[chore](workflow) Fix security issues in Code Checks (#24761)

The workflow `Code Checks` needs write permissions granted by the event `pull_request_target` to comment on pull requests. However, if the workflow ran users' code, the malicious code would do some dangerous actions on our repository.

The following changes are made in this PR:
1. Instead of applying patches, we use `sed` to modify the `entrypoint.sh` in action-sh-checker explicitly in the workflow.
2. Revoke the write permissions when generating `compile_commands.json` which is produced by executing the build script `build.sh`.

.github/actions/patches/action-sh-checker.patch

@@ -1,13 +0,0 @@
-diff --git a/entrypoint.sh b/entrypoint.sh
-index d3399e3..5c8ee7b 100755
---- a/entrypoint.sh
-+++ b/entrypoint.sh
-@@ -202,7 +202,7 @@ if ((CHECKBASHISMS_ENABLE == 1)); then
- fi
- 
- if ((shellcheck_code != 0 || shfmt_code != 0)); then
--	if [ "$GITHUB_EVENT_NAME" == "pull_request" ] && ((SH_CHECKER_COMMENT == 1)); then
-+	if [[ "$GITHUB_EVENT_NAME" == "pull_request" || "$GITHUB_EVENT_NAME" == "pull_request_target" ]] && ((SH_CHECKER_COMMENT == 1)); then
- 		_comment_on_github "$shellcheck_error" "$shfmt_error"
- 	fi
- fi

.github/workflows/code-checks.yml

@@ -40,7 +40,7 @@ jobs:
       - name: Patch
         run: |
           pushd .github/actions/action-sh-checker >/dev/null
-          git apply ../patches/action-sh-checker.patch
+          sed -i 's/\[ "$GITHUB_EVENT_NAME" == "pull_request" \]/\[\[ "$GITHUB_EVENT_NAME" == "pull_request" || "$GITHUB_EVENT_NAME" == "pull_request_target" \]\]/' entrypoint.sh
           popd >/dev/null
 
       - name: Run ShellCheck
@@ -51,10 +51,13 @@ jobs:
           sh_checker_comment: true
           sh_checker_exclude: .git .github ^docker ^thirdparty/src ^thirdparty/installed ^ui ^docs/node_modules ^tools/clickbench-tools ^extension ^output ^fs_brokers/apache_hdfs_broker/output (^|.*/)Dockerfile$ ^be/src/apache-orc ^be/src/clucene ^pytest
 
-  clang-tidy:
-    name: "Clang Tidy"
+  preparation:
+    name: "Clang Tidy Preparation"
     if: ${{ github.event_name == 'pull_request_target' }}
     runs-on: ubuntu-22.04
+    permissions: read-all
+    outputs:
+      should_check: ${{ steps.generate.outputs.should_check }}
     steps:
       - name: Checkout ${{ github.ref }} ( ${{ github.event.pull_request.head.sha }} )
         uses: actions/checkout@v3
@@ -73,28 +76,56 @@ jobs:
               - 'gensrc/thrift/**'
 
       - name: Generate compile_commands.json
-        if: ${{ steps.filter.outputs.be_changes == 'true' }}
+        id: generate
         run: |
-          export DEFAULT_DIR='/opt/doris'
+          if [[ "${{ steps.filter.outputs.be_changes }}" == 'true' ]]; then
+            export DEFAULT_DIR='/opt/doris'
 
-          mkdir "${DEFAULT_DIR}"
-          wget https://github.com/amosbird/ldb_toolchain_gen/releases/download/v0.18/ldb_toolchain_gen.sh \
-            -q -O /tmp/ldb_toolchain_gen.sh
-          bash /tmp/ldb_toolchain_gen.sh "${DEFAULT_DIR}/ldb-toolchain"
+            mkdir "${DEFAULT_DIR}"
+            wget https://github.com/amosbird/ldb_toolchain_gen/releases/download/v0.18/ldb_toolchain_gen.sh \
+              -q -O /tmp/ldb_toolchain_gen.sh
+            bash /tmp/ldb_toolchain_gen.sh "${DEFAULT_DIR}/ldb-toolchain"
 
-          sudo DEBIAN_FRONTEND=noninteractive apt install --yes tzdata byacc
+            sudo DEBIAN_FRONTEND=noninteractive apt install --yes tzdata byacc
 
-          pushd thirdparty
-          curl -L https://github.com/apache/doris-thirdparty/releases/download/automation/doris-thirdparty-prebuilt-linux-x86_64.tar.xz \
-            -o doris-thirdparty-prebuilt-linux-x86_64.tar.xz
-          tar -xvf doris-thirdparty-prebuilt-linux-x86_64.tar.xz
-          popd
+            pushd thirdparty
+            curl -L https://github.com/apache/doris-thirdparty/releases/download/automation/doris-thirdparty-prebuilt-linux-x86_64.tar.xz \
+              -o doris-thirdparty-prebuilt-linux-x86_64.tar.xz
+            tar -xvf doris-thirdparty-prebuilt-linux-x86_64.tar.xz
+            popd
 
-          export PATH="${DEFAULT_DIR}/ldb-toolchain/bin/:$(pwd)/thirdparty/installed/bin/:${PATH}"
-          DISABLE_JAVA_UDF=ON DORIS_TOOLCHAIN=clang OUTPUT_BE_BINARY=0 ./build.sh --be
+            export PATH="${DEFAULT_DIR}/ldb-toolchain/bin/:$(pwd)/thirdparty/installed/bin/:${PATH}"
+            DISABLE_JAVA_UDF=ON DORIS_TOOLCHAIN=clang ENABLE_PCH=OFF OUTPUT_BE_BINARY=0 ./build.sh --be
+          fi
+
+          echo "should_check=${{ steps.filter.outputs.be_changes }}" >>${GITHUB_OUTPUT}
+
+      - name: Upload
+        uses: actions/upload-artifact@v3
+        if: ${{ steps.filter.outputs.be_changes == 'true' }}
+        with:
+          name: compile_commands
+          path: ./be/build_Release/compile_commands.json
+
+  clang-tidy:
+    name: "Clang Tidy"
+    needs: preparation
+    if: ${{ needs.preparation.outputs.should_check == 'true' }}
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout ${{ github.ref }} ( ${{ github.event.pull_request.head.sha }} )
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          submodules: recursive
+
+      - name: Download
+        uses: actions/download-artifact@v3
+        with:
+          name: compile_commands
+          path: ./be/build_Release
 
       - name: Run clang-tidy review
-        if: ${{ steps.filter.outputs.be_changes == 'true' }}
         uses: ./.github/actions/clang-tidy-review
         id: review
         with:
@@ -103,4 +134,4 @@ jobs:
 
       # clang-tidy review not required now
       # - if: steps.review.outputs.total_comments > 0
-      #   run: exit 1
+      #   run: exit 1