BUILD-4131 use GitHub token from vault instead of sonartech api token (…

…#4386) Co-authored-by: Mate Molnar <matemoln@users.noreply.github.com>
SonarSource · Nov 16, 2023 · 6fbcb4e · 6fbcb4e
1 parent 07c47d9
commit 6fbcb4e
Showing 1 changed file with 18 additions and 10 deletions.
diff --git a/.github/workflows/dogfood.yml b/.github/workflows/dogfood.yml
@@ -10,14 +10,22 @@ jobs:
   dogfood_merge:
     runs-on: ubuntu-latest
     name: Update dogfood branch
+    permissions:
+      id-token: write # required for SonarSource/vault-action-wrapper
     steps:
-    - name: git octopus step      
-      env:
-        GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-      id: dogfood
-      uses: SonarSource/gh-action_dogfood_merge@v1
-      with:
-        dogfood-branch: 'dogfood-on-peach'
-    # Use the output from the `dogfood` step
-    - name: Get the name of the dogfood branch and its HEAD SHA1
-      run: echo "The dogfood branch was ${{ steps.dogfood.outputs.dogfood-branch }} and its HEAD SHA1 was ${{ steps.dogfood.outputs.sha1 }}"
+      - name: get secrets
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@v2
+        with:
+          secrets: |
+            development/github/token/{REPO_OWNER_NAME_DASH}-dogfood-merge token | dogfood_token;
+      - name: git octopus step
+        env:
+          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).dogfood_token }}
+        id: dogfood
+        uses: SonarSource/gh-action_dogfood_merge@v1
+        with:
+          dogfood-branch: 'dogfood-on-peach'
+      # Use the output from the `dogfood` step
+      - name: Get the name of the dogfood branch and its HEAD SHA1
+        run: echo "The dogfood branch was ${{ steps.dogfood.outputs.dogfood-branch }} and its HEAD SHA1 was ${{ steps.dogfood.outputs.sha1 }}"