BUILD-10632 Improve Vault diagnostic error messages with actionable guidance#72

Merged
jayadeep-km-sonarsource merged 1 commit into master from
fix/jd/BUILD-10632-improveVaultDiagnosticMessages
Mar 17, 2026
@jayadeep-km-sonarsource jayadeep-km-sonarsource commented Mar 10, 2026

BUILD-10632

Why

Error messages in the Vault diagnostic step are terse and developer-facing. Users hitting failures get no remediation steps, no links, and jargon like "KV" or "dynamic secrets" — leading to avoidable support requests in #ask-squad-eng-xp.

What changed

All changes are in action.yaml, in the "Diagnose secret access failures" step. No changes to the diagnostic logic itself (capability checks, login flow, path parsing).

Constants extracted

Repeated strings (SUPPORT_CHANNEL, TERRAFORM_REPO, PORT_SELF_SERVICE, DEBUG_HINT) are now defined once at the top of the script block for easy maintenance.

Error branches — before vs after

| Scenario | Before | After |
| --- | --- | --- |
| 5xx server error | (not handled — fell through to the generic 4xx message) | Dedicated branch: suggests rerunning the workflow, links to the status page, then #ask-squad-eng-xp |
| 4xx auth error (role missing/misconfigured) | Cannot diagnose individual secrets — Vault login failed (status). The role "..." may not exist or is misconfigured. | Explains the likely cause (repo not onboarded / role misconfigured), links to the terraform repo to fix, includes the debug hint |
| Auth exception (network/token error) | Cannot diagnose individual secrets: <error> | Includes the debug hint + support channel |
| Denied paths | Vault secrets retrieval failed — N path(s) denied: path1, path2 + a generic core.info link to the terraform repo | Splits paths into KV vs non-KV using the /kv/ heuristic. KV paths → Port self-service portal link (user can fix themselves). Non-KV paths → terraform repo link. Lists the actual denied paths under each category. |
| Unknown failure (no denied paths found) | Vault secrets retrieval failed but all paths appear individually accessible. The error may be transient or caused by a different issue. | Includes the debug hint + support channel |

Consistent escalation path

Every error branch now follows: specific remediation action → Claude Code debug-github-actions skill (with workflow run URL) → #ask-squad-eng-xp as last resort.

Code reordering

secretPaths parsing moved after the auth block — it's not needed if auth fails, and this avoids a confusing "could not parse secret paths" error when the real problem is auth.

Behavioral notes

  • Error messages are intentionally longer — the goal is to reduce back-and-forth by giving users everything they need in one message.
  • The /kv/ path heuristic matches all current Vault mount conventions at SonarSource.
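
As an added illustration (not the code in action.yaml and not written by the PR author), the branch order and KV split described above could look like this in JavaScript. The URLs are placeholders, `STATUS_PAGE`, `isKvPath` and `diagnose` are hypothetical names, and treating the /kv/ heuristic as a plain substring match is an assumption.

```javascript
// Added illustration, not the code in action.yaml. URLs are placeholders.
const SUPPORT_CHANNEL = '#ask-squad-eng-xp';
const TERRAFORM_REPO = '<terraform-repo-url>';
const PORT_SELF_SERVICE = '<port-self-service-url>';
const STATUS_PAGE = '<status-page-url>'; // hypothetical constant name
const DEBUG_HINT = 'debug-github-actions skill';

// Assumed reading of the "/kv/ heuristic": plain substring match.
const isKvPath = (path) => path.includes('/kv/');

// login:  { status } from the Vault login call, or { error } if it threw.
// checks: [{ path, allowed }] from the per-path capability checks.
function diagnose(login, checks) {
  if (login.error) {
    return { kind: 'auth-exception', steps: [DEBUG_HINT, SUPPORT_CHANNEL] };
  }
  // Test 5xx first so an outage is never reported as a role problem.
  if (login.status >= 500) {
    return { kind: 'server-error',
             steps: ['rerun workflow', STATUS_PAGE, SUPPORT_CHANNEL] };
  }
  if (login.status >= 400) {
    return { kind: 'auth-error',
             steps: [TERRAFORM_REPO, DEBUG_HINT, SUPPORT_CHANNEL] };
  }
  // Paths are only examined once login has succeeded.
  const denied = checks.filter((c) => !c.allowed).map((c) => c.path);
  if (denied.length === 0) {
    return { kind: 'unknown', steps: [DEBUG_HINT, SUPPORT_CHANNEL] };
  }
  const kv = denied.filter(isKvPath);
  const other = denied.filter((p) => !isKvPath(p));
  const steps = [];
  if (kv.length) steps.push(PORT_SELF_SERVICE);
  if (other.length) steps.push(TERRAFORM_REPO);
  return { kind: 'denied', kv, other,
           steps: [...steps, DEBUG_HINT, SUPPORT_CHANNEL] };
}

// Constructed sample paths; none are taken from the PR.
const SAMPLE_CHECKS = [
  { path: 'team-a/kv/data/deploy-token', allowed: false },
  { path: 'team-a/aws/sts/ci-role', allowed: false },
  { path: 'kv/data/root-mounted', allowed: false }, // no leading "/kv/"
  { path: 'team-a/kv/data/readable', allowed: true },
];
console.log(diagnose({ status: 200 }, SAMPLE_CHECKS));
console.log(diagnose({ status: 503 }, SAMPLE_CHECKS).kind);
```

Under the substring assumption, a mount at the path root (`kv/data/...`) is classified as non-KV and routed to the terraform repo, which is the case to re-check if mount conventions change.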

…uidance

- Extract repeated strings (support channel, repo URLs, debug hint)
  into constants for maintainability
- Add consistent escalation path across all error branches:
  specific fix → debug-github-actions skill → #ask-squad-eng-xp
- Split denied paths into KV (Port self-service portal) vs
  infrastructure secrets (terraform repo) with plain-language
  descriptions listing the actual affected paths
- Add debug hint with awesome-ai repo link to 4xx auth and
  denied-paths errors where it was previously missing
- Add 5xx server error branch suggesting rerun and status page check

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@jayadeep-km-sonarsource jayadeep-km-sonarsource marked this pull request as ready for review March 17, 2026 14:58
@jayadeep-km-sonarsource jayadeep-km-sonarsource requested a review from a team as a code owner March 17, 2026 14:58
Copilot AI review requested due to automatic review settings March 17, 2026 14:58
Copilot AI left a comment

Pull request overview

Improves the “Diagnose secret access failures” step in the composite Vault action to provide more actionable, user-oriented failure messages and clearer remediation paths when Vault authentication or secret access checks fail.

Changes:

  • Extracted reusable message/link constants (support channel, infra repo, self-service portal, debug hint) and added workflow run URL context.
  • Refined Vault login failure handling (separate 5xx vs 4xx) with expanded guidance and debug instructions.
  • Enhanced denied-path reporting by splitting KV vs non-KV paths and directing users to the appropriate remediation route.

@jayadeep-km-sonarsource jayadeep-km-sonarsource enabled auto-merge (rebase) March 17, 2026 15:02
@jayadeep-km-sonarsource jayadeep-km-sonarsource merged commit c154b4a into master Mar 17, 2026
6 checks passed
@jayadeep-km-sonarsource jayadeep-km-sonarsource deleted the fix/jd/BUILD-10632-improveVaultDiagnosticMessages branch March 17, 2026 16:37