
SLE-1476 SubmitReview: Use Vault token#1040

Open
pavel-mikula-sonarsource wants to merge 1 commit into master from Pavel/SubmitReviewToken

Conversation

@pavel-mikula-sonarsource
Contributor

With the latest automation changes, we need the Vault-based token now. It's the same token as the one in the RequestReview.yml file. Please take care of merging this; I have 200+ repos to update.

hashicorp-vault-sonar-prod (Bot) changed the title from "SubmitReview: Use Vault token" to "SLE-1476 SubmitReview: Use Vault token" on Apr 28, 2026

hashicorp-vault-sonar-prod Bot commented Apr 28, 2026

SLE-1476


sonar-review-alpha Bot commented Apr 28, 2026

Summary

This PR migrates the SubmitReview workflow from using GitHub Actions' built-in secrets.GITHUB_TOKEN to retrieving the GitHub token from Vault via the vault-action-wrapper. This aligns the token management approach with the existing RequestReview.yml workflow and supports the new automation infrastructure. The change includes adding a new Vault secret retrieval step and removing the now-unnecessary pull-requests: read permission.

What reviewers should know

Key changes:

  • The GITHUB_TOKEN is now sourced from Vault (development/github/token/{REPO_OWNER_NAME_DASH}-jira token) instead of secrets.GITHUB_TOKEN
  • This is a drop-in replacement — the token is passed to the same github-token input, just from a different source
  • The pull-requests: read permission is removed because the workflow no longer relies on GitHub Actions' default token handling
  • Vault token retrieval is already set up in step secrets, so the SubmitReview action can access it via fromJSON(steps.secrets.outputs.vault)

Watch for:

  • Confirm that the Vault secret path and variable templating ({REPO_OWNER_NAME_DASH}) are correctly resolved in your environment
  • Verify that the token from Vault has the same permissions as the previous token (should be identical according to the author)
  • This is part of a broader migration — check if there are any environment-specific considerations or rollout concerns for the 200+ repos being updated

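To make the before/after concrete, here is an added workflow sketch; it is not the PR's own SubmitReview.yml (the diff is not shown on this page). It places the previous `secrets.GITHUB_TOKEN` wiring beside the Vault-sourced form the summary describes. The `vault-action-wrapper` version and its `secrets:` input syntax, the output name `GITHUB_TOKEN`, the workflow trigger and the `uses:` reference for the SubmitReview action are assumptions; only the Vault path, the step id `secrets`, the `fromJSON(...)` extraction, the `github-token` input and the `id-token: write` permission come from the page.

```yaml
# Added illustration, not the PR's SubmitReview.yml. Everything not named on
# the page (wrapper version, secrets: syntax, output name, trigger, SubmitReview
# action reference) is an assumption.
on: workflow_dispatch   # placeholder trigger

# --- Before: built-in token, so the job had to request pull-requests: read ---
# permissions:
#   id-token: write
#   pull-requests: read
# steps:
#   - uses: SonarSource/SubmitReview@v1          # hypothetical uses: reference
#     with:
#       github-token: ${{ secrets.GITHUB_TOKEN }}

# --- After: token fetched from Vault; only the OIDC permission remains ---
permissions:
  id-token: write   # lets the runner mint an OIDC token to authenticate to Vault

jobs:
  submit-review:
    runs-on: ubuntu-latest
    steps:
      - name: Get GitHub token from Vault
        id: secrets                                  # referenced as steps.secrets below
        uses: SonarSource/vault-action-wrapper@v3    # version is an assumption
        with:
          # "<vault path> <key> | <output name>;" input format is assumed
          secrets: |
            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;

      - name: Submit review
        uses: SonarSource/SubmitReview@v1            # hypothetical uses: reference
        with:
          # same github-token input as before, different source
          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
```

Because an explicit `permissions:` block sets every unlisted scope to none, a job in one of the remaining repos that still passes `secrets.GITHUB_TOKEN` after this migration will be refused on pull-request API calls, which makes a missed migration easy to spot in the run logs.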


sonar-review-alpha Bot left a comment

LGTM! ✅

Clean, minimal change. The updated SubmitReview.yml is now a near-exact mirror of RequestReview.yml — same Vault secret paths, same fromJSON token extraction, same permissions block (only id-token: write). The pull-requests: read removal is correct: it was only needed for the built-in GITHUB_TOKEN, which is no longer used here.
