Security/477 switch sonar token to env (#478)

* Switch `sonar:check` to use `SONAR_TOKEN` from the environment

* Remove non-ASCII Unicodes in issue / PR templates

* Relock dependencies to resolve vulnerabilities for urllib3

* As env variable not guaranteed, type hint needed to be updated

Author: ArBridgeman

.github/ISSUE_TEMPLATE/blank.md

@@ -1,7 +1,7 @@
 ---
-name: 📝 Blank Issue 
+name: Blank Issue 
 about: Blank Issue
-title: 📝 <Insert Title>
+title: <Insert Title>
 labels: 
 assignees: ''
 

.github/ISSUE_TEMPLATE/documentation.md

@@ -1,7 +1,7 @@
 ---
-name: 📚 Documentation
+name: Documentation
 about: Add/Improve Documentation
-title: 📚 <Insert Title>
+title: <Insert Title>
 labels: documentation
 assignees: ''
 

.github/ISSUE_TEMPLATE/feature.md

@@ -1,7 +1,7 @@
 ---
-name: ✨ Feature
+name: Feature
 about: Add/Implement Feature
-title: ✨ <Insert Title>
+title: <Insert Title>
 labels: feature
 assignees: ''
 

.github/ISSUE_TEMPLATE/refactoring.md

@@ -1,7 +1,7 @@
 ---
-name: 🔧 Refactoring
+name: Refactoring
 about: Refactor
-title: 🔧 <Insert Title>
+title: <Insert Title>
 labels: refactoring
 assignees: ''
 

.github/ISSUE_TEMPLATE/security.md

@@ -1,7 +1,7 @@
 ---
-name: 🔐 Security Issue
+name: Security Issue
 about: Fix Security Issue
-title: 🔐 <Insert Title>
+title: <Insert Title>
 labels: security
 assignees: ''
 

.github/PULL_REQUEST_TEMPLATE/pull_request_template.md

@@ -1,4 +1,4 @@
-# ✔ Checklist
+# Checklist
 
 * [ ] Have you updated the changelog?
 * [ ] Have you updated the cookiecutter-template?

.github/workflows/report.yml

@@ -36,7 +36,9 @@ jobs:
         run: poetry run -- nox -s project:report -- --format json | tee metrics.json
 
       - name: Upload to sonar
-        run: poetry run -- nox -s sonar:check -- ${{ secrets.SONAR_TOKEN }}
+        env:
+          SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"
+        run: poetry run -- nox -s sonar:check
 
       - name: Upload Artifacts
         uses: actions/upload-artifact@v4.6.2

doc/changes/unreleased.md

@@ -1 +1,4 @@
 # Unreleased
+
+## Security
+* #477: Switched `sonar:check` to use `SONAR_TOKEN` from the environment

exasol/toolbox/nox/_artifacts.py

@@ -1,10 +1,12 @@
 import json
+import os
 import re
 import shutil
 import sqlite3
 import sys
 from collections.abc import Iterable
 from pathlib import Path
+from typing import Optional
 
 import nox
 from nox import Session
@@ -186,7 +188,9 @@ def _prepare_coverage_xml(session: Session, source: Path) -> None:
     session.run(*command)
 
 
-def _upload_to_sonar(session: Session, sonar_token: str, config: Config) -> None:
+def _upload_to_sonar(
+    session: Session, sonar_token: Optional[str], config: Config
+) -> None:
     command = [
         "pysonar",
         "--sonar-token",
@@ -208,6 +212,6 @@ def _upload_to_sonar(session: Session, sonar_token: str, config: Config) -> None
 @nox.session(name="sonar:check", python=False)
 def upload_artifacts_to_sonar(session: Session) -> None:
     """Upload artifacts to sonar for analysis"""
-    sonar_token = session.posargs[0]
+    sonar_token = os.getenv("SONAR_TOKEN")
     _prepare_coverage_xml(session, PROJECT_CONFIG.source)
     _upload_to_sonar(session, sonar_token, PROJECT_CONFIG)

exasol/toolbox/templates/github/workflows/report.yml

@@ -33,7 +33,9 @@ jobs:
         run: poetry run -- nox -s artifacts:validate
 
       - name: Upload to sonar
-        run: poetry run -- nox -s sonar:check -- ${{ secrets.SONAR_TOKEN }}
+        env:
+          SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"
+        run: poetry run -- nox -s sonar:check
 
       - name: Generate Report
         run: poetry run -- nox -s project:report -- --format json | tee metrics.json