From 8cf1d263d15d7745027e70c38629bec483679214 Mon Sep 17 00:00:00 2001
From: Tim Hess
Date: Thu, 28 May 2026 17:04:03 -0500
Subject: [PATCH] Address Sonar complaints

- Move secrets from GHA template expressions into native shell variables - use double quotes so bash var expansion can work
- Add SRI integrity hash to the Bootstrap CSS CDN link in _Layout.cshtml.
---
 .github/workflows/package.yml | 11 ++++++++---
 .github/workflows/sonarcube.yml | 4 ++--
 .../RazorPagesTestWebApp/Pages/Shared/_Layout.cshtml | 2 +-
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 39dad17f94..91e4dbf21a 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -162,13 +162,16 @@ jobs:
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
 - name: Sign packages
+ env:
+ AZURE_KEY_VAULT_URL: ${{ secrets.AZURE_KEY_VAULT_URL }}
+ AZURE_SIGN_CERTIFICATE_ID: ${{ secrets.AZURE_SIGN_CERTIFICATE_ID }}
 run: >-
 sign code azure-key-vault '**/*.nupkg'
 --base-directory '${{ github.workspace }}/packages'
 --azure-key-vault-managed-identity true
 --azure-credential-type 'azure-cli'
- --azure-key-vault-url '${{ secrets.AZURE_KEY_VAULT_URL }}'
- --azure-key-vault-certificate '${{ secrets.AZURE_SIGN_CERTIFICATE_ID }}'
+ --azure-key-vault-url "$AZURE_KEY_VAULT_URL"
+ --azure-key-vault-certificate "$AZURE_SIGN_CERTIFICATE_ID"
 --publisher-name 'Steeltoe'
 --description 'Steeltoe'
 --description-url 'https://steeltoe.io/'
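Review bot: The new `--azure-key-vault-url "$AZURE_KEY_VAULT_URL"` and `--azure-key-vault-certificate "$AZURE_SIGN_CERTIFICATE_ID"` lines only expand as environment variables under a POSIX shell; under the pwsh default that a Windows runner would use, `$AZURE_KEY_VAULT_URL` is an undefined PowerShell variable and the sign command would run with empty arguments. The step declares no `shell:` and the job's `runs-on` is outside the hunk, so I cannot confirm which shell applies from here; adding `shell: bash` to the step pins the assumption the commit message relies on. The same applies to the Push packages step in the next hunk and to both sonarscanner steps in sonarcube.yml. Moving the secrets into a step-level `env:` rather than the run text is the right direction: the rendered script no longer contains the values and they stay scoped to the one step that needs them.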
@@ -249,7 +252,9 @@ jobs:
 path: packages
 
 - name: Push packages to nuget.org
- run: dotnet nuget push '${{ github.workspace }}/packages/*.nupkg' --skip-duplicate --api-key '${{ secrets.STEELTOE_NUGET_API_KEY }}' --source 'nuget.org'
+ env:
+ STEELTOE_NUGET_API_KEY: ${{ secrets.STEELTOE_NUGET_API_KEY }}
+ run: dotnet nuget push '${{ github.workspace }}/packages/*.nupkg' --skip-duplicate --api-key "$STEELTOE_NUGET_API_KEY" --source 'nuget.org'
 
 open_pr:
 name: Open pull request to bump Steeltoe version after stable release
diff --git a/.github/workflows/sonarcube.yml b/.github/workflows/sonarcube.yml
index cf7f52bc8c..38f397559f 100644
--- a/.github/workflows/sonarcube.yml
+++ b/.github/workflows/sonarcube.yml
@@ -87,7 +87,7 @@ jobs:
 env:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 run: >-
- dotnet sonarscanner begin /k:"SteeltoeOSS_steeltoe" /o:"steeltoeoss" /d:sonar.token="${{ secrets.SONAR_TOKEN }}"
+ dotnet sonarscanner begin /k:"SteeltoeOSS_steeltoe" /o:"steeltoeoss" /d:sonar.token="$SONAR_TOKEN"
 /d:sonar.host.url="https://sonarcloud.io" /d:sonar.cs.opencover.reportsPaths=**/coverage.opencover.xml
 - name: Restore packages
@@ -106,4 +106,4 @@ jobs:
 if: ${{ !cancelled() && steps.sonar_begin.outcome == 'success' }}
 env:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- run: dotnet sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"
+ run: dotnet sonarscanner end /d:sonar.token="$SONAR_TOKEN"
diff --git a/src/Management/test/RazorPagesTestWebApp/Pages/Shared/_Layout.cshtml b/src/Management/test/RazorPagesTestWebApp/Pages/Shared/_Layout.cshtml
index 4748f9de45..d46fa4ccc7 100644
--- a/src/Management/test/RazorPagesTestWebApp/Pages/Shared/_Layout.cshtml
+++ b/src/Management/test/RazorPagesTestWebApp/Pages/Shared/_Layout.cshtml
@@ -4,7 +4,7 @@ @ViewData["Title"] - Steeltoe.Management.Endpoint.RazorPagesTestWebApp - +
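Review bot: The rewritten `run:` for the Push packages step keeps the whole `dotnet nuget push` command on one line of roughly 160 characters, while the Sign packages step in the previous hunk spreads an equivalent command over a `>-` folded scalar with one option per line. Writing this step the same way keeps the workflow file consistent and makes future changes to a single option (such as the `--api-key` rewrite this commit makes) show up as a one-line diff. Behaviour is unchanged since the folded scalar joins the lines with single spaces before the shell sees them.
```yaml
      run: >-
        dotnet nuget push '${{ github.workspace }}/packages/*.nupkg'
        --skip-duplicate
        --api-key "$STEELTOE_NUGET_API_KEY"
        --source 'nuget.org'
```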
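Review bot: `SONAR_TOKEN` is already exported to the step through the existing `env:` block, yet the new `begin` line still copies it onto the command line as `/d:sonar.token="$SONAR_TOKEN"`, and the `end` step in the following hunk does the same; a value passed in argv is readable by other processes on the runner and can surface in argument-parsing errors, whereas a value read from the environment is not. If the sonarscanner version this workflow installs picks up the `SONAR_TOKEN` environment variable on its own (I cannot confirm the version from the hunk), the `/d:sonar.token=` argument can be dropped from both steps so the secret never leaves the environment. Otherwise the current form is the best available, and the step-level `env:` already limits the token to these two steps.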