BUILD-4733: update secrets to use vault instead of github

SonarSource · Jun 24, 2024 · 7e40d76 · 7e40d76
1 parent 5bff87a
commit 7e40d76
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/.github/workflows/update_coverage.yml b/.github/workflows/update_coverage.yml
@@ -5,6 +5,8 @@ on:
 
 jobs:
   update_coverage:
+    permissions:
+      id-token: write
     runs-on: ubuntu-latest
     env:
       TMP_BRANCH: temporary/coverage_update
@@ -93,10 +95,17 @@ jobs:
         steps.wait-for-build.outputs.conclusion != 'success'
       run: exit 1
 
+    - name: get secrets
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@3996073b47b49ac5c58c750d27ab4edf469401c8 # 3.0.1
+        with:
+          secrets: |
+            development/kv/data/slack token | slack_token;
+
     - name: 'Notify on slack about the failure'
       if: ${{ failure() }}
       env:
-        SLACK_API_TOKEN: ${{ secrets.SLACK_API_TOKEN }}
+        SLACK_API_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).slack_token }}
       working-directory: 'rspec/rspec-tools'
       run: |
         pipenv run rspec-tools notify-failure-on-slack \