I’m onboarding SonarCloud code coverage for my GitHub Actions-powered .NET project and exposing GITHUB_TOKEN and SONAR_TOKEN as environment variables to the entire build process makes me worried.

env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

I searched for the GITHUB_TOKEN and SONAR_TOKEN strings in the sonar-scanner-msbuild repo and they only showed up in non-code files. Does that mean that these environment variables are unused and that I can just not use them?