[One Workflow] fix: prevent alert rule actions from triggering disabled workflows#252673
Merged
talboren merged 2 commits intoFeb 11, 2026
Conversation
The workflows connector execution path did not check the workflow's enabled state before running it. This meant alert rule actions with a "Run Workflow" action would still execute disabled workflows. Extract shared workflow validation into `validateWorkflowForExecution` (assertion function) and add the missing `enabled` check alongside the existing not-found / no-definition / not-valid guards. Closes elastic/security-team#15684 Co-authored-by: Cursor <cursoragent@cursor.com>
talboren
added
release_note:skip
talboren
changed the title
Contributor
Author
Contributor
|
Starting backport for target branches: 9.3 https://github.com/elastic/kibana/actions/runs/21902428998 |
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]
|
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Feb 11, 2026
…ed workflows (elastic#252673) ## Summary - Alert rule actions with a "Run Workflow" connector were executing workflows even when the workflow was disabled (`enabled: false`). The backend connector path checked for workflow existence, definition, and validity — but skipped the `enabled` check. - Extracted the shared validation logic into a reusable `validateWorkflowForExecution` assertion function that guards against not-found, missing-definition, invalid, and **disabled** workflows before execution. - Added comprehensive unit tests covering all validation scenarios including the disabled workflow case. ## References Closes elastic/security-team#15684 Made with [Cursor](https://cursor.com) Co-authored-by: Cursor <cursoragent@cursor.com> (cherry picked from commit 6b7b6f3)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Feb 11, 2026
…disabled workflows (#252673) (#252682) # Backport This will backport the following commits from `main` to `9.3`: - [[One Workflow] fix: prevent alert rule actions from triggering disabled workflows (#252673)](#252673) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Tal","email":"tal.borenstein@elastic.co"},"sourceCommit":{"committedDate":"2026-02-11T10:59:34Z","message":"[One Workflow] fix: prevent alert rule actions from triggering disabled workflows (#252673)\n\n## Summary\n\n- Alert rule actions with a \"Run Workflow\" connector were executing\nworkflows even when the workflow was disabled (`enabled: false`). The\nbackend connector path checked for workflow existence, definition, and\nvalidity — but skipped the `enabled` check.\n- Extracted the shared validation logic into a reusable\n`validateWorkflowForExecution` assertion function that guards against\nnot-found, missing-definition, invalid, and **disabled** workflows\nbefore execution.\n- Added comprehensive unit tests covering all validation scenarios\nincluding the disabled workflow case.\n\n## References\n\nCloses elastic/security-team#15684\n\n\nMade with [Cursor](https://cursor.com)\n\nCo-authored-by: Cursor <cursoragent@cursor.com>","sha":"6b7b6f35672e10108689dd1cb1acc81b18e13913","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","backport:version","Team:One Workflow","v9.3.0","v9.4.0"],"title":"[One Workflow] fix: prevent alert rule actions from triggering disabled workflows","number":252673,"url":"https://github.com/elastic/kibana/pull/252673","mergeCommit":{"message":"[One Workflow] fix: prevent alert rule actions from triggering disabled workflows (#252673)\n\n## Summary\n\n- Alert rule actions with a \"Run Workflow\" connector were executing\nworkflows even when the workflow was disabled (`enabled: false`). The\nbackend connector path checked for workflow existence, definition, and\nvalidity — but skipped the `enabled` check.\n- Extracted the shared validation logic into a reusable\n`validateWorkflowForExecution` assertion function that guards against\nnot-found, missing-definition, invalid, and **disabled** workflows\nbefore execution.\n- Added comprehensive unit tests covering all validation scenarios\nincluding the disabled workflow case.\n\n## References\n\nCloses elastic/security-team#15684\n\n\nMade with [Cursor](https://cursor.com)\n\nCo-authored-by: Cursor <cursoragent@cursor.com>","sha":"6b7b6f35672e10108689dd1cb1acc81b18e13913"}},"sourceBranch":"main","suggestedTargetBranches":["9.3"],"targetPullRequestStates":[{"branch":"9.3","label":"v9.3.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/252673","number":252673,"mergeCommit":{"message":"[One Workflow] fix: prevent alert rule actions from triggering disabled workflows (#252673)\n\n## Summary\n\n- Alert rule actions with a \"Run Workflow\" connector were executing\nworkflows even when the workflow was disabled (`enabled: false`). The\nbackend connector path checked for workflow existence, definition, and\nvalidity — but skipped the `enabled` check.\n- Extracted the shared validation logic into a reusable\n`validateWorkflowForExecution` assertion function that guards against\nnot-found, missing-definition, invalid, and **disabled** workflows\nbefore execution.\n- Added comprehensive unit tests covering all validation scenarios\nincluding the disabled workflow case.\n\n## References\n\nCloses elastic/security-team#15684\n\n\nMade with [Cursor](https://cursor.com)\n\nCo-authored-by: Cursor <cursoragent@cursor.com>","sha":"6b7b6f35672e10108689dd1cb1acc81b18e13913"}}]}] BACKPORT--> Co-authored-by: Tal <tal.borenstein@elastic.co> Co-authored-by: Cursor <cursoragent@cursor.com>
talboren
deleted the
15684-bug-alert-rule-actions-trigger-disabled-workflows
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
enabled: false). The backend connector path checked for workflow existence, definition, and validity — but skipped theenabledcheck.validateWorkflowForExecutionassertion function that guards against not-found, missing-definition, invalid, and disabled workflows before execution.References
Closes elastic/security-team#15684
Made with Cursor