ci: guard Sonar secrets on trusted PRs only

Mehdi-Bl · Mehdi-Bl · commit c25f203452b9 · 2026-02-07T17:50:12.000Z
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
@@ -38,7 +38,7 @@ jobs:
 
       - name: Azure login (OIDC)
         if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.fork == false && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)) }}
-        uses: azure/login@v2
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5
         with:
           client-id: ${{ vars.AZURE_CLIENT_ID }}
           tenant-id: ${{ vars.AZURE_TENANT_ID }}
@@ -49,6 +49,7 @@ jobs:
         id: sonar_token
         shell: bash
         run: |
+          set -euo pipefail
           SONAR_TOKEN="$(az keyvault secret show \
             --vault-name "${{ vars.AZURE_KEYVAULT_NAME }}" \
             --name "sonar-cloud-token" \
