Add CI, publish, and upstream-tracking workflows + README

[joewiz]

Summary

Stands up the operational shape this repo needs so eXist-db/exist#6364 can resolve org.exist-db.thirdparty.org.apache.jackrabbit:jackrabbit-webdav:2.22.3-jakarta-ee10 from CI. Five of the six deliverables from the tasking are bundled here; the remaining two (eXist consumer pom wiring + tracking issue) come after the first publish.

What lands

• README.md — what this is, versioning scheme, how the transform works, how upstream tracking works, how to cut a release, how to add the GitHub Packages credential locally, license/attribution.
• .github/workflows/ci.yml — every PR + push to main. Runs mvn verify on JDK 21 and three smoke assertions:
  1. WebdavRequestImpl's public constructors accept jakarta.servlet.* types and no javax.servlet.* types.
  2. WebdavRequestImpl constructs cleanly against a Mockito-stubbed jakarta.servlet.http.HttpServletRequest.
  3. The compiled WebdavRequestImpl.class bytecode contains jakarta/servlet and does not contain javax/servlet.
• .github/workflows/publish.yml — v* tag push + workflow_dispatch. Uses secrets.GITHUB_TOKEN with packages: write (same-org publish, no PAT). Deploys to maven.pkg.github.com/eXist-db/jackrabbit-webdav-jakarta.
• .github/workflows/check-upstream.yml — Mondays 09:00 UTC + manual dispatch. Queries apache/jackrabbit tags, downloads the new *-sources.jar from Maven Central, re-extracts into src/main/java + src/main/resources, runs mvn rewrite:run to re-apply the Jakarta EE 10 transform, bumps pom.xml version, opens a PR labelled upstream-bump. Idempotent: skips if the bump branch already exists.
• pom.xml — adds <distributionManagement> for GitHub Packages, plus JUnit Jupiter 5.11.4, Mockito 5.14.2, and maven-surefire-plugin 3.5.2 so the smoke test runs.

Discrepancy with the tasking, worth flagging

The tasking describes the transform as happening "inline at build time" via the rewrite-maven-plugin. In reality the plugin in pom.xml has no <executions> binding, and src/main/java/ is already committed as the post-transform output. Day-to-day builds are plain mvn compile against already-jakarta source. The transform actually re-runs in the upstream-bump workflow via mvn rewrite:run. The README, smoke test, and bump workflow all reflect this corrected mental model.

Verified locally

mvn test on JDK 21 (Zulu 21.38.21): 3 tests pass.

Remaining tasking items

• Cut first release tag v2.22.3-jakarta-ee10 after this merges → verify artifact resolves
• Wire exist-parent/pom.xml <repository> block in PR #6364
• Open "Setup checklist" tracking issue on this repo

Test plan

• CI passes on this PR
• After merge: push tag v2.22.3-jakarta-ee10, confirm publish workflow goes green and artifact appears in GitHub Packages
• Manually dispatch check-upstream.yml with target_version: 2.22.3 and confirm it correctly detects "no bump needed"
• Resolve the published artifact from a local eXist build using the <repository> block in exist-parent/pom.xml

🤖 Generated with Claude Code

[duncdrum]

this looks a bit like rewriting dependabot, can we use dependabot for alerts for new releases?

[joewiz]

[This response was co-authored with Claude Code. -Joe]

Both fair calls, thanks @duncdrum — implemented in 315aada and 1dcf2f7 (also addresses your second comment below about action versions).

On "rewriting Dependabot" — you're right. check-upstream.yml is deleted. The new design:

• pom.xml declares org.apache.jackrabbit:jackrabbit-webdav in a tracker-only <dependencyManagement> block (no corresponding <dependencies> entry, so it stays off the classpath — wouldn't want the un-transformed upstream colliding with our vendored sources). Dependabot's Maven manifest scan sees the coordinate and opens a PR on each upstream release.
• .github/dependabot.yml gets a Maven ecosystem block, weekly, labelled upstream-bump.
• .github/workflows/bump-on-dependabot.yml triggers on Dependabot's PR, runs a checked-in script that re-vendors sources.jar from Maven Central and re-applies OpenRewrite, commits back to the Dependabot branch. CI smoke test gates merge.

Net: ~100 lines of polling YAML gone, replaced with ~10 lines of pom + ~7 lines of dependabot config + the irreducible bump mechanics. Polling is Dependabot's job; only sources-jar vendoring and OpenRewrite re-application remain custom, because nothing in Dependabot's model can do those.

On stale actions — bumped checkout@v4→v6, setup-java@v4→v5, create-pull-request@v7→v8, and added a github-actions ecosystem to dependabot.yml so they don't drift again. Same weekly schedule as the Maven one.

[duncdrum]

most action versions are out of date. dependabot to the rescue part 2

[joewiz]

[This response was co-authored with Claude Code. -Joe]

Both fair calls, thanks @duncdrum — implemented in 315aada and 1dcf2f7.

On "rewriting Dependabot" — you're right. check-upstream.yml is deleted. The new design:

• pom.xml declares org.apache.jackrabbit:jackrabbit-webdav in a tracker-only <dependencyManagement> block (no corresponding <dependencies> entry, so it stays off the classpath — wouldn't want the un-transformed upstream colliding with our vendored sources). Dependabot's Maven manifest scan sees the coordinate and opens a PR on each upstream release.
• .github/dependabot.yml gets a Maven ecosystem block, weekly, labelled upstream-bump.
• .github/workflows/bump-on-dependabot.yml triggers on Dependabot's PR, runs a checked-in script that re-vendors sources.jar from Maven Central and re-applies OpenRewrite, commits back to the Dependabot branch. CI smoke test gates merge.

Net: ~100 lines of polling YAML gone, replaced with ~10 lines of pom + ~7 lines of dependabot config + the irreducible bump mechanics. Polling is Dependabot's job; only sources-jar vendoring and OpenRewrite re-application remain custom, because nothing in Dependabot's model can do those.

On stale actions — bumped checkout@v4→v6, setup-java@v4→v5, create-pull-request@v7→v8, and added a github-actions ecosystem to dependabot.yml so they don't drift again. Same weekly schedule as the Maven one.