From 1f3b6637d08b61913f8ae0c95d21720097711fcf Mon Sep 17 00:00:00 2001
From: Oliver Wolff <23139298+cuioss@users.noreply.github.com>
Date: Tue, 3 Feb 2026 09:47:52 +0100
Subject: [PATCH] fix: replace secrets:inherit with explicit secret references

Replace `secrets: inherit` with explicit secret lists per workflow to satisfy SonarCloud rule githubactions:S7635 (least privilege).

- maven.yml: pass only SONAR_TOKEN, OSS_SONATYPE_*, GPG_*
- release.yml: pass only RELEASE_APP_*, OSS_SONATYPE_*, GPG_*, PAGES_DEPLOY_TOKEN
- dependency-review.yml: remove secrets (uses none)
- scorecards.yml: remove secrets (uses none)

Co-Authored-By: Claude Opus 4.5
---
 .github/workflows/dependency-review.yml | 1 -
 .github/workflows/maven.yml | 7 ++++++-
 .github/workflows/release.yml | 9 ++++++++-
 .github/workflows/scorecards.yml | 1 -
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 468834f..957ad7c 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -14,4 +14,3 @@ jobs:
 permissions:
 contents: read
 pull-requests: write
- secrets: inherit
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index de106b2..722f44d 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -15,4 +15,9 @@ jobs:
 # This prevents duplicate runs: push handles internal branches, PR handles forks
 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
 uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-build.yml@9ce5ba83776bab80eeffb695f7374e334cf6bd9f # v0.2.0
- secrets: inherit
+ secrets:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ OSS_SONATYPE_USERNAME: ${{ secrets.OSS_SONATYPE_USERNAME }}
+ OSS_SONATYPE_PASSWORD: ${{ secrets.OSS_SONATYPE_PASSWORD }}
+ GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+ GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c32f904..66cf892 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,4 +16,11 @@ jobs:
 release:
 if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
 uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-release.yml@9ce5ba83776bab80eeffb695f7374e334cf6bd9f # v0.2.0
- secrets: inherit
+ secrets:
+ RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }}
+ RELEASE_APP_PRIVATE_KEY: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+ OSS_SONATYPE_USERNAME: ${{ secrets.OSS_SONATYPE_USERNAME }}
+ OSS_SONATYPE_PASSWORD: ${{ secrets.OSS_SONATYPE_PASSWORD }}
+ GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+ GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+ PAGES_DEPLOY_TOKEN: ${{ secrets.PAGES_DEPLOY_TOKEN }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 927605e..ce7fc32 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -22,4 +22,3 @@ jobs:
 issues: read
 pull-requests: read
 checks: read
- secrets: inherit
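Review bot: The explicit `secrets:` list added under `uses:` in the maven.yml hunk (and likewise in the release.yml hunk) is now tightly coupled to what the callee declares under `on.workflow_call.secrets` at the pinned ref 9ce5ba8…, and nothing in the patch shows that declaration: passing a name the callee does not declare, or omitting one it marks `required: true`, is rejected when the workflow is validated rather than surfacing as a runtime failure, so the list should be cross-checked against both reusable workflows at that SHA before merge. Because a future bump of the `# v0.2.0` pin can change the callee's declared set, a comment above each block such as `# Must match on.workflow_call.secrets of the callee at the pinned ref; re-verify when bumping` would keep that coupling visible. Note also that the `if:` on the maven job deliberately admits fork pull requests, and on `pull_request` events GitHub supplies empty values for repository secrets, so SONAR_TOKEN, OSS_SONATYPE_* and GPG_* arrive empty on those runs; that was already true under `secrets: inherit`, but the explicit list makes it worth confirming the callee degrades gracefully when they are blank. The job ids and the enclosing `jobs:` mapping start above both hunks.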