CAMEL-23274: Disable SonarCloud temporarily and fix script injection

[gnodet]

CAMEL-23274

Summary

• Temporarily disable sonar-build and sonar-scan workflows until the SonarCloud quality gate is adjusted (INFRA-27808)
• Fix BLOCKER vulnerability githubactions:S7630 in sonar-build.yml: user-controlled expressions (github.event.pull_request.head.ref) used directly in run blocks enable script injection — moved to env variables

Why disable?

The quality gate requires ≥80% coverage, but only core modules produce coverage data. This causes failures on all PRs touching components and on main branch builds. A request to adjust the gate has been filed as INFRA-27808.

To re-enable: remove the false && from the if conditions in both workflow files.

Test plan

• sonar-build.yml job condition evaluates to false, workflow is skipped
• sonar-scan.yml job condition evaluates to false, workflow is skipped
• Script injection fix uses env variables instead of direct expression interpolation

[github-actions]

🌟 Thank you for your contribution to the Apache Camel project! 🌟
🤖 CI automation will test this PR automatically.

🐫 Apache Camel Committers, please review the following items:

• First-time contributors require MANUAL approval for the GitHub Actions to run
• You can use the command /component-test (camel-)component-name1 (camel-)component-name2.. to request a test from the test bot although they are normally detected and executed by CI.
• You can label PRs using build-all, build-dependents, skip-tests and test-dependents to fine-tune the checks executed by this PR.
• Build and test logs are available in the summary page. Only Apache Camel committers have access to the summary.

⚠️ Be careful when sharing logs. Review their contents before sharing them publicly.