bundle ${BUNDLE_NAME}"
         git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GIT_REPOSITORY}.git"
+        # Force-push: branch is ephemeral and always rebuilt from scratch
         git push -f origin "$BRANCH"
         git remote set-url origin "https://github.com/${GIT_REPOSITORY}.git"
 
+        BASE_FLAG=()
+        if [ -n "$BASE_BRANCH" ]; then
+          BASE_FLAG=(--base "$BASE_BRANCH")
+        fi
+
         EXISTING_PR=$(gh pr list --head "$BRANCH" --json number --jq '.[0].number // empty')
         if [ -n "$EXISTING_PR" ]; then
           echo "PR #${EXISTING_PR} already exists for branch ${BRANCH}, updated with latest bundle"
         else
           gh pr create \
             --title "Add changelog bundle ${BUNDLE_NAME}" \
             --body "Auto-generated changelog bundle for ${BUNDLE_NAME}." \
-            --head "$BRANCH"
+            --head "$BRANCH" \
+            "${BASE_FLAG[@]}"
         fi