ci: require Sonar token from Azure Key Vault only

Codex CLI · Codex CLI · commit 6e23fa0019e2 · 2026-02-07T05:52:59.000Z
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
@@ -27,31 +27,17 @@ jobs:
           tenant-id: ${{ vars.AZURE_TENANT_ID }}
           subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
-      - name: Resolve SonarCloud token
+      - name: Read SonarCloud token from Key Vault
         shell: bash
-        env:
-          FALLBACK_SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         run: |
-          KV_SONAR_TOKEN="$(az keyvault secret show \
+          SONAR_TOKEN="$(az keyvault secret show \
             --vault-name "${{ vars.AZURE_KEYVAULT_NAME }}" \
             --name "sonar-cloud-token" \
-            --query value -o tsv 2>/dev/null || true)"
-
-          TOKEN_SOURCE=""
-          if [ -n "${FALLBACK_SONAR_TOKEN:-}" ]; then
-            SONAR_TOKEN="${FALLBACK_SONAR_TOKEN}"
-            TOKEN_SOURCE="github-secret-fallback"
-          elif [ -n "${KV_SONAR_TOKEN}" ]; then
-            SONAR_TOKEN="${KV_SONAR_TOKEN}"
-            TOKEN_SOURCE="keyvault"
-          fi
-
-          if [ -z "${TOKEN_SOURCE}" ]; then
-            echo "No valid Sonar token found in Key Vault and no fallback secret available."
+            --query value -o tsv)"
+          if [ -z "${SONAR_TOKEN}" ]; then
+            echo "Key Vault secret sonar-cloud-token is empty."
             exit 1
           fi
-
-          echo "::notice title=Sonar token source::${TOKEN_SOURCE}"
           echo "::add-mask::$SONAR_TOKEN"
           echo "SONAR_TOKEN=$SONAR_TOKEN" >> "$GITHUB_ENV"
 
