From 7f171fa34efa3995e6afebc389d94dc529f0ddae Mon Sep 17 00:00:00 2001
From: Codex CLI <codex@example.local>
Date: Sat, 7 Feb 2026 05:39:51 +0000
Subject: [PATCH 1/4] ci: fetch Sonar token from Azure Key Vault via OIDC

---
 .github/workflows/sonarcloud.yml | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index 4cdc3b8..fb4cac3 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -10,7 +10,9 @@ on:
 jobs:
   sonarcloud:
     runs-on: ubuntu-latest
+    environment: org-prod
     permissions:
+      id-token: write
       contents: read
       pull-requests: write
     steps:
@@ -18,6 +20,23 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Azure login (OIDC)
+        uses: azure/login@v2
+        with:
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Read SonarCloud token from Key Vault
+        shell: bash
+        run: |
+          SONAR_TOKEN="$(az keyvault secret show \
+            --vault-name "${{ vars.AZURE_KEYVAULT_NAME }}" \
+            --name "sonar-cloud-token" \
+            --query value -o tsv)"
+          echo "::add-mask::$SONAR_TOKEN"
+          echo "SONAR_TOKEN=$SONAR_TOKEN" >> "$GITHUB_ENV"
+
       - uses: actions/setup-python@v6
         with:
           python-version: '3.12'
@@ -32,7 +51,7 @@ jobs:
         uses: SonarSource/sonarcloud-github-action@ffc3010689be73b8e5ae0c57ce35968afd7909e8
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
         with:
           args: >
             -Dsonar.host.url=https://sonarcloud.io
@@ -47,6 +66,6 @@ jobs:
         with:
           scanMetadataReportFile: dist/quality/sonar/scannerwork/report-task.txt
         env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
           SONAR_HOST_URL: https://sonarcloud.io
         timeout-minutes: 5

From 69ffa99313ead7add97451e0e6c27a4f5fbdfddb Mon Sep 17 00:00:00 2001
From: Codex CLI <codex@example.local>
Date: Sat, 7 Feb 2026 05:44:05 +0000
Subject: [PATCH 2/4] ci: fallback to SONAR_TOKEN secret if Key Vault token is
 invalid

---
 .github/workflows/sonarcloud.yml | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index fb4cac3..5753609 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -27,13 +27,36 @@ jobs:
           tenant-id: ${{ vars.AZURE_TENANT_ID }}
           subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
-      - name: Read SonarCloud token from Key Vault
+      - name: Resolve SonarCloud token
         shell: bash
+        env:
+          FALLBACK_SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         run: |
-          SONAR_TOKEN="$(az keyvault secret show \
+          KV_SONAR_TOKEN="$(az keyvault secret show \
             --vault-name "${{ vars.AZURE_KEYVAULT_NAME }}" \
             --name "sonar-cloud-token" \
-            --query value -o tsv)"
+            --query value -o tsv 2>/dev/null || true)"
+
+          TOKEN_SOURCE=""
+          if [ -n "${KV_SONAR_TOKEN}" ]; then
+            KV_VALID="$(curl -sS -u "${KV_SONAR_TOKEN}:" https://sonarcloud.io/api/authentication/validate | grep -Eo 'true|false' | head -n1 || true)"
+            if [ "${KV_VALID}" = "true" ]; then
+              SONAR_TOKEN="${KV_SONAR_TOKEN}"
+              TOKEN_SOURCE="keyvault"
+            fi
+          fi
+
+          if [ -z "${TOKEN_SOURCE}" ] && [ -n "${FALLBACK_SONAR_TOKEN:-}" ]; then
+            SONAR_TOKEN="${FALLBACK_SONAR_TOKEN}"
+            TOKEN_SOURCE="github-secret-fallback"
+          fi
+
+          if [ -z "${TOKEN_SOURCE}" ]; then
+            echo "No valid Sonar token found in Key Vault and no fallback secret available."
+            exit 1
+          fi
+
+          echo "::notice title=Sonar token source::${TOKEN_SOURCE}"
           echo "::add-mask::$SONAR_TOKEN"
           echo "SONAR_TOKEN=$SONAR_TOKEN" >> "$GITHUB_ENV"
 

