BUILD-4131 Use GitHub token from Vault instead of Github stored token (…

…#4550) That way it can be rotated in an easier manner
SonarSource · Nov 17, 2023 · 0e81b6e · 0e81b6e
1 parent 4a2dac8
commit 0e81b6e
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/.github/workflows/dogfood.yml b/.github/workflows/dogfood.yml
@@ -20,17 +20,17 @@ jobs:
     name: Update dogfood branch
     permissions:
       id-token: write # required for SonarSource/vault-action-wrapper
-      contents: write # required to grant GITHUB_TOKEN writing permission
     steps:
     - name: get secrets
       id: secrets
       uses: SonarSource/vault-action-wrapper@d1c1ab4ca5ad07fd9cdfe1eff038a39673dfca64  # tag=2.4.2-1
       with:
         secrets: |
           development/kv/data/slack webhook | SLACK_WEBHOOK;
+          development/github/token/{REPO_OWNER_NAME_DASH}-dogfood-merge token | dogfood_token;
     - name: git octopus step
       env:
-        GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+        GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).dogfood_token }}
       id: dogfood
       uses: SonarSource/gh-action_dogfood_merge@v1
       with: