BUILD-4733: Use COVERAGE_GITHUB_TOKEN from the vault instead of the default GITHUB_TOKEN

.cirrus.yml

@@ -1,5 +1,5 @@
 env:
-  GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-ro token]
+  COVERAGE_GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-ro token]
   SONAR_HOST_URL: VAULT[development/kv/data/next data.url]
   SONAR_TOKEN: VAULT[development/kv/data/next data.token]
   SONAR_SCANNER_VERSION: 5.0.1.3006

.github/workflows/add_language.yml

@@ -14,11 +14,16 @@ on:
 
 jobs:
   add_language_to_rule:
-    runs-on: ubuntu-latest
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    runs-on: ubuntu-latest    
 
     steps:
+    - name: 'get secrets'
+      id: secrets
+      uses: SonarSource/vault-action-wrapper@7160b50d75c02fe48eb3c8d354ca4fd7029f546a # tag=2.5.0-4
+      with:
+        secrets: |
+          development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN;
+
     - uses: actions/checkout@v4
       with:
         persist-credentials: true
@@ -38,5 +43,7 @@ jobs:
       run: pipenv install
 
     - name: 'Add Language'
+      env:
+        COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }}
       working-directory: 'rspec/rspec-tools'
       run: pipenv run rspec-tools add-lang-to-rule --user ${{ github.actor }} --language "${{ github.event.inputs.language }}" --rule "${{ github.event.inputs.rule }}"

.github/workflows/create_new_rspec.yml

@@ -12,10 +12,15 @@ on:
 jobs:
   create_new_rule:
     runs-on: ubuntu-latest
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     steps:
+    - name: 'get secrets'
+      id: secrets
+      uses: SonarSource/vault-action-wrapper@7160b50d75c02fe48eb3c8d354ca4fd7029f546a # tag=2.5.0-4
+      with:
+        secrets: |
+          development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN;
+
     - uses: actions/checkout@v4
       with:
         persist-credentials: true
@@ -35,5 +40,7 @@ jobs:
       run: pipenv install
 
     - name: 'Create Rule'
+      env:
+        COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }}
       working-directory: 'rspec/rspec-tools'
       run: pipenv run rspec-tools create-rule --user ${{ github.actor }} --languages "${{ github.event.inputs.languages }}"

.github/workflows/main.yml

@@ -12,6 +12,13 @@ jobs:
       pull-requests: read # Get the list and metadata of open new-rule PRs
       contents: write # Get the contents of open new-rule PRs, the 'master'; write to 'gh-pages' branch
     steps:
+      - name: 'get secrets'
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@7160b50d75c02fe48eb3c8d354ca4fd7029f546a # tag=2.5.0-4
+        with:
+          secrets: |
+            development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN;
+
       - name: Checkout 🛎️
         uses: actions/checkout@v4 # If you're using actions/checkout you must set persist-credentials to false in most cases for the deployment to work correctly.
         with:
@@ -27,12 +34,12 @@ jobs:
           npm run predeploy
         env:
           NODE_OPTIONS: "--max-old-space-size=3048"
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }}
       - name: Deploy 🚀
         uses: JamesIves/github-pages-deploy-action@releases/v3
         with:
           SINGLE_COMMIT: true
           CLEAN: true
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COVERAGE_GITHUB_TOKEN: ${{ secrets.COVERAGE_GITHUB_TOKEN }}
           BRANCH: gh-pages # The branch the action should deploy to.
           FOLDER: frontend/build # The folder the action should deploy.

.github/workflows/update_coverage.yml

@@ -40,7 +40,7 @@ jobs:
 
     - name: 'Regenerate coverage information'
       env:
-        GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }}
+        COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }}
       id: gen-coverage
       working-directory: 'rspec/rspec-tools'
       run: |
@@ -73,7 +73,7 @@ jobs:
       uses: fountainhead/action-wait-for-check@v1.0.0
       id: wait-for-build
       with:
-        token: ${{ secrets.GITHUB_TOKEN }}
+        token: ${{ secrets.COVERAGE_GITHUB_TOKEN }}
         checkName: all_required_checks
         ref: ${{ env.TMP_BRANCH }}
         timeoutSeconds: 2400
@@ -93,7 +93,7 @@ jobs:
       if: always() && steps.create-temp-branch.conclusion == 'success'
       uses: dawidd6/action-delete-branch@v3
       with:
-        github_token: ${{ secrets.GITHUB_TOKEN}}
+        COVERAGE_GITHUB_TOKEN: ${{ secrets.COVERAGE_GITHUB_TOKEN}}
         branches: ${{ env.TMP_BRANCH}}
 
     - name: 'Fail if the change breaks CI'

.github/workflows/update_quickfix_status.yml

@@ -26,9 +26,13 @@ jobs:
   update_quickfix_status:
     name: Update quick fix status
     runs-on: ubuntu-20.04
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
+    - name: 'get secrets'
+      id: secrets
+      uses: SonarSource/vault-action-wrapper@7160b50d75c02fe48eb3c8d354ca4fd7029f546a # tag=2.5.0-4
+      with:
+        secrets: |
+          development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN;
     - uses: actions/checkout@v2
       with:
         persist-credentials: true
@@ -49,4 +53,6 @@ jobs:
 
     - name: 'Update quickfix status'
       working-directory: 'rspec/rspec-tools'
+      env:
+        COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }}
       run: pipenv run rspec-tools update-quickfix-status --user ${{ github.actor }} --rule "${{ github.event.inputs.rule }}" --language "${{ github.event.inputs.language }}" --status "${{ github.event.inputs.status }}"

frontend/README.adoc

@@ -36,7 +36,7 @@ NOTE: If the script fails to clone or fetch due to an SSL certificate failure
       As a workaround you can https://github.com/nodegit/nodegit/issues/1742[disable the certificate check].
 
