fix(sage-monorepo): fix how PRs are checked out in Sonar cloud workfl…

…ow (#2570)

.github/workflows/sonar-scan.yml

@@ -1,4 +1,5 @@
-name: Scan affected projects with Sonar
+name: Sonar Scan
+
 on:
   push:
     branches:
@@ -11,27 +12,26 @@ on:
   pull_request_target:
     types: [opened, synchronize, reopened, labeled]
 
-env:
-  HEAD_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref_name }}
-  HEAD_REPOSITORY: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.repository }}
-
 jobs:
   sonar:
     runs-on: ubuntu-latest
     steps:
-      - name: Check if the label `sonar-scan-approved` exists
+      - name: Check if the label `sonar-scan-approved` exists (PR only)
         if: ${{ github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'sonar-scan-approved') != true }}
-        run: echo "Add the label 'sonar-scan-approved' to this PR to activate Sonar scan"; exit 1
+        run: |
+          echo "WARNING: Please consider if this PR can be trusted with advanced privileges."
+          echo "If yes, add the label 'sonar-scan-approved' to this PR to enable Sonar scan."
+          exit 1
 
-      - uses: actions/checkout@v3
-        name: Checkout ${{ env.HEAD_REPOSITORY }}:${{ env.HEAD_REF }}
+      - uses: actions/checkout@v4
+        name: Checkout
         with:
-          ref: ${{ env.HEAD_REF }}
-          repository: ${{ env.HEAD_REPOSITORY }}
+          # We need to fetch all branches and commits so that Nx affected has a base to compare
+          # against.
           fetch-depth: 0
 
       - name: Derive appropriate SHAs for base and head for `nx affected` commands
-        uses: nrwl/nx-set-shas@v3
+        uses: nrwl/nx-set-shas@v4
 
       - name: Set up the dev container
         env: