Switch sonar:check to use SONAR_TOKEN from the environment

ArBridgeman · ArBridgeman · commit 1fba24a44f2b · 2025-06-25T13:51:38.000+02:00
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
@@ -36,7 +36,9 @@ jobs:
         run: poetry run -- nox -s project:report -- --format json | tee metrics.json
 
       - name: Upload to sonar
-        run: poetry run -- nox -s sonar:check -- ${{ secrets.SONAR_TOKEN }}
+        env:
+          SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"
+        run: poetry run -- nox -s sonar:check
 
       - name: Upload Artifacts
         uses: actions/upload-artifact@v4.6.2
diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md
@@ -1 +1,4 @@
 # Unreleased
+
+## Security
+* #477: Switched `sonar:check` to use `SONAR_TOKEN` from the environment
diff --git a/exasol/toolbox/nox/_artifacts.py b/exasol/toolbox/nox/_artifacts.py
@@ -1,4 +1,5 @@
 import json
+import os
 import re
 import shutil
 import sqlite3
@@ -208,6 +209,6 @@ def _upload_to_sonar(session: Session, sonar_token: str, config: Config) -> None
 @nox.session(name="sonar:check", python=False)
 def upload_artifacts_to_sonar(session: Session) -> None:
     """Upload artifacts to sonar for analysis"""
-    sonar_token = session.posargs[0]
+    sonar_token = os.getenv("SONAR_TOKEN")
     _prepare_coverage_xml(session, PROJECT_CONFIG.source)
     _upload_to_sonar(session, sonar_token, PROJECT_CONFIG)
diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml
@@ -33,7 +33,9 @@ jobs:
         run: poetry run -- nox -s artifacts:validate
 
       - name: Upload to sonar
-        run: poetry run -- nox -s sonar:check -- ${{ secrets.SONAR_TOKEN }}
+        env:
+          SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"
+        run: poetry run -- nox -s sonar:check
 
       - name: Generate Report
         run: poetry run -- nox -s project:report -- --format json | tee metrics.json
