
feat: verify sonar cube token is set before running checks #1157

Open
stetsche wants to merge 4 commits into master from feat/check-sonarcube-token

Conversation

@stetsche stetsche commented May 11, 2026

Description:

This pull request updates the SonarQube GitHub Actions workflow to improve security and reliability by conditionally running the analysis only if the required secret is set, and by pinning the SonarQube scan action to a specific commit for reproducibility.

Workflow improvements:

  • Added a new check-sonar-token job that checks if the SONAR_TOKEN secret is set, and only allows the main build job to run if the token is present. This prevents workflow failures when the secret is missing.
  • Updated the permissions for the build job to explicitly set contents: read, following the principle of least privilege.

Dependency management:

  • Pinned the SonarSource/sonarqube-scan-action used in the frontend scan step to a specific commit hash (c7ee0f9...), improving security and reproducibility by avoiding potential issues with future updates to the action.

Checklist:

Make sure you tick all the boxes below if they are true or do not apply before you ask for review

Required for all pull requests:

  • I have performed a self-review of my code
  • I have made my code as simple as possible
  • I have removed all commented code
  • I have described the PR and added a meaningful title in the Conventional Commits format
If applicable to this PR:
  • I have added relevant tests for my changes and the code coverage has not dropped substantially
  • I have updated the documentation in all relevant places (Javadoc, Swagger, MDs...)

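The gating pattern the description refers to, written out as an added example (this is not the PR's own `sonarqube.yml`): a first job reads the secret into an environment variable and publishes a boolean job output, and the scan job only runs when that output is `true`, so runs without secrets (such as the Dependabot PRs named in the linked issue) are skipped cleanly instead of failing. The step id `check`, the output name `has-token`, the trigger section, the checkout step and the `<FULL_COMMIT_SHA>` placeholders are assumptions; the job names, the `contents: read` permission and the pinned action come from the description.

```yaml
name: SonarQube

on:
  push:
    branches: [master]
  pull_request:

jobs:
  # Secrets cannot be referenced in a job-level `if`, so a small job
  # materialises "is SONAR_TOKEN set?" as a job output first.
  check-sonar-token:
    runs-on: ubuntu-latest
    outputs:
      has-token: ${{ steps.check.outputs.has-token }}   # assumed output name
    steps:
      - id: check                                        # assumed step id
        env:
          # Empty when the workflow runs without repository secrets
          # (e.g. Dependabot or fork pull requests).
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          if [ -n "$SONAR_TOKEN" ]; then
            echo "has-token=true" >> "$GITHUB_OUTPUT"
          else
            echo "has-token=false" >> "$GITHUB_OUTPUT"
          fi

  build:
    needs: check-sonar-token
    # Job is skipped (not failed) when the token is absent.
    if: needs.check-sonar-token.outputs.has-token == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read            # least privilege: the scan only reads sources
    steps:
      # Pin third-party actions to a full commit SHA rather than a mutable tag;
      # the trailing comment records which release the SHA was audited against.
      - uses: actions/checkout@<FULL_COMMIT_SHA>   # placeholder, e.g. v4.x.y
        with:
          fetch-depth: 0        # SonarQube needs history for blame/new-code data

      - name: Frontend scan
        uses: SonarSource/sonarqube-scan-action@<FULL_COMMIT_SHA>   # placeholder
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```

Note that `if` is evaluated on the job, so the `build` job appears as "skipped" in the checks list; if a branch protection rule requires it, make the check optional for contexts where the secret is never provided.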
Copilot AI review requested due to automatic review settings May 11, 2026 05:51
@stetsche stetsche requested a review from konradlang as a code owner May 11, 2026 05:51
@stetsche stetsche self-assigned this May 11, 2026
Copilot AI left a comment

Pull request overview

This PR updates the SonarQube GitHub Actions workflow to avoid running the SonarQube build/scan job when the SONAR_TOKEN secret is unavailable, preventing failures in contexts where secrets aren’t provided.

Changes:

  • Added a check-sonar-token job that detects whether SONAR_TOKEN is present and exposes the result as a job output.
  • Gated the build (build + Sonar analysis) job behind that output so it only runs when the token is available.

codecov Bot commented May 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.04%. Comparing base (4cc0af3) to head (f0a8498).

Additional details and impacted files
@@            Coverage Diff            @@
##             master    #1157   +/-   ##
=========================================
  Coverage     86.04%   86.04%           
  Complexity     2312     2312           
=========================================
  Files           291      291           
  Lines          6442     6442           
  Branches        402      402           
=========================================
  Hits           5543     5543           
  Misses          645      645           
  Partials        254      254           

@stetsche stetsche force-pushed the feat/check-sonarcube-token branch from e1d64d6 to f0a8498 Compare May 11, 2026 13:21
Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

Development

Successfully merging this pull request may close these issues.

[BUG] SonarCube action is failing on dependabot PRs

2 participants