From e48f3a1ab4c867e455b6c7ff617c867a36d8492a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 19 Mar 2026 14:09:48 +0000
Subject: [PATCH 1/2] build(deps): bump azure/login from 2.3.0 to 3.0.0

Bumps [azure/login](https://github.com/azure/login) from 2.3.0 to 3.0.0.
- [Release notes](https://github.com/azure/login/releases)
- [Commits](https://github.com/azure/login/compare/a457da9ea143d694b1b9c7c869ebb04ebe844ef5...532459ea530d8321f2fb9bb10d1e0bcf23869a43)

---
updated-dependencies:
- dependency-name: azure/login
dependency-version: 3.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot]
---
.github/workflows/sonarcloud.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index 114e07b..21d07d8 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -39,7 +39,7 @@ jobs:
 - name: Azure login (OIDC)
 if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.fork == false && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)) }}
- uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5
+ uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43
 with:
 client-id: ${{ vars.AZURE_CLIENT_ID }}
 tenant-id: ${{ vars.AZURE_TENANT_ID }}

From fb8dbb5cd9466a5ece367422fba6d8e84c79a759 Mon Sep 17 00:00:00 2001
From: Mehdi
Date: Sat, 21 Mar 2026 05:00:17 +0000
Subject: [PATCH 2/2] ci: harden sonarcloud workflow

---
.github/workflows/sonarcloud.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index 21d07d8..3e37b10 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -20,6 +20,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
@@ -48,11 +49,13 @@ jobs:
 - name: Read SonarCloud token from Key Vault
 if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.fork == false && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)) }}
 id: sonar_token
+ env:
+ AZURE_KEYVAULT_NAME: ${{ vars.AZURE_KEYVAULT_NAME }}
 shell: bash
 run: |
 set -euo pipefail
 SONAR_TOKEN="$(az keyvault secret show \
- --vault-name "${{ vars.AZURE_KEYVAULT_NAME }}" \
+ --vault-name "$AZURE_KEYVAULT_NAME" \
 --name "sonar-cloud-token" \
 --query value -o tsv)"
 if [ -z "${SONAR_TOKEN}" ]; then
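Review bot: The new `persist-credentials: false` line carries no comment saying why it is there, and a future maintainer who sees a later step fail on git authentication will be tempted to drop it. I would annotate it, e.g. `# keep GITHUB_TOKEN out of .git/config so later steps (and anything they run) cannot reuse it`, and add that any step needing git push auth must pass a token explicitly. Note that `fetch-depth: 0` still pulls the full history, which is what the Sonar scanner normally wants, so the two settings are compatible.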
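Review bot: Moving the vault name into `env` correctly removes the `${{ }}` interpolation from the script body, but the secret read into `SONAR_TOKEN` is not masked anywhere in this hunk; if the tail of the step (outside the hunk, after `if [ -z "${SONAR_TOKEN}" ]; then`) writes it to `GITHUB_OUTPUT` or `GITHUB_ENV`, it should first run `echo "::add-mask::${SONAR_TOKEN}"` so the value never appears in step logs. Since `AZURE_KEYVAULT_NAME` comes from `vars.*` rather than `secrets.*`, it is expected to be visible in logs, so keeping it in `env` is fine, and quoting `"$AZURE_KEYVAULT_NAME"` in the `--vault-name` argument is correct under `set -u`. The long `if:` expression is now duplicated verbatim on this step and on the Azure login step above; consider computing it once (a job-level `if:` if the whole job should be gated, otherwise a single boolean step output) so the two gates cannot drift apart. The `run:` block continues past the end of the hunk.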