
SONARAZDO-575 SubmitReview: Use Vault token#570

Merged
claire-villard-sonarsource merged 1 commit into master from Pavel/SubmitReviewToken
May 4, 2026

Conversation

@pavel-mikula-sonarsource
Contributor

With the latest automation changes, we need the Vault-based token now. It's the same token as the one in RequestReview.yml file. Please take care of merging this, I have 200+ repos to update.

@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot changed the title SubmitReview: Use Vault token SONARAZDO-575 SubmitReview: Use Vault token Apr 28, 2026
@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented Apr 28, 2026

SONARAZDO-575

@sonar-review-alpha

sonar-review-alpha Bot commented Apr 28, 2026

Summary

This PR switches the SubmitReview workflow to fetch the GitHub token from Vault instead of relying on GitHub's native secrets. The token source changes from secrets.GITHUB_TOKEN to a Vault-based token matching the pattern used in RequestReview.yml. The pull-requests: read permission is removed as it's no longer needed with this approach.

What reviewers should know

What changed: Two related updates to .github/workflows/SubmitReview.yml:

  1. Added a new Vault secret fetch for development/github/token/{REPO_OWNER_NAME_DASH}-jira with output alias GITHUB_TOKEN
  2. Updated the action input to use the Vault token instead of the GitHub secret

Why this matters: This standardizes token management across repos by using centralized Vault credentials instead of per-repo GitHub secrets, enabling easier rotation and audit across the 200+ repos being updated.

For reviewers:

  • Verify the Vault path development/github/token/{REPO_OWNER_NAME_DASH}-jira matches the pattern in RequestReview.yml
  • The removed pull-requests: read permission is safe — the action no longer needs PR read access
  • The token is fetched correctly in step "secrets" and referenced properly in the action invocation

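The summary above describes the wiring in prose only. The workflow below is an added illustration of that wiring, not the repository's actual SubmitReview.yml. The trigger, the `id-token: write` permission (assuming OIDC/JWT authentication to Vault), the `SonarSource/vault-action-wrapper` action with its JSON `vault` output, and the `./.github/actions/submit-review` action with a `token` input are all assumptions; only the Vault path, the `secrets` step id, the `GITHUB_TOKEN` alias and the dropped `pull-requests: read` permission come from the page.

```yaml
# Added illustration of the change described in the PR summary; not the
# repository's real SubmitReview.yml. Action names, the trigger, the auth
# method and the "submit-review" action's "token" input are assumptions.
name: SubmitReview

on:
  pull_request_review:          # assumed trigger
    types: [submitted]

permissions:
  contents: read                # enough for actions/checkout
  id-token: write               # assumed: OIDC (JWT) login to Vault
  # No "pull-requests: read" here: the permissions key only scopes the
  # built-in secrets.GITHUB_TOKEN, which this workflow no longer uses.

jobs:
  submit-review:
    runs-on: ubuntu-latest
    steps:
      - name: Fetch GitHub token from Vault
        id: secrets
        # Assumed: SonarSource's wrapper around hashicorp/vault-action,
        # which exposes every fetched secret in one JSON object on the
        # "vault" output. With plain hashicorp/vault-action the alias
        # would be read as steps.secrets.outputs.GITHUB_TOKEN instead.
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: |
            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;

      - name: Submit review
        # Hypothetical action and input name; only the token source matters.
        uses: ./.github/actions/submit-review
        with:
          token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
```

The practical check when reviewing a change like this is not the YAML itself but what sits behind the Vault path: the Vault role bound to this repository's OIDC claims must be allowed to read `development/github/token/{REPO_OWNER_NAME_DASH}-jira`, and the scopes of the token Vault hands back (set on the Vault side, not by the workflow's `permissions` block) must cover whatever the old `secrets.GITHUB_TOKEN` was doing, since the `permissions` block no longer constrains or grants anything for it.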


@sonar-review-alpha sonar-review-alpha Bot left a comment


LGTM! ✅

Clean, minimal change. The resulting SubmitReview.yml is now consistent with RequestReview.yml — same Vault path, same fromJSON expression, same permissions block. The removal of pull-requests: read is correct: that permission only restricts the built-in GITHUB_TOKEN, which is no longer used here.


@sonarqube-next

Quality Gate passed for 'Azure DevOps extension for SonarQube Server'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@sonarqube-next

Quality Gate passed for 'Azure DevOps extension for SonarQube Cloud'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@pavel-mikula-sonarsource pavel-mikula-sonarsource requested a review from a team May 4, 2026 12:04
@claire-villard-sonarsource claire-villard-sonarsource merged commit 8faf129 into master May 4, 2026
39 checks passed
@claire-villard-sonarsource claire-villard-sonarsource deleted the Pavel/SubmitReviewToken branch May 4, 2026 13:04