exasol · ArBridgeman · Jun 25, 2025 · Jun 25, 2025 · Jun 25, 2025 · Jun 25, 2025
diff --git a/.github/ISSUE_TEMPLATE/blank.md b/.github/ISSUE_TEMPLATE/blank.md
@@ -1,7 +1,7 @@
 ---
-name: 📝 Blank Issue 
+name: Blank Issue 
 about: Blank Issue
-title: 📝 <Insert Title>
+title: <Insert Title>
 labels: 
 assignees: ''
 

diff --git a/.github/ISSUE_TEMPLATE/documentation.md b/.github/ISSUE_TEMPLATE/documentation.md
@@ -1,7 +1,7 @@
 ---
-name: 📚 Documentation
+name: Documentation
 about: Add/Improve Documentation
-title: 📚 <Insert Title>
+title: <Insert Title>
 labels: documentation
 assignees: ''
 

diff --git a/.github/ISSUE_TEMPLATE/feature.md b/.github/ISSUE_TEMPLATE/feature.md
@@ -1,7 +1,7 @@
 ---
-name: ✨ Feature
+name: Feature
 about: Add/Implement Feature
-title: ✨ <Insert Title>
+title: <Insert Title>
 labels: feature
 assignees: ''
 

diff --git a/.github/ISSUE_TEMPLATE/refactoring.md b/.github/ISSUE_TEMPLATE/refactoring.md
@@ -1,7 +1,7 @@
 ---
-name: 🔧 Refactoring
+name: Refactoring
 about: Refactor
-title: 🔧 <Insert Title>
+title: <Insert Title>
 labels: refactoring
 assignees: ''
 

diff --git a/.github/ISSUE_TEMPLATE/security.md b/.github/ISSUE_TEMPLATE/security.md
@@ -1,7 +1,7 @@
 ---
-name: 🔐 Security Issue
+name: Security Issue
 about: Fix Security Issue
-title: 🔐 <Insert Title>
+title: <Insert Title>
 labels: security
 assignees: ''
 

diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md
@@ -1,4 +1,4 @@
-# ✔ Checklist
+# Checklist
 
 * [ ] Have you updated the changelog?
 * [ ] Have you updated the cookiecutter-template?

diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
@@ -36,7 +36,9 @@ jobs:
         run: poetry run -- nox -s project:report -- --format json | tee metrics.json
 
       - name: Upload to sonar
-        run: poetry run -- nox -s sonar:check -- ${{ secrets.SONAR_TOKEN }}
+        env:
+          SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"
+        run: poetry run -- nox -s sonar:check
 
       - name: Upload Artifacts
         uses: actions/upload-artifact@v4.6.2

diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md
@@ -1 +1,4 @@
 # Unreleased
+
+## Security
+* #477: Switched `sonar:check` to use `SONAR_TOKEN` from the environment
diff --git a/exasol/toolbox/nox/_artifacts.py b/exasol/toolbox/nox/_artifacts.py
@@ -1,10 +1,12 @@
 import json
+import os
 import re
 import shutil
 import sqlite3
 import sys
 from collections.abc import Iterable
 from pathlib import Path
+from typing import Optional
 
 import nox
 from nox import Session
@@ -186,7 +188,9 @@ def _prepare_coverage_xml(session: Session, source: Path) -> None:
     session.run(*command)
 
 
-def _upload_to_sonar(session: Session, sonar_token: str, config: Config) -> None:
+def _upload_to_sonar(
+    session: Session, sonar_token: Optional[str], config: Config
+) -> None:
     command = [
         "pysonar",
         "--sonar-token",
@@ -208,6 +212,6 @@ def _upload_to_sonar(session: Session, sonar_token: str, config: Config) -> None
 @nox.session(name="sonar:check", python=False)
 def upload_artifacts_to_sonar(session: Session) -> None:
     """Upload artifacts to sonar for analysis"""
-    sonar_token = session.posargs[0]
+    sonar_token = os.getenv("SONAR_TOKEN")
     _prepare_coverage_xml(session, PROJECT_CONFIG.source)
     _upload_to_sonar(session, sonar_token, PROJECT_CONFIG)
diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml
@@ -33,7 +33,9 @@ jobs:
         run: poetry run -- nox -s artifacts:validate
 
       - name: Upload to sonar
-        run: poetry run -- nox -s sonar:check -- ${{ secrets.SONAR_TOKEN }}
+        env:
+          SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"
+        run: poetry run -- nox -s sonar:check
 
       - name: Generate Report
         run: poetry run -- nox -s project:report -- --format json | tee metrics.json

diff --git a/poetry.lock b/poetry.lock