security: avoid persisting GitHub SSH keys in PR pipelines (#4477)
## Summary - remove `git.setSshKey(GIT_CREDENTIALS_ID)` from PR / ghpr pipelines that run untrusted repository code - keep private-repo access scoped to the checkout step via `prow.checkoutRefs(..., credentialsId = GIT_CREDENTIALS_ID, ...)` - switch the affected TiFlash PR pipelines from empty checkout credentials to checkout-scoped SSH credentials so submodule/private fetch still works without leaving a reusable key on disk
## Risk Being Fixed The audited PR pipelines cloned private repositories or private submodules with the `github-sre-bot-ssh` credential and then persisted the SSH private key into `~/.ssh/id_rsa` via `git.setSshKey()`.
Once that happened, build/test scripts coming from the target PR repository could reuse the same key to: - print or copy the key material - clone additional private repositories - push new refs or delete remote refs that the key can access
This PR removes that persistent-key path from PR jobs and narrows credential availability to the checkout helper's `sshagent` scope.
## Audit Notes Confirmed safe patterns that were left unchanged: - `prow.checkoutRefs(..., credentialsId = GIT_CREDENTIALS_ID, ...)` because it scopes SSH auth to the checkout helper - `component.checkout(...)` / `checkoutPRWithPreMerge(...)` because they use Jenkins checkout or `sshagent` during checkout only - legacy `jenkins/` GitSCM checkouts that use `credentialsId` without copying keys into `~/.ssh/id_rsa`
## Validation - `git diff --check` - verified no PR / ghpr pipeline under `pipelines/` still contains `git.setSshKey(...)` - verified the TiFlash PR jobs that previously relied on `git.setSshKey()` now use checkout-scoped credentials instead of `credentialsId = ''`
## Scope This intentionally updates PR / ghpr pipelines only. Remaining `git.setSshKey()` usage is in merged / trusted jobs and can be reviewed separately if we want to remove that pattern repo-wide later. (commit: bbfd59c)
