BUILD-4175 Use secrets from Vault

.cirrus.yml

@@ -1,5 +1,5 @@
 env:
-  COVERAGE_GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-ro token]
+  GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-ro token]
   SONAR_HOST_URL: VAULT[development/kv/data/next data.url]
   SONAR_TOKEN: VAULT[development/kv/data/next data.token]
   SONAR_SCANNER_VERSION: 5.0.1.3006

.github/workflows/add_language.yml

@@ -15,18 +15,10 @@ on:
 jobs:
   add_language_to_rule:
     runs-on: ubuntu-latest
-    permissions:
-      id-token: write # OIDC auth for Vault
-      contents: read # checkout
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     steps:
-    - name: 'get secrets'
-      id: secrets
-      uses: SonarSource/vault-action-wrapper@v3
-      with:
-        secrets: |
-          development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN;
-
     - uses: actions/checkout@v4
       with:
         persist-credentials: true
@@ -46,7 +38,5 @@ jobs:
       run: pipenv install
 
     - name: 'Add Language'
-      env:
-        COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }}
       working-directory: 'rspec/rspec-tools'
       run: pipenv run rspec-tools add-lang-to-rule --user ${{ github.actor }} --language "${{ github.event.inputs.language }}" --rule "${{ github.event.inputs.rule }}"

.github/workflows/create_new_rspec.yml

@@ -12,18 +12,10 @@ on:
 jobs:
   create_new_rule:
     runs-on: ubuntu-latest
-    permissions:
-      id-token: write # OIDC auth for Vault
-      contents: read # checkout
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     steps:
-    - name: 'get secrets'
-      id: secrets
-      uses: SonarSource/vault-action-wrapper@v3
-      with:
-        secrets: |
-          development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN;
-
     - uses: actions/checkout@v4
       with:
         persist-credentials: true
@@ -43,7 +35,5 @@ jobs:
       run: pipenv install
 
     - name: 'Create Rule'
-      env:
-        COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }}
       working-directory: 'rspec/rspec-tools'
       run: pipenv run rspec-tools create-rule --user ${{ github.actor }} --languages "${{ github.event.inputs.languages }}"

.github/workflows/main.yml

@@ -9,18 +9,9 @@ jobs:
   build-and-deploy:
     runs-on: ubuntu-20.04
     permissions:
-      id-token: write # OIDC auth for Vault
       pull-requests: read # Get the list and metadata of open new-rule PRs
       contents: write # Get the contents of open new-rule PRs, the 'master'; write to 'gh-pages' branch
-      pages: write # for github-pages-deploy-action
     steps:
-      - name: 'get secrets'
-        id: secrets
-        uses: SonarSource/vault-action-wrapper@v3
-        with:
-          secrets: |
-            development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN;
-
       - name: Checkout 🛎️
         uses: actions/checkout@v4 # If you're using actions/checkout you must set persist-credentials to false in most cases for the deployment to work correctly.
         with:
@@ -36,7 +27,7 @@ jobs:
           npm run predeploy
         env:
           NODE_OPTIONS: "--max-old-space-size=3048"
-          COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Deploy 🚀
         uses: JamesIves/github-pages-deploy-action@releases/v3
         with:

.github/workflows/update_coverage.yml

@@ -2,13 +2,15 @@ name: Update rule coverage
 on:
   schedule:
     - cron: '17 2 * * *'
+  workflow_dispatch:
 
 jobs:
   update_coverage:
     runs-on: ubuntu-latest
     permissions:
-      id-token: write # OIDC auth for Vault
-      contents: read # checkout
+      id-token: write
+      contents: write
+      checks: read
     env:
       TMP_BRANCH: temporary/coverage_update
 
@@ -18,15 +20,16 @@ jobs:
       uses: SonarSource/vault-action-wrapper@v3
       with:
         secrets: |
-          development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN;
+          development/github/token/SonarSource-rspec-coverage token | coverage_github_token;
           development/kv/data/slack token | slack_token;
 
     - uses: actions/checkout@v4
       with:
         persist-credentials: true
-        ref: master
+        fetch-depth: 0
         path: 'rspec'
-        token: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }}
+        token: ${{ fromJSON(steps.secrets.outputs.vault).coverage_github_token }}
+
     - uses: actions/setup-python@v4
       with:
         python-version: '3.9'
@@ -41,7 +44,7 @@ jobs:
 
     - name: 'Regenerate coverage information'
       env:
-        COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).coverage_github_token }}
       id: gen-coverage
       working-directory: 'rspec/rspec-tools'
       run: |
@@ -74,7 +77,7 @@ jobs:
       uses: fountainhead/action-wait-for-check@v1.0.0
       id: wait-for-build
       with:
-        token: ${{ secrets.COVERAGE_GITHUB_TOKEN }}
+        token: ${{ secrets.GITHUB_TOKEN }}
         checkName: all_required_checks
         ref: ${{ env.TMP_BRANCH }}
         timeoutSeconds: 2400
@@ -94,7 +97,7 @@ jobs:
       if: always() && steps.create-temp-branch.conclusion == 'success'
       uses: dawidd6/action-delete-branch@v3
       with:
-        COVERAGE_GITHUB_TOKEN: ${{ secrets.COVERAGE_GITHUB_TOKEN}}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
         branches: ${{ env.TMP_BRANCH}}
 
     - name: 'Fail if the change breaks CI'

