fallintoplace opened a new pull request, #18362:
URL: https://github.com/apache/dolphinscheduler/pull/18362
## Purpose
`unit-test.yml` currently passes the SonarCloud token as a literal Maven
property. This PR reads the token from `secrets.SONAR_TOKEN` instead.
## Changes
- Add an explicit SonarCloud token preflight check.
- Fail trusted runs when `SONAR_TOKEN` is missing.
- Skip SonarCloud analysis for fork pull requests, where repository secrets
are intentionally unavailable.
- Pass the token to Maven through the step environment instead of committing
the value in the workflow.
I checked history and the literal value appears in older workflow revisions
too, so maintainers should rotate/revoke the exposed SonarCloud token and
decide separately whether any history cleanup or disclosure process is needed.
## Validation
- `go run github.com/rhysd/actionlint/cmd/actionlint@latest
.github/workflows/unit-test.yml`
- `ruby -e 'require "yaml";
YAML.load_file(".github/workflows/unit-test.yml"); puts "YAML OK"'`
- `git diff --check -- .github/workflows/unit-test.yml`
- scanned the repo for remaining hardcoded `sonar.login` / `sonar.token`
literals
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]