Enable SonarQube analysis on forked PRs

[ihhub]

According to this approach it is possible to enable SonarQube analysis for forked pull requests. Since we don't do compilation for SQ stage this will not impact much on the performance of Github Actions.

[oleg-derevenetz]

These approaches are insecure. The whole point with forks is to run SonarCloud analysis with no access to the upstream repo (because it involves for example running CMake with CMakeLists.txt from the PR branch - in our case, or, like this guy does for Java code, running gradlew with Gradlew scripts from the PR branch), and then we should take the results of the analysis and handle them somehow in the separate secure workflow with access to upstream tokens. This is currently impossible with SonarCloud, because it doesn't have a separate steps for analysis and for handling results (uploading, PR decoration and so on). This is done by the SonarCloud in one shot.

Running the analysis like they do is absolutely insecure. What if malicious author of pull request just add some code to his CMakeLists.txt (in our case) or build.gradle (in the case of that guy) and steal the upstream repo tokens? Also I'm not sure that SonarQube source scanner itself is so secure that it could be run on untrusted code while having an access to the upstream secrets.