
SQSCANGHA-143 SubmitReview: Use Vault token #238

Open
pavel-mikula-sonarsource wants to merge 1 commit into master from Pavel/SubmitReviewToken

Conversation

@pavel-mikula-sonarsource
Contributor

With the latest automation changes, we need the Vault-based token now. It's the same token as the one in the RequestReview.yml file. Please take care of merging this, I have 200+ repos to update.

@sonar-review-alpha

sonar-review-alpha Bot commented Apr 28, 2026

Summary

This PR migrates the SubmitReview workflow from using GitHub Actions' built-in GITHUB_TOKEN to a Vault-managed token. The change fetches a repo-specific token from Vault alongside the existing JIRA credentials, and removes the now-unnecessary pull-requests: read permission. This aligns with the token pattern already established in RequestReview.yml.

What reviewers should know

What changed:

  • Token source: secrets.GITHUB_TOKEN (GitHub Actions built-in) → Vault secret via vault-action-wrapper
  • Removed unused pull-requests: read permission since GITHUB_TOKEN no longer needed
  • Added new Vault secret path: development/github/token/{REPO_OWNER_NAME_DASH}-jira token

Key points for review:

  • The placeholder {REPO_OWNER_NAME_DASH} in the Vault path suggests it's dynamically resolved by the vault-action-wrapper
  • The GITHUB_TOKEN value is now extracted from the Vault JSON response like the JIRA credentials already are
  • This is consistent with the RequestReview.yml pattern mentioned by the author—check that file to confirm the same approach if needed

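The token pattern the summary describes, shown side by side as an added example workflow (this is not the PR's diff and not one of the repository's real workflow files). The "before" job uses the built-in GITHUB_TOKEN and therefore needs pull-requests: read; the "after" job fetches a repo-specific token from Vault next to the JIRA credentials and drops that permission. Assumptions not on the page: the step ids, the wrapper version tag, the JIRA secret paths, the id-token: write permission (needed if the wrapper authenticates to Vault via OIDC), and the "path key | NAME" secret syntax and fromJSON(steps.<id>.outputs.vault) output expression, which follow vault-action-wrapper's documented convention. The {REPO_OWNER_NAME_DASH} placeholder is left literal because the summary says the wrapper resolves it.

```yaml
# Added example, not the PR's diff. Step ids, wrapper version, JIRA paths
# and the id-token permission are assumptions.
name: SubmitReview

on:
  pull_request_review:
    types: [submitted]

jobs:
  # Before: built-in token; pull-requests: read must be granted explicitly.
  submit-review-before:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: read
    steps:
      - name: Submit review with GITHUB_TOKEN
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./submit-review.sh   # assumed script name

  # After: token comes from Vault alongside the JIRA credentials, so the
  # built-in GITHUB_TOKEN is unused and pull-requests: read is removed.
  submit-review-after:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # assumption: OIDC login to Vault by the wrapper
    steps:
      - name: Get secrets from Vault
        id: secrets                                  # assumed id
        uses: SonarSource/vault-action-wrapper@v3    # version is an assumption
        with:
          secrets: |
            development/kv/data/jira user | JIRA_USER;
            development/kv/data/jira token | JIRA_TOKEN;
            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
      - name: Submit review with Vault token
        env:
          JIRA_USER: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
          JIRA_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
        run: ./submit-review.sh   # assumed script name
```

A check worth running after such a migration: grep the workflow for any remaining `secrets.GITHUB_TOKEN` or `github.token` reference, since a leftover use would now run with a token that has no pull-requests permission and fail at runtime rather than at review time.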

@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot changed the title SubmitReview: Use Vault token SQSCANGHA-143 SubmitReview: Use Vault token Apr 28, 2026
@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented Apr 28, 2026

SQSCANGHA-143


@sonar-review-alpha sonar-review-alpha Bot left a comment


LGTM! ✅

Clean, correct change. SubmitReview.yml now matches the Vault token pattern already in use by RequestReview.yml and PullRequestCreated.yml — the secret path, fromJSON extraction, and absence of pull-requests: read are all identical to those files.

One thing worth noting for a follow-up: PullRequestClosed.yml (not changed here) still uses secrets.GITHUB_TOKEN with pull-requests: read. If the goal is to fully migrate all backlog workflows to the Vault token, that file will need the same treatment.
