BUILD-4175: use secrets from Vault

* Fix SQ issue Unexpected string concatenation * Allow testing of the coverage update workflow by checking out all branches and referencing the SHA of the triggering event * Fix repository url for coverage update * Add a manual trigger for coverage update
2024-07-16 15:58:10 +02:00 · 2024-07-16 15:58:10 +02:00 · c0a5024363
commit c0a5024363
parent 0f8222f73b
3 changed files with 20 additions and 7 deletions
--- a/.github/workflows/update_coverage.yml
+++ b/.github/workflows/update_coverage.yml
@ -2,20 +2,33 @@ name: Update rule coverage
 on:
  schedule:
    - cron: '17 2 * * *'
+  workflow_dispatch:

 jobs:
  update_coverage:
    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      checks: read
    env:
      TMP_BRANCH: temporary/coverage_update

    steps:
+    - name: 'get secrets'
+      id: secrets
+      uses: SonarSource/vault-action-wrapper@v3
+      with:
+        secrets: |
+          development/github/token/SonarSource-rspec-coverage token | coverage_github_token;
+          development/kv/data/slack token | slack_token;
+
    - uses: actions/checkout@v4
      with:
        persist-credentials: true
-        ref: master
+        fetch-depth: 0
        path: 'rspec'
-        token: ${{ secrets.COVERAGE_GITHUB_TOKEN }}
+        token: ${{ fromJSON(steps.secrets.outputs.vault).coverage_github_token }}

    - uses: actions/setup-python@v4
      with:
@ -31,7 +44,7 @@ jobs:

    - name: 'Regenerate coverage information'
      env:
-        GITHUB_TOKEN: ${{ secrets.COVERAGE_GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).coverage_github_token }}
      id: gen-coverage
      working-directory: 'rspec/rspec-tools'
      run: |
@ -84,7 +97,7 @@ jobs:
      if: always() && steps.create-temp-branch.conclusion == 'success'
      uses: dawidd6/action-delete-branch@v3
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN}}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
        branches: ${{ env.TMP_BRANCH}}

    - name: 'Fail if the change breaks CI'
@ -96,7 +109,7 @@ jobs:
    - name: 'Notify on slack about the failure'
      if: ${{ failure() }}
      env:
-        SLACK_API_TOKEN: ${{ secrets.SLACK_API_TOKEN }}
+        SLACK_API_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).slack_token }}
      working-directory: 'rspec/rspec-tools'
      run: |
        pipenv run rspec-tools notify-failure-on-slack \
--- a/frontend/src/deployment/pullRequestIndexing.ts
+++ b/frontend/src/deployment/pullRequestIndexing.ts
@ -31,7 +31,7 @@ export async function process_incomplete_rspecs(tmpRepoDir: string,
  const repo = await (() => {
    if (!fs.existsSync(path.join(tmpRepoDir, '.git'))) {
      if (process.env.GITHUB_TOKEN) {
-        return Git.Clone.clone('https://' + process.env.GITHUB_TOKEN + '@github.com/SonarSource/rspec/', tmpRepoDir);
+        return Git.Clone.clone(`https://${process.env.GITHUB_TOKEN}@github.com/SonarSource/rspec/`, tmpRepoDir);
      } else {
        return Git.Clone.clone('https://github.com/SonarSource/rspec/', tmpRepoDir);
      }
--- a/rspec-tools/rspec_tools/coverage.py
+++ b/rspec-tools/rspec_tools/coverage.py
@ -155,7 +155,7 @@ def checkout_repo(repo):
  git_url=f"https://github.com/SonarSource/{repo}"
  token=os.getenv('GITHUB_TOKEN')
  if token:
-    git_url=f"https://{token}@github.com/SonarSource/{repo}"
+    git_url=f"https://oauth2:{token}@github.com/SonarSource/{repo}"
  if not os.path.exists(repo):
    return Repo.clone_from(git_url, repo)
  else: