From 30238ebebe9af9e41f763503126b12a0fc85cb89 Mon Sep 17 00:00:00 2001
From: marcusquinn <6428977+marcusquinn@users.noreply.github.com>
Date: Thu, 19 Mar 2026 21:57:19 +0000
Subject: [PATCH] fix: move secrets from run blocks to env blocks to resolve S7636 hotspots (issue #106)
---
 .github/workflows/code-quality.yml | 4 +++-
 .github/workflows/sonarcloud.yml | 4 +++-
 .github/workflows/sync-wiki.yml | 10 ++++++++--
 3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
index ca07297..4168b70 100644
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@@ -143,8 +143,10 @@ jobs:
 - name: Check if Codacy token is set
 id: check_codacy_token
+ env:
+ CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
 run: |
- if [ -z "${{ secrets.CODACY_PROJECT_TOKEN }}" ]; then
+ if [ -z "$CODACY_PROJECT_TOKEN" ]; then
 echo "CODACY_PROJECT_TOKEN is not set, running Codacy without upload"
 echo "skip_upload=true" >> $GITHUB_OUTPUT
 else
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index c756522..b60838a 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -39,8 +39,10 @@ jobs:
 - name: Check if SonarCloud token is set
 id: check_token
+ env:
+ SONARCLOUD_GITHUB: ${{ secrets.SONARCLOUD_GITHUB }}
 run: |
- if [ -z "${{ secrets.SONARCLOUD_GITHUB }}" ]; then
+ if [ -z "$SONARCLOUD_GITHUB" ]; then
 echo "SONARCLOUD_GITHUB is not set, skipping SonarCloud analysis"
 echo "skip=true" >> $GITHUB_OUTPUT
 else
diff --git a/.github/workflows/sync-wiki.yml b/.github/workflows/sync-wiki.yml
index 5ce4498..677747c 100644
--- a/.github/workflows/sync-wiki.yml
+++ b/.github/workflows/sync-wiki.yml
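Review bot: The new `env:` entry in the Codacy check step carries no comment explaining why the secret is mapped through the environment instead of being expanded with `${{ }}` inside `run:`, so a later edit may well put the expression back; the identical addition in the sonarcloud.yml hunk has the same gap. A one-line comment above each `env:` would pin the intent, e.g. `# Map the secret via env so its value is never expanded into the shell script text (S7636)`. The `if [ -z "$CODACY_PROJECT_TOKEN" ]` form (and `"$SONARCLOUD_GITHUB"` in sonarcloud.yml) is correct as written, since the quoted expansion keeps an empty value as an empty argument. The `run:` script of both steps continues past the hunk.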
@@ -23,10 +23,16 @@ jobs:
 git config --global user.email "actions@github.com"
 - name: Clone wiki repository
+ env:
+ GH_REPOSITORY: ${{ github.repository }}
 run: |
- git clone https://github.com/${{ github.repository }}.wiki.git wiki
+ git clone "https://github.com/${GH_REPOSITORY}.wiki.git" wiki
 - name: Sync wiki content
+ env:
+ GH_ACTOR: ${{ github.actor }}
+ GH_REPOSITORY: ${{ github.repository }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 # Remove all files from wiki repository except .git
 find wiki -mindepth 1 -maxdepth 1 -not -name '.git' -exec rm -rf {} \;
@@ -50,4 +56,4 @@ jobs:
 git commit -m "Sync wiki from source repository"
 # Push changes
- git push https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.wiki.git
+ git push "https://${GH_ACTOR}:${GH_TOKEN}@github.com/${GH_REPOSITORY}.wiki.git"
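Review bot: `GH_REPOSITORY` and `GH_ACTOR` in the two new `env:` blocks duplicate values the runner already exports to every step as `GITHUB_REPOSITORY` and `GITHUB_ACTOR`, so only `GH_TOKEN` actually needs an `env:` mapping. The clone line can read `git clone "https://github.com/${GITHUB_REPOSITORY}.wiki.git" wiki` and the push line in the second hunk `git push "https://${GITHUB_ACTOR}:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.wiki.git"`, with the three non-secret `env:` entries removed. Keeping `GH_TOKEN` scoped to the sync step rather than the job is the right call, since only that step pushes; note that `GH_TOKEN` is also the variable the `gh` CLI reads, so any `gh` invocation later added to that step would authenticate with it. The `run:` script of the sync step continues outside the first hunk.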