.github/workflows/update_quickfix_status.yml

@@ -1,6 +1,6 @@
 name: Update quick fix status
 
-on:
+on: 
   workflow_dispatch:
     inputs:
       rule:
@@ -26,16 +26,9 @@ jobs:
   update_quickfix_status:
     name: Update quick fix status
     runs-on: ubuntu-20.04
-    permissions:
-      id-token: write # OIDC auth for Vault
-      contents: read # checkout
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-    - name: 'get secrets'
-      id: secrets
-      uses: SonarSource/vault-action-wrapper@v3
-      with:
-        secrets: |
-          development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN;
     - uses: actions/checkout@v2
       with:
         persist-credentials: true
@@ -56,6 +49,4 @@ jobs:
 
     - name: 'Update quickfix status'
       working-directory: 'rspec/rspec-tools'
-      env:
-        COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }}
       run: pipenv run rspec-tools update-quickfix-status --user ${{ github.actor }} --rule "${{ github.event.inputs.rule }}" --language "${{ github.event.inputs.language }}" --status "${{ github.event.inputs.status }}"

frontend/README.adoc

@@ -36,7 +36,7 @@ NOTE: If the script fails to clone or fetch due to an SSL certificate failure
       As a workaround you can https://github.com/nodegit/nodegit/issues/1742[disable the certificate check].
 
 NOTE: In the predeploy step (specifically the `prepare-rules` part of it) the script fetches all the open PRs locally.
-      You might want to set `COVERAGE_GITHUB_TOKEN` to your personal GitHub token
+      You might want to set `GITHUB_TOKEN` to your personal GitHub token
       to avoid GitHub throttling your requests during the predeploy stage.
 
 

frontend/src/deployment/pullRequestIndexing.ts

@@ -24,14 +24,14 @@ export interface PullRequest {
  */
 export async function process_incomplete_rspecs(tmpRepoDir: string,
                                                 callback: (srcDir: string, pr: PullRequest)=>void) {
-  const octokit = process.env.COVERAGE_GITHUB_TOKEN ?
-    new Octokit({userAgent: 'rspec-tools', auth: process.env.COVERAGE_GITHUB_TOKEN}):
+  const octokit = process.env.GITHUB_TOKEN ?
+    new Octokit({userAgent: 'rspec-tools', auth: process.env.GITHUB_TOKEN}):
     new Octokit({userAgent: 'rspec-tools'});
 
   const repo = await (() => {
     if (!fs.existsSync(path.join(tmpRepoDir, '.git'))) {
-      if (process.env.COVERAGE_GITHUB_TOKEN) {        
-        return Git.Clone.clone(`https://${process.env.COVERAGE_GITHUB_TOKEN}@github.com/SonarSource/rspec/`, tmpRepoDir);
+      if (process.env.GITHUB_TOKEN) {
+        return Git.Clone.clone(`https://${process.env.GITHUB_TOKEN}@github.com/SonarSource/rspec/`, tmpRepoDir);
       } else {
         return Git.Clone.clone('https://github.com/SonarSource/rspec/', tmpRepoDir);
       }

rspec-tools/rspec_tools/cli.py

@@ -45,7 +45,7 @@ def check_links(d):
 @click.option('--user', required=False)
 def create_rule(languages: str, user: Optional[str]):
   '''Create a new rule.'''
-  token = os.environ.get('COVERAGE_GITHUB_TOKEN')
+  token = os.environ.get('GITHUB_TOKEN')
   rspec_tools.create_rule.create_new_rule(languages, token, user)
 
 
@@ -55,7 +55,7 @@ def create_rule(languages: str, user: Optional[str]):
 @click.option('--user', required=False)
 def add_lang_to_rule(language: str, rule: str, user: Optional[str]):
   '''Add a new language to rule.'''
-  token = os.environ.get('COVERAGE_GITHUB_TOKEN')
+  token = os.environ.get('GITHUB_TOKEN')
   rspec_tools.create_rule.add_language_to_rule(language, rule, token, user)
 
 
@@ -66,7 +66,7 @@ def add_lang_to_rule(language: str, rule: str, user: Optional[str]):
 @click.option('--user', required=False)
 def update_quickfix_status(language: str, rule: str, status: str, user: Optional[str]):
   '''Update the status of quick fix for the given rule/language'''
-  token = os.environ.get('COVERAGE_GITHUB_TOKEN')
+  token = os.environ.get('GITHUB_TOKEN')
   rspec_tools.modify_rule.update_rule_quickfix_status(language, rule, status, token, user)
 
 

rspec-tools/rspec_tools/coverage.py

@@ -153,9 +153,9 @@ def all_implemented_rules():
 
 def checkout_repo(repo):
   git_url=f"https://github.com/SonarSource/{repo}"
-  token=os.getenv('COVERAGE_GITHUB_TOKEN')
+  token=os.getenv('GITHUB_TOKEN')
   if token:
-    git_url=f"https://${token}@github.com/SonarSource/{repo}"
+    git_url=f"https://oauth2:{token}@github.com/SonarSource/{repo}"
   if not os.path.exists(repo):
     return Repo.clone_from(git_url, repo)
   else:

rspec-tools/tests/test_cli.py

@@ -12,7 +12,7 @@
 class TestCLIUpdateQuickfixStatus:
   '''Unit test for quickfix status update through Command Line Interface.'''
 
-  @patch.dict(os.environ, {'COVERAGE_GITHUB_TOKEN': 'TOKEN'})
+  @patch.dict(os.environ, {'GITHUB_TOKEN': 'TOKEN'})
   @patch('rspec_tools.modify_rule.update_rule_quickfix_status')
   def test_basic_cli_usage(self, mock):
     arguments = [