Skip to content

SonarSource/vault-action-wrapper

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

55 Commits
.github
.github
 
 
.markdownlint.yaml
.markdownlint.yaml
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
action.yaml
action.yaml
 
 

Repository files navigation

vault-action-wrapper

Ease the usage of hashicorp/vault-action within Sonar

Usage

This wrapper will select https://vault.sonar.build:8200 automatically.

- name: get secrets
  id: secrets
  uses: SonarSource/vault-action-wrapper@v3
  with:
    secrets: |
      development/artifactory/token/{REPO_OWNER_NAME_DASH}-test access_token | jf_access_token;
- run: login-command ${{ fromJSON(steps.secrets.outputs.vault).jf_access_token }}

The secrets parameter will be pre-processed before passing it to the vault-action. The following placeholders will be replaced:

  • {GITHUB_REPOSITORY} => octocat/Hello-World
  • {GITHUB_REPOSITORY_OWNER} => octocat
  • {REPO_NAME} => Hello-World
  • {REPO_OWNER_NAME_DASH} => octocat-Hello-World

The secrets can be accessed via fromJSON(steps.secrets.outputs.vault).name, where name is the variable at the end of every line of the secrets (jf_access_token in the above example).

Permissions

The action is using OIDC to authenticate. This requires write permissions for id-token to fetch a JWT.

jobs:
  foo:
    permissions:
      id-token: write
      ...

For further information, see HashiCorp Vault GitHub Action.

Examples

SonarCloud Scan

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    permissions:
      id-token: write     # required by SonarSource/vault-action-wrapper
      contents: read      # required by actions/checkout
      pull-requests: read # required by SonarSource/sonarcloud-github-action
    steps:
      - uses: actions/checkout@v4
        with:
          # Disabling shallow clone is recommended for improving relevancy of reporting
          fetch-depth: 0
      - id: secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: |
            development/kv/data/sonarcloud token | sonarcloud_token;
      - uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).sonarcloud_token }}

Real-world examples

FAQ

Error: You must provide a valid path and key. Input "some/path/to/secret | ..."

This error can be raised for multiple reasons:

  • the requested secret is wrongly written or does not exist

  • the repository is not granted access to this secret by the RE-team

    Due to security reason, the Vault will not tell it knows something about a secret if the user is not granted to reach it.

Timeout error

Such error could be raised in case the Vault instance is unreachable.

Error: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable

id-token: write permission is missing.

Release

Create a release from a maintained branches, then update the v* shortcut:

git fetch --tags
git update-ref -m "reset: update branch v3 to tag 3.0.0" refs/heads/v3 3.0.0
git push origin v3

About

Ease the usage of hashicorp/vault-action within Sonar

Resources

Readme

License

LGPL-3.0 license

Security policy

Security policy
Activity
Custom properties

Stars

2 stars

Watchers

13 watching

Forks

0 forks
Report repository

Releases 13

3.0.2 Latest
Oct 28, 2024
+ 12 releases

Packages

No packages published

Contributors 7