BUILD-10311 Auto-select Vault role based on GITHUB_REF#70
Merged
jayadeep-km-sonarsource merged 1 commit intomasterfrom Feb 5, 2026
Merged
Conversation
jayadeep-km-sonarsource
force-pushed
the
feat/jd/BUILD-10311-wrapperAutoRoleSelection
branch
from
5467190 to
3cddf6d
Compare
There was a problem hiding this comment.
Pull request overview
This PR implements automatic Vault JWT role selection based on the Git ref to enable branch-based secret protection. Protected branches (main, master) and tags automatically use a -protected role suffix, while other refs (feature branches, PRs) use the base role.
Changes:
- Adds optional
roleinput parameter for explicit role override (maintains backward compatibility) - Implements auto-selection logic that chooses between
github-{org}-{repo}-protectedandgithub-{org}-{repo}based on GITHUB_REF patterns - Adds documentation explaining role selection behavior in README and new CLAUDE.md file
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| action.yaml | Adds role input parameter and implements auto-selection logic with pattern matching for protected refs (main, master, tags/*) |
| README.md | Documents the role selection feature with examples and explains the branch-based protection model |
| CLAUDE.md | New developer documentation file summarizing the project, role selection, and release process |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Add automatic role selection for branch-based secret protection:
- Protected refs (main, master, branch-*, tags/*) use github-{org}-{repo}-protected
- Other refs use github-{org}-{repo}
New optional `role` input allows explicit override for backward compatibility.
Debug logging shows selected role and detection reason.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
jayadeep-km-sonarsource
force-pushed
the
feat/jd/BUILD-10311-wrapperAutoRoleSelection
branch
from
3cddf6d to
664935d
Compare
julien-carsique-sonarsource
approved these changes
Feb 5, 2026
jayadeep-km-sonarsource
deleted the
feat/jd/BUILD-10311-wrapperAutoRoleSelection
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
BUILD-10311 Auto-select Vault role based on GITHUB_REF
Implements automatic role selection for branch-based secret protection as part of the BUILD-10240 epic.
Changes
roleinput: Optional parameter to explicitly specify the Vault JWT role (backward compatible)roleis not provided, selects based onGITHUB_REF:refs/heads/main,refs/heads/master,refs/tags/*) →github-{org}-{repo}-protectedgithub-{org}-{repo}core.info()Dependencies
Related