From 2cb8f4a24fdb059d64def6cec481f9a907730044 Mon Sep 17 00:00:00 2001
From: Joey Orlando
Date: Thu, 19 Sep 2024 16:05:16 -0400
Subject: [PATCH] ci: fix snyk security scans (#5046)

# What this PR does

Similar to https://github.com/grafana/gops-labels/pull/137, use common vault secret rather than the org github secret
---
 .github/workflows/snyk-security-scan.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/snyk-security-scan.yml b/.github/workflows/snyk-security-scan.yml
index e4758f40..0ecedc75 100644
--- a/.github/workflows/snyk-security-scan.yml
+++ b/.github/workflows/snyk-security-scan.yml
@@ -15,12 +15,19 @@ jobs:
 # only required for workflows in private repositories
 actions: read
 contents: read
+ # required for Vault secrets
+ id-token: write
 steps:
 - uses: actions/checkout@v4
 - name: Setup Python
 uses: ./.github/actions/setup-python
 - name: Install frontend dependencies
 uses: ./.github/actions/install-frontend-dependencies
+ - name: Get Vault secrets
+ uses: grafana/shared-workflows/actions/get-vault-secrets@main
+ with:
+ common_secrets: |
+ SNYK_TOKEN=snyk_scan_github_action:token
 - name: Install Snyk
 uses: snyk/actions/setup@master
 # NOTE: on the snyk monitor and snyk test commands, we are excluding the dev and tools directories
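Review bot: The new `Get Vault secrets` step fetches a live credential through `grafana/shared-workflows/actions/get-vault-secrets@main`, a mutable branch ref, so anyone who can push to that repository's `main` can change the code that handles `SNYK_TOKEN` on every run; pin it to a full commit SHA with the release tag in a trailing comment, e.g. `uses: grafana/shared-workflows/actions/get-vault-secrets@<full-commit-sha> # <release-tag>` (the unchanged `snyk/actions/setup@master` line two steps below has the same exposure). Note also that the `env:` blocks deleted in the second hunk scoped the token to the two snyk commands, whereas the Vault action presumably exports it into the job environment, so the token is now visible to every later step including the third-party setup action — if that widening is not intended, consider placing the fetch step immediately before `snyk monitor`. The added `id-token: write` is the minimum the OIDC exchange needs and sits correctly at job level next to the existing read-only grants.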
@@ -31,15 +38,11 @@ jobs:
 - name: snyk monitor
 # https://docs.snyk.io/snyk-cli/commands/monitor
 run: snyk monitor --all-projects --severity-threshold=high --exclude=dev,tools
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 - name: snyk test
 # https://docs.snyk.io/snyk-cli/commands/test
 # yamllint disable rule:line-length
 run: snyk test --all-projects --severity-threshold=high --exclude=dev,tools --fail-on=all --show-vulnerable-paths=all
 # yamllint enable rule:line-length
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 # TODO: setup snyk container monitor & snyk container test
 # will require building the docker image and storing it in the local docker registry..
 # will need to refactor .github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml