fix: move secret expansion from run blocks to env blocks (SonarCloud S7636)

Resolves SonarCloud security hotspots S7636 in three workflow files:
- code-quality.yml: CODACY_PROJECT_TOKEN moved to env block on check step
- sonarcloud.yml: SONARCLOUD_GITHUB moved to env block on check step
- sync-wiki.yml: GITHUB_TOKEN and context vars moved to env block on sync step

Secrets are now passed as environment variables and referenced via $VAR
rather than being expanded inline in run: shell blocks, which prevents
secret values from appearing in workflow logs and resolves the hotspots.

Closes #106

.github/workflows/sonarcloud.yml

@@ -39,8 +39,10 @@ jobs:
 
       - name: Check if SonarCloud token is set
         id: check_token
+        env:
+          SONARCLOUD_GITHUB: ${{ secrets.SONARCLOUD_GITHUB }}
         run: |
-          if [ -z "${{ secrets.SONARCLOUD_GITHUB }}" ]; then
+          if [ -z "$SONARCLOUD_GITHUB" ]; then
             echo "SONARCLOUD_GITHUB is not set, skipping SonarCloud analysis"
             echo "skip=true" >> $GITHUB_OUTPUT
           else