ci: scope Sonar token to scan steps after tests

Author: Mehdi-Bl

.github/workflows/sonarcloud.yml

@@ -20,6 +20,16 @@ jobs:
         with:
           fetch-depth: 0
 
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'
+
+      - name: Install dependencies
+        run: make install-dev
+
+      - name: Run tests with coverage
+        run: make coverage-sonar
+
       - name: Azure login (OIDC)
         uses: azure/login@v2
         with:
@@ -28,6 +38,7 @@ jobs:
           subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
       - name: Read SonarCloud token from Key Vault
+        id: sonar_token
         shell: bash
         run: |
           SONAR_TOKEN="$(az keyvault secret show \
@@ -39,23 +50,13 @@ jobs:
             exit 1
           fi
           echo "::add-mask::$SONAR_TOKEN"
-          echo "SONAR_TOKEN=$SONAR_TOKEN" >> "$GITHUB_ENV"
-
-      - uses: actions/setup-python@v6
-        with:
-          python-version: '3.12'
-
-      - name: Install dependencies
-        run: make install-dev
-
-      - name: Run tests with coverage
-        run: make coverage-sonar
+          echo "value=$SONAR_TOKEN" >> "$GITHUB_OUTPUT"
 
       - name: SonarCloud scan
         uses: SonarSource/sonarcloud-github-action@ffc3010689be73b8e5ae0c57ce35968afd7909e8
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ steps.sonar_token.outputs.value }}
         with:
           args: >
             -Dsonar.host.url=https://sonarcloud.io
@@ -70,6 +71,6 @@ jobs:
         with:
           scanMetadataReportFile: dist/quality/sonar/scannerwork/report-task.txt
         env:
-          SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ steps.sonar_token.outputs.value }}
           SONAR_HOST_URL: https://sonarcloud.io
         timeout-minutes: 5