From 7e40d7606ec1378ba9020e9ec0745cf15342b913 Mon Sep 17 00:00:00 2001
From: tomverin
Date: Mon, 24 Jun 2024 16:55:16 +0200
Subject: [PATCH] BUILD-4733: update secrets to use vault instead of github
---
 .github/workflows/update_coverage.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/update_coverage.yml b/.github/workflows/update_coverage.yml
index 7ab51f4bb5d..73b032a20e1 100644
--- a/.github/workflows/update_coverage.yml
+++ b/.github/workflows/update_coverage.yml
@@ -5,6 +5,8 @@ on:
 jobs:
 update_coverage:
+ permissions:
+ id-token: write
 runs-on: ubuntu-latest
 env:
 TMP_BRANCH: temporary/coverage_update
@@ -93,10 +95,17 @@ jobs:
 steps.wait-for-build.outputs.conclusion != 'success'
 run: exit 1
+ - name: get secrets
+ id: secrets
+ uses: SonarSource/vault-action-wrapper@3996073b47b49ac5c58c750d27ab4edf469401c8 # 3.0.1
+ with:
+ secrets: |
+ development/kv/data/slack token | slack_token;
+
 - name: 'Notify on slack about the failure'
 if: ${{ failure() }}
 env:
- SLACK_API_TOKEN: ${{ secrets.SLACK_API_TOKEN }}
+ SLACK_API_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).slack_token }}
 working-directory: 'rspec/rspec-tools'
 run: |
 pipenv run rspec-tools notify-failure-on-slack \
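Review bot: In the first hunk, the new job-level `permissions:` block lists only `id-token: write`, and GitHub Actions sets every scope that is not listed to `none`, so `GITHUB_TOKEN` loses `contents` and any other access the job had by default. The job's steps are outside this hunk, so it needs confirming whether any of them check out or push with that token (the `TMP_BRANCH` variable suggests branch work); if they do, add `contents: read` or the exact scope required. A trailing comment such as `id-token: write  # OIDC token requested by the vault-action-wrapper step` would record why the scope is granted.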
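Review bot: The `get secrets` step in the second hunk has no `if:`, so it runs under the default `success()` condition and is skipped exactly when an earlier step fails, which is the only case where the `failure()`-guarded Slack step runs. `steps.secrets.outputs.vault` is then empty, and `fromJSON` on an empty string fails expression evaluation, so the notification would most likely never be sent. Giving the step the same guard, `if: ${{ failure() }}`, fixes that and also means the Slack token is only fetched from Vault when it is needed. The `run:` script of the notify step continues outside the hunk.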