Resolves SonarCloud security hotspots S7636 in three workflow files:
- code-quality.yml: CODACY_PROJECT_TOKEN moved to env block on check step
- sonarcloud.yml: SONARCLOUD_GITHUB moved to env block on check step
- sync-wiki.yml: GITHUB_TOKEN and context vars moved to env block on sync step
Secrets are now passed as environment variables and referenced via $VAR
rather than being expanded inline in run: shell blocks, which prevents
secret values from appearing in workflow logs and resolves the hotspots.
Closes#106
marcusquinn
523574a93e