
Add April 2026 self-hosted changelog entry for ESC SSRF protection#18925

Merged: borisschlosser merged 2 commits into master from self-hosted-changelog-esc-ssrf-april-2026 on May 13, 2026

Conversation

@borisschlosser
Contributor

Summary

  • Adds a new April 2026 entry to the self-hosted changelog covering SSRF protection added to Pulumi ESC providers (pulumi/pulumi-service#41398).
  • Documents the PULUMI_DISABLE_ESC_SSRF_PROTECTION escape hatch (pulumi/pulumi-service#43159) as a breaking-change warning for admins running dependent services on private networks.

Test plan

🤖 Generated with Claude Code

Documents the new SSRF protection in ESC providers and the
PULUMI_DISABLE_ESC_SSRF_PROTECTION escape hatch for admins running
dependent services on private networks.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@claude
Contributor

claude Bot commented May 13, 2026

Docs review

Small, focused change that fits cleanly into the existing changelog rhythm — sentence-case bullet, Breaking Change: warning callout matching the November 2025 precedent at line 40. A few notes:

Suggestions

1. Expand SSRF on first reference (line 27)

The acronym is used in the bullet and again in the callout body without expansion. Self-hosted admins are the audience here, but "SSRF" is still jargon worth glossing once. Consider:

* Added SSRF (server-side request forgery) protection to Pulumi ESC providers to prevent requests to internal network addresses

2. Consistency of scope wording between bullet and callout (lines 27, 30)

The bullet says "internal network addresses"; the callout says "private, loopback, and link-local IP addresses." The callout is the more precise description. Either is fine on its own, but a reader scanning the bullet then expanding to the callout shouldn't have to reconcile the two. Suggest tightening the bullet to mirror the callout's terms — e.g., "...prevent requests to private network addresses" — or letting the bullet remain general and pointing to the callout for specifics.

3. The PR's own test plan flags uncertainty about the env var scope (line 30)

"Confirm the breaking-change callout phrasing matches the actual scope of the env var (set on API service vs. ESC service)"

Worth confirming with the ESC team before merge — if the var is actually consumed by the ESC service (not the API service), the callout will mislead operators following the instruction literally. I can't verify from this repo since the linked pulumi/pulumi-service PRs aren't public.

4. Optional: link to fuller admin docs

The env var PULUMI_DISABLE_ESC_SSRF_PROTECTION doesn't appear anywhere else in content/docs/. If a dedicated admin reference for this setting is being added in a follow-up, a "see [link] for details" sentence would help operators who land on the changelog and need configuration steps. Not blocking — changelogs are appropriately terse.

Nothing else flagged

  • Frontmatter unchanged; aliases preserved
  • Section ordering correct (2026 above 2025)
  • Heading case correct (H2 year is title case as numerals, H3 month is sentence case)
  • Bullet style matches existing entries (no terminating period, sentence case)
  • Warning callout uses {{< notes type="warning" >}} consistent with line 39

Mention me (@claude) if you want another pass after addressing these or for any follow-up fixes.

…scope

- Expand SSRF acronym on first reference
- Align bullet wording with the callout (private, loopback, link-local)
- Drop "on the API service" since the exact service scope is unconfirmed

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
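The protection the changelog entry describes, shown as an added illustration rather than Pulumi's own code (the page does not show how the ESC providers implement it): a Go outbound HTTP client that refuses to connect to private, loopback, and link-local addresses, with the check made at dial time on the resolved IP rather than on the URL's hostname, and an operator escape hatch keyed on the environment variable the entry names. The function names (`isBlockedIP`, `checkDialAddress`, `newOutboundClient`), the constructed loopback target, and the assumption that a value of `1` or `true` disables the guard are all this example's own; the page states neither the variable's accepted values nor which service reads it.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"syscall"
	"time"
)

// ErrBlockedAddress is returned when a dial would reach a private, loopback,
// or link-local address.
var ErrBlockedAddress = errors.New("ssrf guard: destination is a private, loopback, or link-local address")

// isBlockedIP reports whether ip lies in a range an SSRF guard should refuse:
// loopback (127.0.0.0/8, ::1), private (RFC 1918 and fc00::/7), link-local
// (169.254.0.0/16 and fe80::/10, plus link-local multicast), and the
// unspecified address (0.0.0.0, ::), which several stacks route to the local
// host. IPv4-mapped IPv6 forms such as ::ffff:10.0.0.1 are unwrapped by net.IP.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() ||
		ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() ||
		ip.IsUnspecified()
}

// checkDialAddress has the signature of net.Dialer.Control. The dialer calls it
// after DNS resolution, once per candidate address, with a literal "ip:port",
// so the decision is made on the address actually being connected to. A check
// on the URL's hostname alone would miss DNS rebinding, names that resolve to
// both a public and a private address, and redirects to an internal target.
func checkDialAddress(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return fmt.Errorf("ssrf guard: malformed dial address %q: %w", address, err)
	}
	ip := net.ParseIP(host)
	if ip == nil {
		// Control should only ever see literals; refuse anything else rather than guess.
		return fmt.Errorf("ssrf guard: refusing non-literal dial address %q", address)
	}
	if isBlockedIP(ip) {
		return fmt.Errorf("%w: %s", ErrBlockedAddress, ip)
	}
	return nil
}

// protectionDisabled models the operator escape hatch. Assumption of this
// example: the variable is read by the process making the outbound request and
// "1" or "true" disables the guard; the page does not specify accepted values.
func protectionDisabled() bool {
	v := strings.ToLower(strings.TrimSpace(os.Getenv("PULUMI_DISABLE_ESC_SSRF_PROTECTION")))
	return v == "1" || v == "true"
}

// newOutboundClient returns an http.Client whose every TCP dial, including the
// dials made while following redirects, goes through checkDialAddress unless
// the escape hatch is set.
func newOutboundClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	if !protectionDisabled() {
		dialer.Control = checkDialAddress
	}
	transport := &http.Transport{
		DialContext: dialer.DialContext,
		Proxy:       nil, // a proxy would dial on our behalf and bypass the check
	}
	return &http.Client{Transport: transport, Timeout: 30 * time.Second}
}

// fetchStatus performs a GET and returns the status code, or the dial error.
func fetchStatus(client *http.Client, url string) (int, error) {
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// Constructed target: a loopback server standing in for an internal service.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	os.Unsetenv("PULUMI_DISABLE_ESC_SSRF_PROTECTION")
	_, err := fetchStatus(newOutboundClient(), srv.URL)
	fmt.Println("guarded client:", err)

	os.Setenv("PULUMI_DISABLE_ESC_SSRF_PROTECTION", "true")
	code, err := fetchStatus(newOutboundClient(), srv.URL)
	fmt.Println("escape hatch set:", code, err)
}
```

Two points worth carrying over to the changelog audience. First, the check belongs on the dialed IP, not the hostname, for the reasons in the `checkDialAddress` comment; a guard that only inspects the URL is the one attackers route around with a redirect or a rebinding DNS record. Second, the review thread leaves open which service reads the variable; the block above simply assumes the reading process is the one that dials, and an operator who sets it should confirm that with the vendor docs, since setting it on a service that does not make the request changes nothing, and setting it on one that does re-exposes every loopback, RFC 1918 and 169.254.0.0/16 listener reachable from that host (on a cloud VM that includes the instance metadata endpoint).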
@pulumi-bot
Collaborator

@borisschlosser borisschlosser merged commit 8aa8b7f into master May 13, 2026
10 of 12 checks passed
@borisschlosser borisschlosser deleted the self-hosted-changelog-esc-ssrf-april-2026 branch May 13, 2026 14:14

3 participants