JAVASE-199 SubmitReview: Use Vault token#85

Merged
rombirli merged 1 commit into master from Pavel/SubmitReviewToken
Apr 28, 2026

Conversation

@pavel-mikula-sonarsource
Contributor

With the latest automation changes, we need the Vault-based token now. It's the same token as the one in the RequestReview.yml file. Please take care of merging this, I have 200+ repos to update.

@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot changed the title SubmitReview: Use Vault token JAVASE-199 SubmitReview: Use Vault token Apr 28, 2026
@hashicorp-vault-sonar-prod
Contributor

hashicorp-vault-sonar-prod Bot commented Apr 28, 2026

JAVASE-199

@sonar-review-alpha

sonar-review-alpha Bot commented Apr 28, 2026

Summary

This PR updates the SubmitReview GitHub workflow to fetch the GitHub token from Vault instead of using a static repository secret. The change replaces the plain secrets.GITHUB_TOKEN reference with a dynamically fetched token retrieved from the Vault service during workflow execution.

What changed:

  • Added Vault secret retrieval for GITHUB_TOKEN via development/github/token/{REPO_OWNER_NAME_DASH}-jira
  • Updated the github-token input to the SubmitReview action to use the Vault-fetched token
  • Removed the pull-requests: read permission (no longer needed with Vault-based token)

This aligns the workflow with the same pattern already used in RequestReview.yml, providing more secure token management across the CI/CD automation.

What reviewers should know

Key points for review:

  1. Token source change — Line 25 adds the Vault secret retrieval. Verify the secret path development/github/token/{REPO_OWNER_NAME_DASH}-jira is correct and matches what's used in RequestReview.yml
  2. Action input update — Line 29 changes from ${{secrets.GITHUB_TOKEN}} to ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}, ensuring the Vault-fetched token is used
  3. Permission removal — pull-requests: read is safe to remove since the Vault token has the necessary permissions
  4. Scale consideration — The author mentions 200+ repos need this same change, so ensure this pattern is the standard to roll out elsewhere

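To make the pattern the summary describes concrete, here is an added illustration of the before/after shape of such a workflow. It is not the repository's SubmitReview.yml and not code from the PR: the `uses:` references for the Vault step and the SubmitReview action, the trigger, and the `id-token: write` permission are placeholders or assumptions; only the secret path, the step id `secrets`, the `vault` output, the `fromJSON(...)` expression, the `github-token` input and the dropped `pull-requests: read` permission are taken from the PR summary.

```yaml
# Added illustration, not the project's own workflow file.
# Placeholders are marked; everything else mirrors the PR summary.
name: SubmitReview

on:
  pull_request_review:            # assumption: trigger not stated on the page
    types: [submitted]

jobs:
  submit-review:
    runs-on: ubuntu-latest
    permissions:
      # 'pull-requests: read' was removed in the PR: the token fetched from
      # Vault carries the permissions the action needs, so the workflow's own
      # GITHUB_TOKEN no longer needs that scope.
      id-token: write             # assumption: OIDC login to Vault
    steps:
      - name: Fetch GitHub token from Vault
        id: secrets               # step id referenced by the expression below
        uses: PLACEHOLDER-ORG/vault-action@PLACEHOLDER-VERSION   # placeholder
        with:
          # Secret path quoted in the PR summary; the 'secrets:' input format
          # belongs to the (placeholder) Vault action and is an assumption.
          secrets: |
            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;

      - name: Submit review
        uses: PLACEHOLDER-ORG/SubmitReview@PLACEHOLDER-VERSION   # placeholder
        with:
          # Before this PR (static repository secret):
          #   github-token: ${{secrets.GITHUB_TOKEN}}
          # After (token fetched from Vault at run time, parsed from the JSON
          # 'vault' output of the 'secrets' step):
          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
```

The review point that matters when rolling this out across many repositories is the one the bot raises under "Key points for review": the Vault path and the `fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN` expression must match what RequestReview.yml already uses, otherwise the step id or output name drifts and the action receives an empty token.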


@sonar-review-alpha sonar-review-alpha Bot left a comment


LGTM! ✅

Clean, correct change. The updated pattern (Vault secret path, fromJSON output parsing, no pull-requests: read permission) is identical to what RequestReview.yml and PullRequestCreated.yml already use — this PR simply brings SubmitReview.yml into alignment with the established convention.


Contributor

@rombirli rombirli left a comment


LGTM

@rombirli rombirli merged commit 9c24517 into master Apr 28, 2026
9 checks passed
@rombirli rombirli deleted the Pavel/SubmitReviewToken branch April 28, 2026 12:03