is there a way to allow users in SonarQube with group permissions to execute analysis but to disable accidentally publishing and overwriting the current issues.
For example, I have an automated pull request and I'd like my developers to be able to run sonarLint Intellij plugin with my set of rules but not to have the token that will allow them to publish it from sonar scanner or maven when they run testing prior to committing.
What you want is SonarLint's connected mode, which will execute most relevant rules in the profile associated with the project without updating the project in the SonarQube server.
Developers shouldn't need any special permissions to use SonarLint, so there's no need to share any user tokens at all.