From 6fbcb4e5c368a60cc3252a7a49100214643f2bea Mon Sep 17 00:00:00 2001
From: Sebastien Vermeille
Date: Thu, 16 Nov 2023 09:59:34 +0100
Subject: [PATCH] BUILD-4131 use GitHub token from vault instead of sonartech api token (#4386)
Co-authored-by: Mate Molnar
---
 .github/workflows/dogfood.yml | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/dogfood.yml b/.github/workflows/dogfood.yml
index 9d57f887cc1..0363335d241 100644
--- a/.github/workflows/dogfood.yml
+++ b/.github/workflows/dogfood.yml
@@ -10,14 +10,22 @@ jobs:
 dogfood_merge:
 runs-on: ubuntu-latest
 name: Update dogfood branch
+ permissions:
+ id-token: write # required for SonarSource/vault-action-wrapper
 steps:
- - name: git octopus step
- env:
- GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
- id: dogfood
- uses: SonarSource/gh-action_dogfood_merge@v1
- with:
- dogfood-branch: 'dogfood-on-peach'
- # Use the output from the `dogfood` step
- - name: Get the name of the dogfood branch and its HEAD SHA1
- run: echo "The dogfood branch was ${{ steps.dogfood.outputs.dogfood-branch }} and its HEAD SHA1 was ${{ steps.dogfood.outputs.sha1 }}"
+ - name: get secrets
+ id: secrets
+ uses: SonarSource/vault-action-wrapper@v2
+ with:
+ secrets: |
+ development/github/token/{REPO_OWNER_NAME_DASH}-dogfood-merge token | dogfood_token;
+ - name: git octopus step
+ env:
+ GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).dogfood_token }}
+ id: dogfood
+ uses: SonarSource/gh-action_dogfood_merge@v1
+ with:
+ dogfood-branch: 'dogfood-on-peach'
+ # Use the output from the `dogfood` step
+ - name: Get the name of the dogfood branch and its HEAD SHA1
+ run: echo "The dogfood branch was ${{ steps.dogfood.outputs.dogfood-branch }} and its HEAD SHA1 was ${{ steps.dogfood.outputs.sha1 }}"
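Review bot: The new `get secrets` step references `SonarSource/vault-action-wrapper@v2` by a mutable tag, and that step is the one that exchanges the job's OIDC token for `dogfood_token`; pinning it to a full commit SHA, e.g. `uses: SonarSource/vault-action-wrapper@<full-commit-sha> # v2`, keeps a moved tag from changing the code that handles the credential. The same applies to `SonarSource/gh-action_dogfood_merge@v1`, which receives the token through `GITHUB_TOKEN` and, because `id-token: write` is granted at job level, can also request an OIDC token itself. Declaring `permissions:` with only `id-token: write` sets every other scope of the default workflow token to none; that looks intended, since the merge now uses the Vault-issued token, but a short comment such as `# all other default-token scopes are intentionally dropped` would make it explicit. Whether the value exposed in `steps.secrets.outputs.vault` is masked in logs depends on the wrapper and cannot be confirmed from this hunk.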