 NOTE: In the predeploy step (specifically the `prepare-rules` part of it) the script fetches all the open PRs locally.
-      You might want to set `GITHUB_TOKEN` to your personal GitHub token
+      You might want to set `COVERAGE_GITHUB_TOKEN` to your personal GitHub token
       to avoid GitHub throttling your requests during the predeploy stage.
 
 

frontend/src/deployment/pullRequestIndexing.ts

@@ -24,14 +24,14 @@ export interface PullRequest {
  */
 export async function process_incomplete_rspecs(tmpRepoDir: string,
                                                 callback: (srcDir: string, pr: PullRequest)=>void) {
-  const octokit = process.env.GITHUB_TOKEN ?
-    new Octokit({userAgent: 'rspec-tools', auth: process.env.GITHUB_TOKEN}):
+  const octokit = process.env.COVERAGE_GITHUB_TOKEN ?
+    new Octokit({userAgent: 'rspec-tools', auth: process.env.COVERAGE_GITHUB_TOKEN}):
     new Octokit({userAgent: 'rspec-tools'});
 
   const repo = await (() => {
     if (!fs.existsSync(path.join(tmpRepoDir, '.git'))) {
-      if (process.env.GITHUB_TOKEN) {
-        return Git.Clone.clone('https://' + process.env.GITHUB_TOKEN + '@github.com/SonarSource/rspec/', tmpRepoDir);
+      if (process.env.COVERAGE_GITHUB_TOKEN) {        
+        return Git.Clone.clone(`https://${process.env.COVERAGE_GITHUB_TOKEN}@github.com/SonarSource/rspec/`, tmpRepoDir);
       } else {
         return Git.Clone.clone('https://github.com/SonarSource/rspec/', tmpRepoDir);
       }

rspec-tools/rspec_tools/cli.py

@@ -45,7 +45,7 @@ def check_links(d):
 @click.option('--user', required=False)
 def create_rule(languages: str, user: Optional[str]):
   '''Create a new rule.'''
-  token = os.environ.get('GITHUB_TOKEN')
+  token = os.environ.get('COVERAGE_GITHUB_TOKEN')
   rspec_tools.create_rule.create_new_rule(languages, token, user)
 
 
@@ -55,7 +55,7 @@ def create_rule(languages: str, user: Optional[str]):
 @click.option('--user', required=False)
 def add_lang_to_rule(language: str, rule: str, user: Optional[str]):
   '''Add a new language to rule.'''
-  token = os.environ.get('GITHUB_TOKEN')
+  token = os.environ.get('COVERAGE_GITHUB_TOKEN')
   rspec_tools.create_rule.add_language_to_rule(language, rule, token, user)
 
 
@@ -66,7 +66,7 @@ def add_lang_to_rule(language: str, rule: str, user: Optional[str]):
 @click.option('--user', required=False)
 def update_quickfix_status(language: str, rule: str, status: str, user: Optional[str]):
   '''Update the status of quick fix for the given rule/language'''
-  token = os.environ.get('GITHUB_TOKEN')
+  token = os.environ.get('COVERAGE_GITHUB_TOKEN')
   rspec_tools.modify_rule.update_rule_quickfix_status(language, rule, status, token, user)
 
 

rspec-tools/rspec_tools/coverage.py

@@ -153,9 +153,9 @@ def all_implemented_rules():
 
 def checkout_repo(repo):
   git_url=f"https://github.com/SonarSource/{repo}"
-  token=os.getenv('GITHUB_TOKEN')
+  token=os.getenv('COVERAGE_GITHUB_TOKEN')
   if token:
-    git_url=f"https://oauth2:${token}@github.com/SonarSource/{repo}"
+    git_url=f"https://${token}@github.com/SonarSource/{repo}"
   if not os.path.exists(repo):
     return Repo.clone_from(git_url, repo)
   else:

rspec-tools/tests/test_cli.py

@@ -12,7 +12,7 @@ from rspec_tools.rules import RulesRepository
 class TestCLIUpdateQuickfixStatus:
   '''Unit test for quickfix status update through Command Line Interface.'''
 
-  @patch.dict(os.environ, {'GITHUB_TOKEN': 'TOKEN'})
+  @patch.dict(os.environ, {'COVERAGE_GITHUB_TOKEN': 'TOKEN'})
   @patch('rspec_tools.modify_rule.update_rule_quickfix_status')
   def test_basic_cli_usage(self, mock):
     arguments = [