From a55d3bace11f71dfaff6d06a80a9aa73485b4955 Mon Sep 17 00:00:00 2001 From: Martijn Laarman Date: Wed, 25 Mar 2026 14:30:37 +0100 Subject: [PATCH 1/4] Migrate docs workflows from preview-build to docs-actions Replace the monolithic preview-build.yml caller with the new two-phase workflow architecture from elastic/docs-actions: - docs-build.yml (Phase 1): read-only build validation on PRs and push - docs-deploy.yml (Phase 2): privileged deploy via workflow_run - docs-preview-cleanup.yml: cleanup on PR close Removes the old docs-cleanup.yml that called docs-builder's preview-cleanup workflow. Part of elastic/docs-eng-team#474 Made-with: Cursor --- .github/workflows/docs-build.yml | 20 +++++--------------- .github/workflows/docs-cleanup.yml | 14 -------------- .github/workflows/docs-deploy.yml | 8 ++++++++ .github/workflows/docs-preview-cleanup.yml | 7 +++++++ 4 files changed, 20 insertions(+), 29 deletions(-) delete mode 100644 .github/workflows/docs-cleanup.yml create mode 100644 .github/workflows/docs-deploy.yml create mode 100644 .github/workflows/docs-preview-cleanup.yml diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml index adf95da5..03f98ef7 100644 --- a/.github/workflows/docs-build.yml +++ b/.github/workflows/docs-build.yml @@ -1,19 +1,9 @@ name: docs-build - on: + pull_request: + types: [opened, synchronize, reopened] push: - branches: - - main - pull_request_target: ~ - merge_group: ~ - + branches: [main] jobs: - docs-preview: - uses: elastic/docs-builder/.github/workflows/preview-build.yml@main - with: - path-pattern: docs/** - permissions: - deployments: write - id-token: write - contents: read - pull-requests: write + build: + uses: elastic/docs-actions/.github/workflows/docs-build.yml@v1 diff --git a/.github/workflows/docs-cleanup.yml b/.github/workflows/docs-cleanup.yml deleted file mode 100644 index f83e017b..00000000 --- a/.github/workflows/docs-cleanup.yml +++ /dev/null 
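Review bot: `uses: elastic/docs-actions/.github/workflows/docs-build.yml@v1` in docs-build.yml points at a movable tag, so the code this job runs can change without any commit in this repository. Pinning to a full commit SHA with the tag kept as a comment, `uses: elastic/docs-actions/.github/workflows/docs-build.yml@<full-commit-sha> # v1`, makes every upgrade a reviewable diff. The same applies to the `@v1` references added in docs-deploy.yml and docs-preview-cleanup.yml, where it matters more because patch 2/4 grants those callers `id-token: write` and `deployments: write`.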
@@ -1,14 +0,0 @@ -name: docs-cleanup - -on: - pull_request_target: - types: - - closed - -jobs: - docs-preview: - uses: elastic/docs-builder/.github/workflows/preview-cleanup.yml@main - permissions: - contents: none - id-token: write - deployments: write diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml new file mode 100644 index 00000000..9ae18ea1 --- /dev/null +++ b/.github/workflows/docs-deploy.yml @@ -0,0 +1,8 @@ +name: docs-deploy +on: + workflow_run: + workflows: [docs-build] + types: [completed] +jobs: + deploy: + uses: elastic/docs-actions/.github/workflows/docs-deploy.yml@v1 diff --git a/.github/workflows/docs-preview-cleanup.yml b/.github/workflows/docs-preview-cleanup.yml new file mode 100644 index 00000000..cd120429 --- /dev/null +++ b/.github/workflows/docs-preview-cleanup.yml @@ -0,0 +1,7 @@ +name: docs-preview-cleanup +on: + pull_request_target: + types: [closed] +jobs: + cleanup: + uses: elastic/docs-actions/.github/workflows/docs-preview-cleanup.yml@v1 From 63abf7187682cd67907fdf379a681519fda4e442 Mon Sep 17 00:00:00 2001 From: Martijn Laarman Date: Wed, 25 Mar 2026 15:18:16 +0100 Subject: [PATCH 2/4] Add explicit GITHUB_TOKEN permissions to workflow callers Repos with restrictive default token permissions need the caller to explicitly grant what the reusable workflows require. Made-with: Cursor --- .github/workflows/docs-build.yml | 3 +++ .github/workflows/docs-deploy.yml | 5 +++++ .github/workflows/docs-preview-cleanup.yml | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml index 03f98ef7..1672d8a6 100644 --- a/.github/workflows/docs-build.yml +++ b/.github/workflows/docs-build.yml @@ -4,6 +4,9 @@ on: types: [opened, synchronize, reopened] push: branches: [main] +permissions: + contents: read + pull-requests: read jobs: build: uses: elastic/docs-actions/.github/workflows/docs-build.yml@v1 
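Review bot: In the new docs-deploy.yml, `types: [completed]` fires for every finished docs-build run, including failed and cancelled ones and runs started from fork pull requests, and the `deploy` job has no condition. Unless the called workflow already checks this (not visible here), gate the caller with `if: github.event.workflow_run.conclusion == 'success'` on the `deploy` job. A short comment that artifacts from the build run are untrusted input to this privileged phase would also help future editors.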
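Review bot: The `pull_request_target` trigger in the new docs-preview-cleanup.yml runs with the base repository's token even for fork pull requests, and nothing in the file records the constraint that follows from that. I would add a comment above the trigger such as `# pull_request_target: runs in the base-repo context for fork PRs; never check out or execute PR head code here`. Whether the reusable cleanup workflow honours this cannot be confirmed from this hunk.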
diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml index 9ae18ea1..df92fabc 100644 --- a/.github/workflows/docs-deploy.yml +++ b/.github/workflows/docs-deploy.yml @@ -3,6 +3,11 @@ on: workflow_run: workflows: [docs-build] types: [completed] +permissions: + contents: read + deployments: write + id-token: write + pull-requests: write jobs: deploy: uses: elastic/docs-actions/.github/workflows/docs-deploy.yml@v1 diff --git a/.github/workflows/docs-preview-cleanup.yml b/.github/workflows/docs-preview-cleanup.yml index cd120429..b234c235 100644 --- a/.github/workflows/docs-preview-cleanup.yml +++ b/.github/workflows/docs-preview-cleanup.yml @@ -2,6 +2,10 @@ name: docs-preview-cleanup on: pull_request_target: types: [closed] +permissions: + contents: none + deployments: write + id-token: write jobs: cleanup: uses: elastic/docs-actions/.github/workflows/docs-preview-cleanup.yml@v1 From f9fec1e4e38b2a8f0506d07fe2aea89f622c252d Mon Sep 17 00:00:00 2001 From: Martijn Laarman Date: Wed, 25 Mar 2026 15:25:18 +0100 Subject: [PATCH 3/4] Narrow docs-build.yml permissions to contents: read only Made-with: Cursor --- .github/workflows/docs-build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml index 1672d8a6..42528d9d 100644 --- a/.github/workflows/docs-build.yml +++ b/.github/workflows/docs-build.yml @@ -6,7 +6,6 @@ on: branches: [main] permissions: contents: read - pull-requests: read jobs: build: uses: elastic/docs-actions/.github/workflows/docs-build.yml@v1 From 3f57a7d12603c1431797f1e99cf5758800e82bfb Mon Sep 17 00:00:00 2001 From: Martijn Laarman Date: Wed, 25 Mar 2026 15:47:52 +0100 Subject: [PATCH 4/4] Add pull-requests: read to docs-build.yml permissions Made-with: Cursor --- .github/workflows/docs-build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml index 42528d9d..1672d8a6 100644 
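Review bot: The `permissions:` block added to docs-deploy.yml sits at workflow level, so any job later added to this file silently inherits `id-token: write`, `deployments: write` and `pull-requests: write`. Moving the block under `jobs.deploy` binds those scopes to the single reusable-workflow call that needs them. The same applies to the block added to docs-preview-cleanup.yml in the next hunk, which could move under `jobs.cleanup`. With one job per file the effective grant is unchanged today, so this is hardening against later edits.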
--- a/.github/workflows/docs-build.yml +++ b/.github/workflows/docs-build.yml @@ -6,6 +6,7 @@ on: branches: [main] permissions: contents: read + pull-requests: read jobs: build: uses: elastic/docs-actions/.github/workflows/docs-build.yml@v1
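Review bot: `pull-requests: read` was removed in patch 3/4 and is restored here with no reason given in the file or the commit message, so the next least-privilege pass is likely to drop it again. A trailing comment on the added line would record the dependency, for example `pull-requests: read  # required by docs-actions docs-build.yml: <reason to fill in>`. Stating in the commit message what failed without the scope would make the trail complete.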