
SLI-2606 Fix failing shadow scan CI #1722

Merged
nquinquenel merged 1 commit into master from task/nq/fix-shadow-scan
Apr 10, 2026

Conversation

@nquinquenel (Member)

Following recent refactoring, the CI step was moved to a container, breaking IRIS scan. We should put this one in a separate task, not running in a container.

@hashicorp-vault-sonar-prod bot changed the title from "Fix failing shadow scan CI" to "SLI-2606 Fix failing shadow scan CI" on Apr 10, 2026

hashicorp-vault-sonar-prod bot commented Apr 10, 2026

SLI-2606

@nquinquenel nquinquenel requested a review from Krosovok April 10, 2026 14:06
@nquinquenel nquinquenel marked this pull request as ready for review April 10, 2026 14:06

sonar-review-alpha bot commented Apr 10, 2026

Summary

What changed: The IRIS Analysis step has been extracted from the containerized shadow scan job into a separate, dedicated job that runs on a regular GitHub runner instead.

Why: Recent refactoring moved CI steps into a container, which broke IRIS scanning. IRIS analysis requires a non-containerized environment to function properly.

Impact: The IRIS scan will now run independently after the scan job completes, restoring functionality without blocking other CI steps or requiring them to adapt to container constraints.

What reviewers should know

Key changes:

  • New iris: job added to the workflow (separate from containerized scan job)
  • Job depends on scan job completing first (needs: scan)
  • Uses github-ubuntu-latest-m runner (non-containerized environment)
  • Includes appropriate permissions for IRIS action (id-token: write)

For reviewers:
The change is minimal and isolated to the workflow file. The IRIS step itself is unchanged; only its execution context is different. Verify that the job dependencies and runner type are appropriate for IRIS requirements.


@sonarqube-next

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube


@sonar-review-alpha sonar-review-alpha bot left a comment


LGTM! ✅

Clean, minimal fix. The iris job is correctly structured as a standalone job that runs after scan completes — it uses a bare runner (no container: block), which is exactly what IRIS requires. Permissions are appropriately scoped (id-token: write for OIDC token exchange, contents: read only).

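Added example, not the project's own workflow file, illustrating the shape of the change described in the bot summary above and in this review comment: the IRIS step sitting inside a job that runs in a container (the broken layout), beside the extracted `iris` job on a bare runner with job-scoped permissions. The runner label `github-ubuntu-latest-m`, the job names `scan` and `iris`, `needs: scan` and the `id-token: write` / `contents: read` permissions come from the discussion; the action reference `ORG/IRIS-ACTION@VERSION`, the container image, the script path and the checkout step in the `iris` job are placeholders and assumptions.

```yaml
# Added example (not the repository's workflow). Two YAML documents: the
# layout that broke IRIS, then the layout the PR describes. ORG/IRIS-ACTION,
# ORG/SCAN-IMAGE and scripts/shadow-scan.sh are placeholders.

# --- before: IRIS Analysis is a step of a job whose steps execute in a container ---
jobs:
  scan:
    runs-on: github-ubuntu-latest-m
    container:
      image: ORG/SCAN-IMAGE:TAG      # every step below runs inside this container
    steps:
      - uses: actions/checkout@v4
      - name: Shadow scan
        run: ./scripts/shadow-scan.sh
      - name: IRIS Analysis          # fails here: IRIS needs a non-containerized environment
        uses: ORG/IRIS-ACTION@VERSION

---
# --- after: IRIS Analysis extracted into its own job on a plain runner ---
jobs:
  scan:
    runs-on: github-ubuntu-latest-m
    container:
      image: ORG/SCAN-IMAGE:TAG
    steps:
      - uses: actions/checkout@v4
      - name: Shadow scan
        run: ./scripts/shadow-scan.sh

  iris:
    needs: scan                      # runs only after the scan job has completed
    runs-on: github-ubuntu-latest-m  # no container: block, so steps run on the runner itself
    permissions:                     # job-level block: only this job gets these grants
      id-token: write                # needed for the OIDC token exchange the IRIS action performs
      contents: read                 # least privilege: nothing beyond read access to the repo
    steps:
      - uses: actions/checkout@v4    # assumption: IRIS needs the repository checked out
      - name: IRIS Analysis
        uses: ORG/IRIS-ACTION@VERSION
```

Declaring `permissions:` on the `iris` job rather than at workflow level keeps the `id-token: write` grant out of the containerized `scan` job and any other job in the workflow; when checking a change like this, confirm that the workflow-level `permissions` (if any) were not widened at the same time and that the dependent job still runs the unchanged IRIS step.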

@nquinquenel nquinquenel merged commit ac9a29b into master Apr 10, 2026
32 checks passed
@nquinquenel nquinquenel deleted the task/nq/fix-shadow-scan branch April 10, 2026 14:39