Dependabot triggers sonarqube on forks, commenting on closed issues

Our current sonarqube implementation/usage is a little bit flacky.

There are two issues:

1. we can not share secrets with forks, thats why we checked in the sonar token within the code (this is still bad, and we need to address this as pointed out by @beatngu13 )
2. due to this, and the configuration forks will also do sonar analysis and upload the result to the same project. This is bad as it leads to comments on already closed tickets like #5

We do have multiple options regarding this.

1. we could change the sonar project key to be determined by the Repository name, instead of a hardcoded value. This would allow projects to still analyse the project, if they first create it. But we would not have those comments (i see this as a win). We would need to use the environment variable from GitHub Action (if present), transform it into a valid project key (replace / with _) and we should be good to go.
   • https://github.com/junit-pioneer/junit-pioneer/blob/master/build.gradle.kts#L102
   • https://docs.github.com/en/free-pro-team@latest/actions/reference/environment-variables#default-environment-variables
2. The secret part is more tricky. As this is not supported by GitHub Action. We could change the process of the sonarqube analysis. so we trigger the analysis by a different user - and just the analysis. As this seems to be a not so trivial task, we might create an own issue to start thinking about a solution. Still this infromation is relevant in here.

This relates to https://github.com/dependabot/dependabot-core/issues/2804 as dependabot and forks, are still a problem, because all of them will receive pull requests if default configuration is applied, and nobody took care about the security