Recently, SonarQube Cloud rightly complained about the way secrets are passed to the run command when copying and pasting the GitHub Actions workflow for .NET from the SonarQube Cloud "Analyze a project with a GitHub Action" wizard.
The recommended way of passing secrets to a run command is as follows:
```yaml
- name: Build and analyze
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  shell: powershell
  run: |
    ${{ runner.temp }}\scanner\dotnet-sonarscanner begin /k:"SONAR_PROJECT_KEY" /o:"SONAR_ORG_ID" /d:sonar.token="$env:SONAR_TOKEN"
    dotnet build
    ${{ runner.temp }}\scanner\dotnet-sonarscanner end /d:sonar.token="$env:SONAR_TOKEN"
```
Instead of "${{ secrets.SONAR_TOKEN }}", use "$env:SONAR_TOKEN".
Can you please fix / improve this?
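As an added example (not part of the original post or of SonarQube's tooling), here is a small check that flags the pattern the post describes: a `${{ secrets.X }}` expression interpolated directly into a `run:` script instead of being routed through `env:`. The workflow text is constructed for the example and contains both the inlined form and the recommended form from the post.

```python
import re
from typing import List, Tuple

# A `${{ secrets.NAME }}` expression anywhere on a line.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# A `run:` key, optionally as a list item (`- run:`); group 1 is the key's indentation.
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

# Constructed sample: first the wizard-style step that inlines the secret into
# `run`, then the recommended step that passes it via `env` as $env:SONAR_TOKEN.
SAMPLE_WORKFLOW = """\
steps:
  - name: Build and analyze (inlined secret)
    shell: powershell
    run: |
      ${{ runner.temp }}\\scanner\\dotnet-sonarscanner begin /k:"SONAR_PROJECT_KEY" /o:"SONAR_ORG_ID" /d:sonar.token="${{ secrets.SONAR_TOKEN }}"
      dotnet build
      ${{ runner.temp }}\\scanner\\dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"
  - name: Build and analyze (secret via env)
    env:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    shell: powershell
    run: |
      ${{ runner.temp }}\\scanner\\dotnet-sonarscanner begin /k:"SONAR_PROJECT_KEY" /o:"SONAR_ORG_ID" /d:sonar.token="$env:SONAR_TOKEN"
      dotnet build
      ${{ runner.temp }}\\scanner\\dotnet-sonarscanner end /d:sonar.token="$env:SONAR_TOKEN"
"""


def find_inlined_secrets(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, secret_name) for each secrets.* expression that sits
    inside a `run:` script. References under `env:` are not reported."""
    findings: List[Tuple[int, str]] = []
    in_run = False      # currently inside a `run: |` / `run: >` block scalar
    run_indent = -1     # indentation of the `run` key that opened that block
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = RUN_KEY.match(line)
        if m:
            run_indent = len(m.group(1))
            rest = m.group(2).strip()
            if rest in ("|", ">", "|-", ">-", "|+", ">+"):
                in_run = True   # script continues on the following, deeper-indented lines
            else:
                in_run = False  # single-line script: check it right here
                findings += [(lineno, s) for s in SECRET_REF.findall(rest)]
            continue
        if in_run:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= run_indent:
                in_run = False  # dedented back to key level: the run block has ended
            else:
                findings += [(lineno, s) for s in SECRET_REF.findall(line)]
    return findings
```

Running `find_inlined_secrets(SAMPLE_WORKFLOW)` reports only the two lines of the first step; the `env:` reference and the `$env:SONAR_TOKEN` step are clean.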
