
SCANPY-246 SubmitReview: Use Vault token#316

Merged
Seppli11 merged 1 commit into
masterfrom
Pavel/SubmitReviewToken
Apr 30, 2026
Conversation

@pavel-mikula-sonarsource (Contributor)

With the latest automation changes, we need the Vault-based token now. It's the same token as the one in the RequestReview.yml file. Please take care of merging this; I have 200+ repos to update.

@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot changed the title SubmitReview: Use Vault token SCANPY-246 SubmitReview: Use Vault token Apr 28, 2026

hashicorp-vault-sonar-prod Bot commented Apr 28, 2026

SCANPY-246


sonar-review-alpha Bot commented Apr 28, 2026

Summary

Switches the SubmitReview workflow to use a Vault-based GitHub token instead of GitHub's built-in secrets, bringing it into alignment with automation infrastructure changes and the RequestReview workflow. The GitHub token is now retrieved from Vault alongside the existing JIRA credentials, enabling centralized secret management. The pull-requests: read permission is removed as it's no longer needed when using the Vault token.

What reviewers should know

File to review: .github/workflows/SubmitReview.yml

Key change: Line 24 switches the token source from secrets.GITHUB_TOKEN to the Vault-based token extracted in the previous step.

What to verify:

  • The Vault path development/github/token/{REPO_OWNER_NAME_DASH}-jira correctly resolves the token name (confirm consistency with RequestReview.yml)
  • The token will be available in the Vault instance used by this workflow
  • Verify the removed pull-requests: read permission is genuinely unnecessary with the Vault approach (likely true, but worth confirming)



@sonar-review-alpha sonar-review-alpha Bot left a comment


LGTM! ✅

Clean, minimal change that aligns SubmitReview with the established pattern in RequestReview.yml. The Vault path, variable names, and fromJSON extraction are identical between the two files, and removing pull-requests: read is correct — that permission only governs the built-in GitHub Actions token, which the Vault step doesn't use.

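The pattern the two bot comments describe (a Vault step fetching the GitHub token next to the JIRA credentials, `fromJSON` extraction of the step output, the token consumed by a later step instead of `secrets.GITHUB_TOKEN`, and no `pull-requests: read` permission), as an added illustration that is not the repository's actual SubmitReview.yml or RequestReview.yml. The Vault action name, its inputs, the `vault` output name, the JIRA secret path and the `id-token: write` permission are assumptions; the page shows only the GitHub token path and the `fromJSON` usage.

```yaml
# Added illustration of the pattern discussed in this PR; not the repository's
# real workflow file. Action name, inputs and output name are assumptions.
name: SubmitReview

on:
  workflow_dispatch:

# 'pull-requests: read' is intentionally absent: that key only scopes the
# built-in GITHUB_TOKEN, which this workflow no longer uses.
permissions:
  contents: read
  id-token: write   # assumed: needed if the Vault step logs in via OIDC

jobs:
  submit-review:
    runs-on: ubuntu-latest
    steps:
      - name: Get secrets from Vault
        id: secrets
        # Placeholder for the organization's Vault wrapper action.
        uses: example-org/vault-action-wrapper@v1
        with:
          # One "path field | OUTPUT_NAME" line per secret. The GitHub token
          # path matches the one named in the PR; the JIRA path is a placeholder.
          secrets: |
            development/kv/data/jira token | JIRA_TOKEN;
            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;

      - name: Submit review
        env:
          # Token comes from the Vault step output, not from secrets.GITHUB_TOKEN.
          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
          JIRA_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
        run: ./submit-review.sh   # placeholder for the real review step
```

When verifying such a change, confirm that the step consuming the token is the only one that reads `steps.secrets.outputs.vault`, and that no remaining step still relies on `github.token` or `secrets.GITHUB_TOKEN`, since those would silently run with the now-reduced default permissions.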

@sonarqube-next

Quality Gate passed for 'Python Scanner'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@Seppli11 Seppli11 (Contributor) left a comment


LGTM

@Seppli11 Seppli11 merged commit 1b42207 into master Apr 30, 2026
21 checks passed
@Seppli11 Seppli11 deleted the Pavel/SubmitReviewToken branch April 30, 2026 09:19