diff --git a/.github/workflows/changelog-upload.yml b/.github/workflows/changelog-upload.yml
new file mode 100644
index 0000000..a02b272
--- /dev/null
+++ b/.github/workflows/changelog-upload.yml
@@ -0,0 +1,31 @@
+name: Changelog upload
+
+on:
+  workflow_call:
+    inputs:
+      config:
+        description: 'Path to changelog.yml configuration file'
+        type: string
+        default: 'docs/changelog.yml'
+      pr-number:
+        description: 'Pull request number (required for concurrency deduplication)'
+        type: string
+        required: true
+
+permissions: {}
+
+concurrency:
+  group: changelog-upload-${{ inputs.pr-number }}
+  cancel-in-progress: true
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Upload changelog
+        uses: elastic/docs-actions/changelog/upload@v1
+        with:
+          config: ${{ inputs.config }}
diff --git a/.github/workflows/create-major-tag.yml b/.github/workflows/create-major-tag.yml
index 4854188..c2ecaf5 100644
--- a/.github/workflows/create-major-tag.yml
+++ b/.github/workflows/create-major-tag.yml
@@ -5,19 +5,37 @@ on:
     types:
       - published
 
-permissions:
-  contents: write
+permissions: {}
+
+concurrency:
+  group: create-major-tag
+  cancel-in-progress: false
 
 jobs:
   create-major-tag:
+    permissions:
+      contents: write
     runs-on: ubuntu-slim
     steps:
       - uses: actions/checkout@v6
-      - name: Get major version
+        with:
+          persist-credentials: false
+
+      - name: Validate and extract major version
+        env:
+          TAG: ${{ github.event.release.tag_name }}
         run: |
-          MAJOR_VERSION=$(echo "${GITHUB_REF#refs/tags/}" | awk -F. '{print $1}')
-          echo "MAJOR_VERSION=${MAJOR_VERSION}" >> "${GITHUB_ENV}"
+          if [[ ! "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "::error::Tag '${TAG}' does not match expected semver format (N.N.N)"
+            exit 1
+          fi
+          echo "MAJOR_VERSION=${TAG%%.*}" >> "${GITHUB_ENV}"
+
       - name: Create major tag
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
           git tag "v${MAJOR_VERSION}"
           git push -f origin "refs/tags/v${MAJOR_VERSION}"
+          git remote set-url origin "https://github.com/${GITHUB_REPOSITORY}.git"
diff --git a/.github/workflows/required-labels.yml b/.github/workflows/required-labels.yml
index 560b140..f1a252d 100644
--- a/.github/workflows/required-labels.yml
+++ b/.github/workflows/required-labels.yml
@@ -19,13 +19,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          sparse-checkout: .github/release-drafter.yml
+          persist-credentials: false
       - name: Wait for PR to be ready (if just opened)
         if: github.event_name == 'pull_request_target' && github.event.action == 'opened'
         run: sleep 30
       - id: get-labels
         run: |
-          labels=$(yq '[.categories[].labels] + .exclude-labels | flatten | unique | sort | @tsv' .github/release-drafter.yml | tr '\t' ',')
-          echo "labels=$labels" >> "${GITHUB_OUTPUT}"
+          delimiter="$(openssl rand -hex 16)"
+          {
+            echo "labels<<${delimiter}"
+            yq '[.categories[].labels] + .exclude-labels | flatten | unique | sort | @tsv' .github/release-drafter.yml | tr '\t' ','
+            echo "${delimiter}"
+          } >> "${GITHUB_OUTPUT}"
       - id: check-labels
         uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5
         with:
diff --git a/changelog/README.md b/changelog/README.md
index afbfbc5..6b3ebae 100644
--- a/changelog/README.md
+++ b/changelog/README.md
@@ -178,3 +178,57 @@ If a human edits the changelog file directly (i.e., the last commit to the chang
 ## Output
 
