ci: Only give build-steps the secrets it needs

Signed-off-by: Larry Gritz <[email protected]>

Author: lgritz

.github/workflows/analysis.yml

@@ -51,8 +51,10 @@ jobs:
     # account credentials.
     if: github.repository == 'AcademySoftwareFoundation/OpenImageIO'
     uses: ./.github/workflows/build-steps.yml
-    # Must let the called steps workflow inherit our secrets
-    secrets: inherit
+    # Must let the called steps workflow inherit necessary secrets
+    secrets:
+      - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
     with:
       nametag: ${{ matrix.nametag || 'unnamed!' }}
       runner: ${{ matrix.runner || 'ubuntu-latest' }}

.github/workflows/build-steps.yml

@@ -64,6 +64,9 @@ on:
         type: string
       nametag:
         type: string
+    secrets:
+        - GITHUB_TOKEN
+        - SONAR_TOKEN
 
 permissions: read-all