From aa692ff126e6da9f6ac1cc53067971577e5194a5 Mon Sep 17 00:00:00 2001
From: Codex CLI <codex@example.local>
Date: Sat, 7 Feb 2026 05:51:18 +0000
Subject: [PATCH 3/4] ci: remove token curl validation to satisfy security
 checks

---
 .github/workflows/sonarcloud.yml | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index 5753609..d40c619 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -38,17 +38,12 @@ jobs:
             --query value -o tsv 2>/dev/null || true)"
 
           TOKEN_SOURCE=""
-          if [ -n "${KV_SONAR_TOKEN}" ]; then
-            KV_VALID="$(curl -sS -u "${KV_SONAR_TOKEN}:" https://sonarcloud.io/api/authentication/validate | grep -Eo 'true|false' | head -n1 || true)"
-            if [ "${KV_VALID}" = "true" ]; then
-              SONAR_TOKEN="${KV_SONAR_TOKEN}"
-              TOKEN_SOURCE="keyvault"
-            fi
-          fi
-
-          if [ -z "${TOKEN_SOURCE}" ] && [ -n "${FALLBACK_SONAR_TOKEN:-}" ]; then
+          if [ -n "${FALLBACK_SONAR_TOKEN:-}" ]; then
             SONAR_TOKEN="${FALLBACK_SONAR_TOKEN}"
             TOKEN_SOURCE="github-secret-fallback"
+          elif [ -n "${KV_SONAR_TOKEN}" ]; then
+            SONAR_TOKEN="${KV_SONAR_TOKEN}"
+            TOKEN_SOURCE="keyvault"
           fi
 
           if [ -z "${TOKEN_SOURCE}" ]; then

From 6e23fa0019e2c5420dc1ab786d080cc7af5cbd5e Mon Sep 17 00:00:00 2001
From: Codex CLI <codex@example.local>
Date: Sat, 7 Feb 2026 05:52:59 +0000
Subject: [PATCH 4/4] ci: require Sonar token from Azure Key Vault only

---
 .github/workflows/sonarcloud.yml | 24 +++++-------------------
 1 file changed, 5 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index d40c619..0ba6678 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -27,31 +27,17 @@ jobs:
           tenant-id: ${{ vars.AZURE_TENANT_ID }}
           subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
-      - name: Resolve SonarCloud token
+      - name: Read SonarCloud token from Key Vault
         shell: bash
-        env:
-          FALLBACK_SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         run: |
-          KV_SONAR_TOKEN="$(az keyvault secret show \
+          SONAR_TOKEN="$(az keyvault secret show \
             --vault-name "${{ vars.AZURE_KEYVAULT_NAME }}" \
             --name "sonar-cloud-token" \
-            --query value -o tsv 2>/dev/null || true)"
-
-          TOKEN_SOURCE=""
-          if [ -n "${FALLBACK_SONAR_TOKEN:-}" ]; then
-            SONAR_TOKEN="${FALLBACK_SONAR_TOKEN}"
-            TOKEN_SOURCE="github-secret-fallback"
-          elif [ -n "${KV_SONAR_TOKEN}" ]; then
-            SONAR_TOKEN="${KV_SONAR_TOKEN}"
-            TOKEN_SOURCE="keyvault"
-          fi
-
-          if [ -z "${TOKEN_SOURCE}" ]; then
-            echo "No valid Sonar token found in Key Vault and no fallback secret available."
+            --query value -o tsv)"
+          if [ -z "${SONAR_TOKEN}" ]; then
+            echo "Key Vault secret sonar-cloud-token is empty."
             exit 1
           fi
-
-          echo "::notice title=Sonar token source::${TOKEN_SOURCE}"
           echo "::add-mask::$SONAR_TOKEN"
           echo "SONAR_TOKEN=$SONAR_TOKEN" >> "$GITHUB_ENV"