RUST-139 SubmitReview: Use Vault token #230
Summary
This PR migrates the SubmitReview workflow to retrieve the GitHub token from Vault instead of relying on a repository secret. A new secret fetch step retrieves This brings SubmitReview.yml in line with the RequestReview.yml pattern and is part of standardizing token management across 200+ repositories.
What reviewers should know
Key changes:
For reviewers:
LGTM! ✅
This PR correctly aligns SubmitReview.yml with the already-updated RequestReview.yml. The Vault path, fromJSON expression syntax, token field name, and permissions block are now identical between the two files. {REPO_OWNER_NAME_DASH} is a Vault-native template variable resolved at runtime by vault-action-wrapper — not an unsubstituted placeholder. Removing pull-requests: read is correct; RequestReview.yml never needed it either, as the Vault-issued token carries its own GitHub App permissions.

With the latest automation changes, we need the Vault-based token now. It's the same token as the one in the RequestReview.yml file. Please take care of merging this; I have 200+ repos to update.