 Each PR produces a file at `docs/changelog/{filename}.yaml` on the PR branch (where the filename is determined by the `docs-builder changelog add` command). These files are consumed by `docs-builder` during documentation builds to produce a rendered changelog page.
+
+## Uploading to S3
+
+When a PR is merged, the committed changelog file can be uploaded to the `elastic-docs-v3-changelog-bundles` S3 bucket under `{product}/changelogs/{filename}.yaml`, preserving the original filename as determined by the repository's `filename` strategy in `changelog.yml`. This makes it available for release bundling workflows.
+
+### 1. Add the upload workflow
+
+**`.github/workflows/changelog-upload.yml`**
+
+```yaml
+name: changelog-upload
+
+on:
+  pull_request:
+    types:
+      - closed
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  upload:
+    if: github.event.pull_request.merged == true
+    uses: elastic/docs-actions/.github/workflows/changelog-upload.yml@v1
+    with:
+      pr-number: ${{ github.event.pull_request.number }}
+```
+
+If your changelog configuration is not at `docs/changelog.yml`, pass the path explicitly:
+
+```yaml
+jobs:
+  upload:
+    if: github.event.pull_request.merged == true
+    uses: elastic/docs-actions/.github/workflows/changelog-upload.yml@v1
+    with:
+      pr-number: ${{ github.event.pull_request.number }}
+      config: path/to/changelog.yml
+```
+
+### 2. Enable OIDC access
+
+The upload workflow authenticates to AWS via GitHub Actions OIDC. Your repository must be listed in the `elastic-docs-v3-changelog-bundles` infrastructure to have an IAM role provisioned. Contact the docs-engineering team to add your repository.
+
+### How it works
+
+When a PR is merged, the upload workflow:
+
+1. Checks out the merge commit
+2. Sets up `docs-builder` and authenticates with AWS via OIDC
+3. Runs `docs-builder changelog upload`, which reads your `changelog.yml`, discovers changelog YAML files in the configured directory, and incrementally uploads them to `{product}/changelogs/{filename}.yaml` in the bucket — only files whose content has changed are transferred
+
+If the changelog directory has no files (for example, because changelog generation was skipped), the command exits silently without error.
diff --git a/changelog/upload/README.md b/changelog/upload/README.md
new file mode 100644
index 0000000..4507854
--- /dev/null
+++ b/changelog/upload/README.md
@@ -0,0 +1,24 @@
+<!-- Generated by https://github.com/reakaleek/gh-action-readme -->
+# <!--name-->Changelog upload<!--/name-->
+<!--description-->
+Uploads changelog entries for a merged PR to the elastic-docs-v3-changelog-bundles S3 bucket using docs-builder's incremental upload. Only files whose content has changed are transferred.
+<!--/description-->
+
+## Inputs
+<!--inputs-->
+| Name             | Description                               | Required | Default               |
+|------------------|-------------------------------------------|----------|-----------------------|
+| `config`         | Path to changelog.yml configuration file  | `false`  | `docs/changelog.yml`  |
+| `github-token`   | GitHub token (used by docs-builder setup) | `false`  | `${{ github.token }}` |
+| `aws-account-id` | The AWS account ID                        | `false`  | `197730964718`        |
+<!--/inputs-->
+
+## Outputs
+<!--outputs-->
+| Name | Description |
+|------|-------------|
+<!--/outputs-->
+
+## Usage
+<!--usage action="your/action" version="v1"-->
+<!--/usage-->
diff --git a/changelog/upload/action.yml b/changelog/upload/action.yml
new file mode 100644
index 0000000..1f4b602
--- /dev/null
+++ b/changelog/upload/action.yml
@@ -0,0 +1,58 @@
+name: Changelog upload
+description: >
+  Uploads changelog entries for a merged PR to the elastic-docs-v3-changelog-bundles
+  S3 bucket using docs-builder's incremental upload. Only files whose content has
+  changed are transferred.
+
+inputs:
+  config:
+    description: 'Path to changelog.yml configuration file'
+    default: 'docs/changelog.yml'
+  github-token:
+    description: 'GitHub token (used by docs-builder setup)'
+    default: '${{ github.token }}'
+  aws-account-id:
+    description: 'The AWS account ID'
+    default: '197730964718'
+
+runs:
+  using: composite
+  steps:
+    - name: Verify event context
+      shell: bash
+      env:
+        MERGE_SHA: ${{ github.event.pull_request.merge_commit_sha }}
+      run: |
+        if [ -z "$MERGE_SHA" ]; then
+          echo "::error::merge_commit_sha is empty — must be triggered from a merged pull_request event"
+          exit 1
+        fi
+
+    - name: Checkout
+      uses: actions/checkout@v6
+      with:
+        ref: ${{ github.event.pull_request.merge_commit_sha }}
+        persist-credentials: false
+
+    - name: Setup docs-builder
+      uses: elastic/docs-actions/docs-builder/setup@v1
+      with:
+        version: edge
+        github-token: ${{ inputs.github-token }}
+
+    - name: Authenticate with AWS
+      uses: elastic/docs-actions/aws/auth@v1
+      with:
+        aws_account_id: ${{ inputs.aws-account-id }}
+        aws_role_name_prefix: elastic-docs-v3-changelog-
+
+    - name: Upload changelogs
+      shell: bash
+      env:
+        CONFIG: ${{ inputs.config }}
+      run: |
+        docs-builder changelog upload \
+          --artifact-type changelog \
+          --target s3 \
+          --s3-bucket-name elastic-docs-v3-changelog-bundles \
+          --config "$CONFIG"