SCANDOCKER-77 SubmitReview: Use Vault token #310

Merged: claire-villard-sonarsource merged 1 commit into master from Pavel/SubmitReviewToken on May 4, 2026

@pavel-mikula-sonarsource
Contributor

With the latest automation changes, we need the Vault-based token now. It's the same token as the one in the RequestReview.yml file. Please take care of merging this; I have 200+ repos to update.

hashicorp-vault-sonar-prod Bot changed the title from "SubmitReview: Use Vault token" to "SCANDOCKER-77 SubmitReview: Use Vault token" on Apr 28, 2026
hashicorp-vault-sonar-prod Bot commented Apr 28, 2026

SCANDOCKER-77

sonar-review-alpha Bot commented Apr 28, 2026

Summary

Migrates the GitHub token source in the SubmitReview workflow from GitHub's native secrets to HashiCorp Vault. The workflow now retrieves a Vault-based token (matching the pattern used in RequestReview.yml) and passes it to the SubmitReview action. The pull-requests: read permission was also removed since token scoping is now handled by Vault.

What reviewers should know

Key Changes

  • GitHub token now comes from Vault (development/github/token/{REPO_OWNER_NAME_DASH}-jira) instead of secrets.GITHUB_TOKEN
  • The token is extracted from the steps.secrets.outputs.vault JSON object in the SubmitReview step
  • Removed pull-requests: read from permissions (token scoping is managed by Vault)

For Reviewers

  • This mirrors the token retrieval pattern already used in RequestReview.yml
  • Verify the Vault secret path exists and has appropriate permissions
  • The {REPO_OWNER_NAME_DASH} placeholder should be replaced with the actual repo owner name during deployment

sonar-review-alpha Bot left a comment

LGTM! ✅

Clean, minimal change that aligns SubmitReview.yml with the pattern already established in RequestReview.yml. The final state of the two files is now structurally identical (same Vault paths, same token extraction, same permission set). No issues found.

pavel-mikula-sonarsource requested a review from a team May 4, 2026 12:05
claire-villard-sonarsource merged commit 58efab3 into master May 4, 2026
10 checks passed
claire-villard-sonarsource deleted the Pavel/SubmitReviewToken branch May 4, 2026 13:07