From 523574a93e6c41da6ec2f3528f3e5b191f85f120 Mon Sep 17 00:00:00 2001
From: marcusquinn <6428977+marcusquinn@users.noreply.github.com>
Date: Thu, 19 Mar 2026 03:17:06 +0000
Subject: [PATCH] fix: move secret expansion from run blocks to env blocks (SonarCloud S7636)

Resolves SonarCloud security hotspots S7636 in three workflow files:
- code-quality.yml: CODACY_PROJECT_TOKEN moved to env block on check step
- sonarcloud.yml: SONARCLOUD_GITHUB moved to env block on check step
- sync-wiki.yml: GITHUB_TOKEN and context vars moved to env block on sync step

Secrets are now passed as environment variables and referenced via $VAR rather than being expanded inline in run: shell blocks, which prevents secret values from appearing in workflow logs and resolves the hotspots.

Closes #106
---
 .github/workflows/code-quality.yml | 4 +++-
 .github/workflows/sonarcloud.yml | 4 +++-
 .github/workflows/sync-wiki.yml | 6 +++++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
index ca07297..4168b70 100644
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@@ -143,8 +143,10 @@ jobs:
 - name: Check if Codacy token is set
 id: check_codacy_token
+ env:
+ CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
 run: |
- if [ -z "${{ secrets.CODACY_PROJECT_TOKEN }}" ]; then
+ if [ -z "$CODACY_PROJECT_TOKEN" ]; then
 echo "CODACY_PROJECT_TOKEN is not set, running Codacy without upload"
 echo "skip_upload=true" >> $GITHUB_OUTPUT
 else
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index c756522..b60838a 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
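Review bot: The `$GITHUB_OUTPUT` redirect on the `echo "skip_upload=true"` context line is left unquoted while the line just above it now reads a shell variable in quotes; for consistency and word-splitting safety it should be `echo "skip_upload=true" >> "$GITHUB_OUTPUT"`, and the same applies to the `skip=true` line in the sonarcloud.yml hunk. Moving the secret into `env:` is the right shape for this check: the value is no longer spliced into the generated script text and the test reads it at run time. The `if`/`else` body of this `run:` block continues outside the hunk.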
@@ -39,8 +39,10 @@ jobs:
 - name: Check if SonarCloud token is set
 id: check_token
+ env:
+ SONARCLOUD_GITHUB: ${{ secrets.SONARCLOUD_GITHUB }}
 run: |
- if [ -z "${{ secrets.SONARCLOUD_GITHUB }}" ]; then
+ if [ -z "$SONARCLOUD_GITHUB" ]; then
 echo "SONARCLOUD_GITHUB is not set, skipping SonarCloud analysis"
 echo "skip=true" >> $GITHUB_OUTPUT
 else
diff --git a/.github/workflows/sync-wiki.yml b/.github/workflows/sync-wiki.yml
index 5ce4498..9b5b359 100644
--- a/.github/workflows/sync-wiki.yml
+++ b/.github/workflows/sync-wiki.yml
@@ -27,6 +27,10 @@ jobs:
 git clone https://github.com/${{ github.repository }}.wiki.git wiki
 - name: Sync wiki content
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_ACTOR: ${{ github.actor }}
+ GITHUB_REPOSITORY: ${{ github.repository }}
 run: |
 # Remove all files from wiki repository except .git
 find wiki -mindepth 1 -maxdepth 1 -not -name '.git' -exec rm -rf {} \;
@@ -50,4 +54,4 @@ jobs:
 git commit -m "Sync wiki from source repository"
 # Push changes
- git push https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.wiki.git
+ git push https://$GITHUB_ACTOR:$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY.wiki.git
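Review bot: The `GITHUB_ACTOR` and `GITHUB_REPOSITORY` entries added to the `env:` block of the sync step duplicate default variables the Actions runner already exports under exactly those names with the same values, so only the `GITHUB_TOKEN` mapping is actually needed and the other two lines can be dropped with `$GITHUB_ACTOR`/`$GITHUB_REPOSITORY` still resolving in the script. Whether a step-level `env:` is allowed to shadow a runner default is not visible from this hunk, but with identical values either outcome is harmless. The clone in the preceding step still expands `${{ github.repository }}` inline; that is a repository-controlled value rather than a secret, though `$GITHUB_REPOSITORY` would work there too and keep both steps in one style.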
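Review bot: The rewritten `git push` line still places the token inside the remote URL, so the secret ends up on git's command line (visible in process listings and, depending on the failure, possibly in git's own diagnostics); the move to `env:` only changes how it gets there. A credential helper that reads the variables when git asks keeps the URL free of credentials: `git -c credential.helper='!f() { echo "username=$GITHUB_ACTOR"; echo "password=$GITHUB_TOKEN"; }; f' push "https://github.com/$GITHUB_REPOSITORY.wiki.git"`. Quoting the URL also matters now that it is assembled from variables. The `run:` block this line belongs to starts outside the hunk.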