Protect GitHub Actions secrets via local environment variables

SteveDesmond-ca · SteveDesmond-ca · commit 6e8d406d6e6a · 2026-02-11T11:23:01.000-05:00
diff --git a/.github/workflows/Sonar.yml b/.github/workflows/Sonar.yml
@@ -30,7 +30,9 @@ jobs:
         run: dotnet restore
 
       - name: Start Sonar Analysis
-        run: dotnet-sonarscanner begin /d:sonar.host.url="https://sonarcloud.io" /d:sonar.login="${{ secrets.SONAR_TOKEN }}" /o:"ecoapm" /k:"ecoAPM_dotnet-libyear" /d:sonar.cs.vstest.reportsPaths="test/**/results.trx" /d:sonar.cs.opencover.reportsPaths="test/**/coverage.opencover.xml"
+        run: dotnet-sonarscanner begin /d:sonar.host.url="https://sonarcloud.io" /d:sonar.login="$SONAR_TOKEN" /o:"ecoapm" /k:"ecoAPM_dotnet-libyear" /d:sonar.cs.vstest.reportsPaths="test/**/results.trx" /d:sonar.cs.opencover.reportsPaths="test/**/coverage.opencover.xml"
+        env:
+          SONAR_TOKEN: ${{secrets.SONAR_TOKEN}}
 
       - name: Build
         run: dotnet build --no-restore
@@ -41,6 +43,7 @@ jobs:
         run: dotnet test --no-build --logger "trx;LogFileName=results.trx" --collect:"XPlat Code Coverage" -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover
 
       - name: Finish Sonar Analysis
-        run: dotnet-sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"
+        run: dotnet-sonarscanner end /d:sonar.login="$SONAR_TOKEN"
         env:
+          SONAR_TOKEN: ${{secrets.SONAR_TOKEN}}
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/nuget.yml b/.github/workflows/nuget.yml
@@ -23,7 +23,9 @@ jobs:
       run: dotnet pack -c Release -p:ContinuousIntegrationBuild=true
 
     - name: Publish app
-      run: dotnet nuget push src/LibYear/bin/Release/LibYear.$(echo ${{ github.ref }} | sed 's/refs\/tags\///').nupkg -k ${{ secrets.NUGET_TOKEN }} -s https://api.nuget.org/v3/index.json
+      run: dotnet nuget push src/LibYear/bin/Release/LibYear.$(echo ${{ github.ref }} | sed 's/refs\/tags\///').nupkg -k $NUGET_TOKEN -s https://api.nuget.org/v3/index.json
+      env:
+        NUGET_TOKEN: ${{secrets.NUGET_TOKEN}}
 
     - name: Publish library
-      run: dotnet nuget push src/LibYear.Core/bin/Release/LibYear.Core.$(echo ${{ github.ref }} | sed 's/refs\/tags\///').nupkg -k ${{ secrets.NUGET_TOKEN }} -s https://api.nuget.org/v3/index.json
+      run: dotnet nuget push src/LibYear.Core/bin/Release/LibYear.Core.$(echo ${{ github.ref }} | sed 's/refs\/tags\///').nupkg -k $NUGET_TOKEN -s https://api.nuget.org/v3/index.json
