fix: move secret expansion from run blocks to env blocks (SonarCloud S7636)

Resolves SonarCloud security hotspots S7636 in three workflow files:
- code-quality.yml: CODACY_PROJECT_TOKEN moved to env block on check step
- sonarcloud.yml: SONARCLOUD_GITHUB moved to env block on check step
- sync-wiki.yml: GITHUB_TOKEN and context vars moved to env block on sync step

Secrets are now passed as environment variables and referenced via $VAR
rather than being expanded inline in run: shell blocks, which prevents
secret values from appearing in workflow logs and resolves the hotspots.

Closes #106

.github/workflows/sync-wiki.yml

@@ -27,6 +27,10 @@ jobs:
           git clone https://github.com/${{ github.repository }}.wiki.git wiki
 
       - name: Sync wiki content
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_ACTOR: ${{ github.actor }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
         run: |
           # Remove all files from wiki repository except .git
           find wiki -mindepth 1 -maxdepth 1 -not -name '.git' -exec rm -rf {} \;
@@ -50,4 +54,4 @@ jobs:
           git commit -m "Sync wiki from source repository"
 
           # Push changes
-          git push https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.wiki.git
+          git push https://$GITHUB_ACTOR:$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY.wiki.git