exasol · ArBridgeman · Jun 2, 2026 · Jun 2, 2026 · Jun 2, 2026 · Jun 2, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md
@@ -5,6 +5,7 @@
 ## Feature
 
 * #854: Added `workflow_dispatch` for `periodic-validation.yml`
+* #827: Modified `report.yml` to allow overriding the Sonar secret name via `BaseConfig`
 
 ## Refactoring
 

diff --git a/doc/user_guide/features/github_workflows/github_project_configuration.rst b/doc/user_guide/features/github_workflows/github_project_configuration.rst
@@ -48,5 +48,8 @@ map it to *environment variables* that are used by your CI/CD automation.
   `Python Package Index <pypi_>`_ (PyPi). Most projects will use the
   org-secret.
 * **SONAR_TOKEN**: See :ref:`Sonar Configuration <sonar_configuration>`.
+  If your repository uses a different secret name, override
+  :py:attr:`exasol.toolbox.config.BaseConfig.sonar_token_name` in your project
+  configuration.
 
 .. _pypi: https://pypi.org/
diff --git a/exasol/toolbox/config.py b/exasol/toolbox/config.py
@@ -200,6 +200,17 @@ class BaseConfig(BaseModel):
         are supported.
         """,
     )
+
+    @computed_field  # type: ignore[misc]
+    @property
+    def sonar_token_name(self) -> str:
+        """
+        GitHub secret name used by the Sonar step in `report.yml`.
+
+        Projects can override this property if they use a different secret name.
+        """
+        return "SONAR_TOKEN"
+
     model_config = ConfigDict(frozen=True, arbitrary_types_allowed=True)
 
     @computed_field  # type: ignore[misc]
@@ -300,6 +311,7 @@ def github_template_dict(self) -> dict[str, Any]:
             "minimum_python_version": self.minimum_python_version,
             "os_version": self.os_version,
             "python_versions": self.python_versions,
+            "sonar_token_name": self.sonar_token_name,
             "workflow_header": f"{WORKFLOW_HEADER_PREFIX}{__version__}.",
             "workflow_extension": {
                 "fast_tests": fast_tests_extension.is_file(),

diff --git a/exasol/toolbox/templates/github/workflows/ci.yml b/exasol/toolbox/templates/github/workflows/ci.yml
@@ -23,6 +23,7 @@ jobs:
       needs.merge-gate.result != 'skipped' &&
       needs.merge-gate.result != 'cancelled'
     uses: ./.github/workflows/report.yml
-    secrets: inherit
+    secrets:
+      (( sonar_token_name )): ${{ secrets.(( sonar_token_name )) }}
     permissions:
       contents: read
diff --git a/exasol/toolbox/templates/github/workflows/merge-gate.yml b/exasol/toolbox/templates/github/workflows/merge-gate.yml
@@ -24,7 +24,7 @@ jobs:
       - run-fast-tests
     uses: ./.github/workflows/report.yml
     secrets:
-      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      (( sonar_token_name )): ${{ secrets.(( sonar_token_name )) }}
     permissions:
       contents: read
 

diff --git a/exasol/toolbox/templates/github/workflows/periodic-validation.yml b/exasol/toolbox/templates/github/workflows/periodic-validation.yml
@@ -57,6 +57,6 @@ jobs:
       - run-slow-checks
     uses: ./.github/workflows/report.yml
     secrets:
-      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      (( sonar_token_name )): ${{ secrets.(( sonar_token_name )) }}
     permissions:
       contents: read
diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml
@@ -4,7 +4,7 @@ name: Status Report
 on:
   workflow_call:
     secrets:
-      SONAR_TOKEN:
+      (( sonar_token_name )):
         required: true
 
 jobs:
@@ -45,7 +45,7 @@ jobs:
       - name: Upload to Sonar
         id: upload-to-sonar
         env:
-          SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"
+          SONAR_TOKEN: "${{ secrets.(( sonar_token_name )) }}"
         run: poetry run -- nox -s sonar:check
 
       - name: Generate GitHub Summary

diff --git a/test/unit/config_test.py b/test/unit/config_test.py
@@ -4,6 +4,7 @@
 from unittest.mock import Mock
 
 import pytest
+from pydantic import computed_field
 from pydantic_core._pydantic_core import ValidationError
 
 from exasol.toolbox.config import (
@@ -50,6 +51,7 @@ def test_works_as_defined(tmp_path, test_project_config_factory):
                 "dependency_manager_version": "2.3.0",
                 "minimum_python_version": "3.10",
                 "os_version": "ubuntu-24.04",
+                "sonar_token_name": "SONAR_TOKEN",
                 "python_versions": (
                     "3.10",
                     "3.11",
@@ -61,6 +63,7 @@ def test_works_as_defined(tmp_path, test_project_config_factory):
             },
             "minimum_python_version": "3.10",
             "os_version": "ubuntu-24.04",
+            "sonar_token_name": "SONAR_TOKEN",
             "plugins_for_nox_sessions": (),
             "project_name": "test",
             "python_versions": ("3.10", "3.11", "3.12", "3.13", "3.14"),
@@ -110,6 +113,13 @@ class BaseConfigExpansion(BaseConfig):
     expansion1: str = "test1"
 
 
+class AlternateSonarConfig(BaseConfig):
+    @computed_field  # type: ignore[misc]
+    @property
+    def sonar_token_name(self) -> str:
+        return "SONAR_ANOTHER_TOKEN"
+
+
 def test_expansion_validation_fails_for_invalid_version():
     with pytest.raises(ValueError):
         BaseConfigExpansion(python_versions=("1.f.0",))
@@ -134,6 +144,13 @@ def test_minimum_python_version(test_project_config_factory):
     assert conf.minimum_python_version == "1.10"
 
 
+def test_sonar_token_name_can_be_overridden(tmp_path):
+    config = AlternateSonarConfig(project_name="test", root_path=tmp_path)
+
+    assert config.sonar_token_name == "SONAR_ANOTHER_TOKEN"
+    assert config.github_template_dict["sonar_token_name"] == "SONAR_ANOTHER_TOKEN"
+
+
 @pytest.mark.parametrize("minimum_python_version", ["3.10", "3.10.5"])
 def test_pyupgrade_argument(test_project_config_factory, minimum_python_version):
     conf = test_project_config_factory(