Sonarcloud Analysis once a week. (#5137)

* fixing the sonarcloud building in gha
* update to temurin 17
* adds checksums on sonarqube plugins
* ignore generated for spdx
* runs at midnight Tuesday mornings UTC

---------

Signed-off-by: Joshua Fernandes <joshua.fernandes@consensys.net>
Signed-off-by: Justin Florentine <justin+github@florentine.us>
Co-authored-by: Joshua Fernandes <joshua.fernandes@consensys.net>

.github/workflows/sonarcloud.yml

@@ -0,0 +1,42 @@
+
+name: SonarCloud analysis
+
+on:
+  schedule:
+    # * is a special character in YAML so you have to quote this string
+    # expression evaluates to midnight on Tuesdays UTC
+    - cron:  '0 0 * * 2'
+
+permissions:
+  pull-requests: read # allows SonarCloud to decorate PRs with analysis results
+
+jobs:
+  Analysis:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+      - name: Set up JDK 17
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+      - name: Cache SonarCloud packages
+        uses: actions/cache@v1
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+      - name: Cache Gradle packages
+        uses: actions/cache@v1
+        with:
+          path: ~/.gradle/caches
+          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
+          restore-keys: ${{ runner.os }}-gradle
+      - name: Build and analyze
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: ./gradlew build sonarqube --info
+