fix: move secret expansion from run blocks to env blocks (SonarCloud S7636)

Resolves SonarCloud security hotspots S7636 in three workflow files:
- code-quality.yml: CODACY_PROJECT_TOKEN moved to env block on check step
- sonarcloud.yml: SONARCLOUD_GITHUB moved to env block on check step
- sync-wiki.yml: GITHUB_TOKEN and context vars moved to env block on sync step

Secrets are now passed as environment variables and referenced via $VAR
rather than being expanded inline in run: shell blocks, which prevents
secret values from appearing in workflow logs and resolves the hotspots.

Closes #106

.github/workflows/sync-wiki.yml

@@ -23,16 +23,14 @@ jobs:
           git config --global user.email "actions@github.com"
 
       - name: Clone wiki repository
-        env:
-          GH_REPOSITORY: ${{ github.repository }}
         run: |
-          git clone "https://github.com/${GH_REPOSITORY}.wiki.git" wiki
+          git clone https://github.com/${{ github.repository }}.wiki.git wiki
 
       - name: Sync wiki content
         env:
-          GH_ACTOR: ${{ github.actor }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GH_REPOSITORY: ${{ github.repository }}
+          GITHUB_ACTOR: ${{ github.actor }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
         run: |
           # Remove all files from wiki repository except .git
           find wiki -mindepth 1 -maxdepth 1 -not -name '.git' -exec rm -rf {} \;
@@ -56,4 +54,4 @@ jobs:
           git commit -m "Sync wiki from source repository"
 
           # Push changes
-          git push "https://${GH_ACTOR}:${GH_TOKEN}@github.com/${GH_REPOSITORY}.wiki.git"
+          git push https://$GITHUB_ACTOR:$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY.wiki.git