Add GitHub token for private rspec repository access in update-rule-metadata

nils-werner-sonarsource · claude · nils-werner-sonarsource · commit d726e1449045 · 2026-02-13T16:34:41.000+01:00
The rspec repository is now private, requiring authentication. This adds
a GitHub token from vault and passes it as GITHUB_TOKEN env variable to
the rule-api execution step.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/test-update-rule-metadata.yml b/.github/workflows/test-update-rule-metadata.yml
@@ -165,6 +165,56 @@ jobs:
           echo "✓ All expected outputs are defined"
           echo "✓ Output schema validation complete"
 
+  vault-and-env-tests:
+    name: Test Vault Secrets and Environment Variables
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Verify GitHub token vault secret is configured
+        run: |
+          echo "Testing that vault secrets include GitHub token..."
+
+          # Test that the vault step retrieves a GitHub token for private rspec repo access
+          if grep -A10 "Get vault secrets" update-rule-metadata/action.yml | grep -q "development/github/token/{REPO_OWNER_NAME_DASH}-its"; then
+            echo "✓ GitHub token vault secret path found"
+          else
+            echo "✗ GitHub token vault secret path not found in vault step"
+            exit 1
+          fi
+
+          # Test that the GitHub token is mapped to GITHUB_TOKEN
+          if grep -A10 "Get vault secrets" update-rule-metadata/action.yml | grep -q "GITHUB_TOKEN"; then
+            echo "✓ GITHUB_TOKEN mapping found in vault secrets"
+          else
+            echo "✗ GITHUB_TOKEN mapping not found in vault secrets"
+            exit 1
+          fi
+
+      - name: Verify GITHUB_TOKEN is passed to rule-api execution step
+        run: |
+          echo "Testing that rule-api step has GITHUB_TOKEN in env..."
+
+          # Extract the rule-api step block (from "Run rule-api" to the next step marker)
+          STEP_BLOCK=$(sed -n '/name: Run rule-api to update metadata/,/^    - name: Remove rule-api/p' update-rule-metadata/action.yml)
+
+          if echo "$STEP_BLOCK" | grep -q "GITHUB_TOKEN"; then
+            echo "✓ GITHUB_TOKEN found in rule-api execution step"
+          else
+            echo "✗ GITHUB_TOKEN not found in rule-api execution step"
+            exit 1
+          fi
+
+          # Verify it references the vault output
+          if echo "$STEP_BLOCK" | grep -q "fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN"; then
+            echo "✓ GITHUB_TOKEN references vault output correctly"
+          else
+            echo "✗ GITHUB_TOKEN does not reference vault output"
+            exit 1
+          fi
+
   integration-tests:
     name: Integration Tests
     runs-on: ubuntu-latest
@@ -212,7 +262,7 @@ jobs:
   validation-summary:
     name: Test Summary
     runs-on: ubuntu-latest
-    needs: [input-parameter-tests, branch-parameter-tests, output-validation, integration-tests]
+    needs: [input-parameter-tests, branch-parameter-tests, output-validation, integration-tests, vault-and-env-tests]
     if: always()
 
     steps:
@@ -225,11 +275,13 @@ jobs:
           echo "Branch Parameter Tests: ${{ needs.branch-parameter-tests.result }}"
           echo "Output Validation: ${{ needs.output-validation.result }}"
           echo "Integration Tests: ${{ needs.integration-tests.result }}"
+          echo "Vault & Env Variable Tests: ${{ needs.vault-and-env-tests.result }}"
           echo "================================"
 
           if [[ "${{ needs.input-parameter-tests.result }}" == "success" && \
                 "${{ needs.branch-parameter-tests.result }}" == "success" && \
-                "${{ needs.output-validation.result }}" == "success" ]]; then
+                "${{ needs.output-validation.result }}" == "success" && \
+                "${{ needs.vault-and-env-tests.result }}" == "success" ]]; then
             echo "✓ All validation tests passed!"
             echo "✓ Action is properly configured and ready to use"
           else
diff --git a/update-rule-metadata/README.md b/update-rule-metadata/README.md
@@ -14,7 +14,7 @@ The action performs the following operations:
 ## Dependencies
 
 This action depends on:
-- [SonarSource/vault-action-wrapper](https://github.com/SonarSource/vault-action-wrapper) for retrieving Artifactory credentials
+- [SonarSource/vault-action-wrapper](https://github.com/SonarSource/vault-action-wrapper) for retrieving Artifactory credentials and GitHub token
 - Java 17 runtime for executing the rule-api JAR
 - Git for detecting changes and creating pull requests
 - [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) for automated PR creation
@@ -105,6 +105,7 @@ jobs:
 
 The action uses a bash script that:
 - Authenticates with Artifactory using credentials from HashiCorp Vault
+- Retrieves a GitHub token from Vault for accessing the private rspec repository
 - Downloads and caches the specified rule-api JAR version
 - Automatically discovers all directories containing sonarpedia.json files (unless specific files are provided)
 - Changes into each directory and runs the rule-api update command
@@ -113,8 +114,11 @@ The action uses a bash script that:
 
 ## Prerequisites
 
-The action requires that the repository has the `development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader` token configured in vault.
-This can be done using the SPEED self-service portal ([more info](https://xtranet-sonarsource.atlassian.net/wiki/spaces/Platform/pages/3553787989/Manage+Vault+Policy+-+SPEED)).
+The action requires the following tokens configured in vault:
+- `development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader` for downloading the rule-api JAR from Artifactory
+- `development/github/token/{REPO_OWNER_NAME_DASH}-its` for authenticating with the private rspec repository
+
+These can be configured using the SPEED self-service portal ([more info](https://xtranet-sonarsource.atlassian.net/wiki/spaces/Platform/pages/3553787989/Manage+Vault+Policy+-+SPEED)).
 
 The repository must have:
 - Proper sonarpedia.json files in language-specific directories
@@ -123,7 +127,7 @@ The repository must have:
 
 ## Notes
 
-- This action requires access to SonarSource's HashiCorp Vault for Artifactory credentials
+- This action requires access to SonarSource's HashiCorp Vault for Artifactory credentials and a GitHub token for the private rspec repository
 - The action automatically discovers all sonarpedia.json files unless specific files are provided
 - Pull requests are created with the label `skip-qa` and target the specified branch (defaults to `master`)
 - The rule-api JAR is cached to improve performance on subsequent runs
diff --git a/update-rule-metadata/action.yml b/update-rule-metadata/action.yml
@@ -43,7 +43,8 @@ runs:
       with:
         secrets: |
           development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
-          development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader role | ARTIFACTORY_ROLE;  
+          development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader role | ARTIFACTORY_ROLE;
+          development/github/token/{REPO_OWNER_NAME_DASH}-its token | GITHUB_TOKEN;
 
     - name: Cache rule-api jar
       id: cache-rule-api
@@ -72,6 +73,8 @@ runs:
 
     - name: Run rule-api to update metadata
       shell: bash
+      env:
+        GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
       run: |
         echo "" > rule-api-logs.txt
         
