SCANCLI-220 SubmitReview: Use Vault token #272

Open

pavel-mikula-sonarsource wants to merge 1 commit into master from Pavel/SubmitReviewToken

Conversation

@pavel-mikula-sonarsource (Contributor)

With the latest automation changes, we need the Vault-based token now. It's the same token as the one in the RequestReview.yml file. Please take care of merging this; I have 200+ repos to update.

@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot changed the title SubmitReview: Use Vault token SCANCLI-220 SubmitReview: Use Vault token Apr 28, 2026

hashicorp-vault-sonar-prod Bot commented Apr 28, 2026

SCANCLI-220


sonar-review-alpha Bot commented Apr 28, 2026

Summary

What changed: The SubmitReview workflow now retrieves the GitHub token from Vault instead of using the default secrets.GITHUB_TOKEN, aligning it with the RequestReview workflow pattern. The change includes fetching a Vault-managed token via vault-action-wrapper and passing it to the SubmitReview action.

Why: This migration to Vault-based token management is part of the latest automation changes. It enables centralized token management and consistency across workflows. The same token is already used in RequestReview.yml.

What reviewers should know

What to review:

  • The new Vault secret path: development/github/token/{REPO_OWNER_NAME_DASH}-jira token — verify the path syntax is correct and matches your Vault configuration
  • The token is extracted from the vault output and passed to the action: fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN
  • Removed pull-requests: read permission — no longer needed since we're not using default GitHub token credentials

Context: This is one of 200+ repos being updated to this pattern. The changes are minimal and follow the RequestReview.yml pattern, so if that workflow is working correctly, this should work the same way.
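To make the pattern the summary describes concrete, here is an added illustration of a SubmitReview workflow that fetches its token from Vault. It is not the PR's own diff and not SonarSource's file: the trigger event, the `permissions` block (`id-token: write` for the OIDC login to Vault), the wrapper version, the `secrets` input syntax of vault-action-wrapper and the SubmitReview action reference are assumptions; the Vault path and the `fromJSON(...)` expression come from the summary above.

```yaml
# Added example, not the PR's diff. Action refs, trigger and the
# `secrets` input syntax are assumptions; the Vault path and the
# fromJSON expression are the ones named in the PR summary.
name: SubmitReview

on:
  pull_request_review:            # trigger assumed
    types: [submitted]

jobs:
  submit-review:
    runs-on: ubuntu-latest
    permissions:
      id-token: write             # assumed: lets the wrapper log in to Vault via OIDC
      # `pull-requests: read` is intentionally absent. It only widened the
      # built-in GITHUB_TOKEN, which this job no longer passes anywhere.
    steps:
      - name: Fetch GitHub token from Vault
        id: secrets
        uses: SonarSource/vault-action-wrapper@v3    # version assumed
        with:
          # "<path> <key> | <OUTPUT_NAME>;" - one line per secret (syntax assumed)
          secrets: |
            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;

      - name: Submit review
        uses: <org>/<submit-review-action>@<ref>      # placeholder for the SubmitReview action
        with:
          # Before the change this was `secrets.GITHUB_TOKEN`; now the
          # Vault-managed token is read from the wrapper's JSON output.
          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
```

Two points worth checking when reviewing a workflow like this: the `steps.secrets.outputs.vault` output is a JSON map keyed by the name after `|`, so the key in `fromJSON(...).GITHUB_TOKEN` must match that name exactly, and any `permissions` entry left over from the `secrets.GITHUB_TOKEN` era should be removed rather than kept "just in case", since it grants scope to a token the job no longer uses.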

@sonar-review-alpha sonar-review-alpha Bot left a comment


LGTM! ✅

Clean, minimal change. The resulting SubmitReview.yml is now structurally identical to RequestReview.yml, which already uses this same Vault token pattern successfully. The removal of pull-requests: read is correct — that permission scoped the built-in GITHUB_TOKEN; the Vault-managed token carries its own permissions and doesn't need it.
