fix(ci): sonarqube-scan-action downloads Sonar Scanner CLI without verifying (#27079)

[dudinea]

Fixes: #27079

This PR provides a workaround for this sonarqube-scan-action vulnerability
until it's fixed by the action authors. I'm goind to submit a bug report
to SonarSource.

This PR adds a priliminary step before running the sonarqube-scan-action
that uses the manifest in the action source (pinned by commit SHA) to
download CLI binary, verify it's integrity and makes the action use the downloaded
and verified CLI binary.

While this fix is rather complex I hope it is temporary until it fixed upstream.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Title of the PR
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[bunnyshell]

🔴 Preview Environment stopped on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

• 🔵 /bns:start to start the environment
• 🚀 /bns:deploy to redeploy the environment
• ❌ /bns:delete to remove the environment

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (master@047c0ae). Learn more about missing BASE report.
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff            @@
##             master   #27080   +/-   ##
=========================================
  Coverage          ?   63.35%           
=========================================
  Files             ?      415           
  Lines             ?    56553           
  Branches          ?        0           
=========================================
  Hits              ?    35830           
  Misses            ?    17344           
  Partials          ?     3379           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[reggie-k]

Thanks!
Will we need a follow-up PR for renovate/dependabot config to bump the version in 2 places?

[dudinea]

Will we need a follow-up PR for renovate/dependabot config to bump the version in 2 places?

updated the PR, now there is no need to change bots' configs for that, tested in the forked repo.