PLUGINAPI-187 SubmitReview: Use Vault token

[pavel-mikula-sonarsource]

With the latest automation changes, we need the Vault-based token now. It's the same token as the one in RequestReview.yml file. Please take care of merging this, I have 200+ repos to update.

[hashicorp-vault-sonar-prod]

PLUGINAPI-187

[sonar-review-alpha]

Summary

This PR migrates the GitHub token in the SubmitReview workflow from GitHub Secrets to Vault, aligning it with the same pattern already established in RequestReview.yml and other secrets in this workflow. The Vault secret retrieves a token from development/github/token/{REPO_OWNER_NAME_DASH}-jira and passes it to the SubmitReview action. The unused pull-requests: read permission is also removed.

What reviewers should know

Key change: Line 29 — the github-token parameter now pulls from the Vault output instead of GitHub Secrets.

New Vault retrieval: Line 23 — adds the GitHub token fetch from Vault alongside the existing JIRA credentials (already Vault-based).

Verify: Check that the Vault secret path development/github/token/{REPO_OWNER_NAME_DASH}-jira exists and matches what RequestReview.yml uses. The JIRA credentials lines are unchanged — they already use the Vault approach.

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[sonar-review-alpha]

LGTM! ✅

Clean and correct change. The final state of SubmitReview.yml now exactly mirrors RequestReview.yml — same Vault secret path, same fromJSON expression for the token, same minimal permissions block. Dropping pull-requests: read is appropriate because RequestReview.yml has never needed it, and the Vault-sourced token carries the necessary repository-level permissions.

🗣️ Give feedback

[sonarqube-next]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

[claire-villard-sonarsource]

LGTM