Migrate GitLab CI to GitHub Actions with branch-specific pipeline behavior #28

Draft
Copilot wants to merge 6 commits into claude/migrate-ci-to-actions-011CULY2gkLMQ6XWi4ERzN3L from copilot/sub-pr-25

Copilot AI commented Feb 19, 2026

Restructures the GitHub Actions CI/CD pipeline migrated from GitLab, implementing proper branch-specific behavior and fixing issues on self-hosted runners.

Pipeline Behavior

| Branch | Maven goals | Tests | JAR publish | Docker publish | Scans |
|---|---|---|---|---|---|
| Feature branches | clean install | ✅ run | | | License |
| release/* | clean deploy -P snapshot-release | ✅ run | ✅ snapshot | xxx-next + xxx-next-jammy | License + Trivy |
| develop/master/main | clean deploy -P snapshot-release -DskipTests | ❌ skipped | ✅ snapshot | :next + :next-jammy | License + Trivy |
| Tags | clean deploy -P release -DskipTests | ❌ skipped | ✅ release | ✅ tagged + tagged-jammy | License |

Changes

  • Restructured ci.yml: Implements branch-specific Maven goals, publishing, and scanning per the pipeline goals above
  • Fixed Docker config path: Changed /home/runner/.docker/ to $HOME/.docker/ to support varying home directories on self-hosted runners
  • Removed Docker auth from Maven build step: Docker publishing is handled by separate jobs; Maven builds do not need Docker credentials
  • Fixed validate-license-compliance: Now downloads both build-artifacts (THIRD-PARTY.txt) and orbital-ui (licenses.csv) before running processLicenses.js
  • Added scan-trivy job to ci.yml: Trivy vulnerability scan runs after Docker publish on develop/master/main/release/* branches
  • Added UI artifact dependencies: Publish jobs depend on build-orbital-ui and download orbital-ui artifacts
  • Added -Daws.region=eu-west-2 to Maven deploy commands, syncing with the develop branch's .gitlab-ci.yml
  • Synced .gitlab-ci.yml with develop branch
  • Simplified verify.yml: Retained only manual regression tests (license and Trivy scans moved into ci.yml)
  • Updated .gitignore: Added .npm/ and .m2/ cache directories
  • Documentation: Added JOOQ_REPO_USERNAME and JOOQ_REPO_PASSWORD to required secrets list in migration guide

Copilot AI and others added 3 commits February 19, 2026 08:29
Co-authored-by: martypitt <348852+martypitt@users.noreply.github.com>
Co-authored-by: martypitt <348852+martypitt@users.noreply.github.com>
Co-authored-by: martypitt <348852+martypitt@users.noreply.github.com>
Copilot AI changed the title [WIP] Migrate GitLab CI to GitHub Actions workflows Fix GitHub Actions CI for self-hosted runners Feb 19, 2026
Copilot AI requested a review from martypitt February 19, 2026 08:34

@martypitt (Contributor)

@copilot Let's take a step back and review the github actions.

These are the goals of the build pipeline.

Feature Branches (anything that isn't release/xxxx)

  • Build, and test, do not publish anywhere
  • License scan

Release branches (release/xxxx)

  • Build, and test
  • publish snapshot jars
  • license and vuln scan
  • publish xxx-next tag (e.g., 0.36:next)

Develop, Master, Main

  • Build. Skip tests, as we assume passed on branches
  • License scan
  • Trivy vuln scan
  • Publish snapshot jars
  • Publish docker images with :next tag

Tags

  • Build
  • Publish release jars
  • Publish tagged docker images (e.g., 0.36.2)

In all cases when publishing docker images, we always publish xxx and xxx-jammy (which uses Ubuntu Jammy as the base image).

By the above logic, once implemented, the PR should end up with a passing build, but not publishing anything.

Also, rebase develop onto this branch, and re-check the .gitlab-ci.yml file, to see if there's anything else in there that we do, which isn't covered here.

Copilot AI and others added 2 commits February 19, 2026 10:34
Co-authored-by: martypitt <348852+martypitt@users.noreply.github.com>
…y jobs

Co-authored-by: martypitt <348852+martypitt@users.noreply.github.com>

Copilot AI (Author) commented Feb 19, 2026

> @copilot Let's take a step back and review the github actions.
>
> These are the goals of the build pipeline.
> ...

Done. Here's a summary of what was changed (commits 69ac070 and 7ad4564):

ci.yml completely rewritten to implement the goals:

| Branch | Maven goals | Tests | JAR publish | Docker publish | Scans |
|---|---|---|---|---|---|
| Feature branches | clean install | ✅ run | | | License |
| release/* | clean deploy -P snapshot-release | ✅ run | ✅ snapshot | xxx-next (+ jammy) | License + Trivy |
| develop/master/main | clean deploy -P snapshot-release -DskipTests | ❌ skipped | ✅ snapshot | :next (+ jammy) | License + Trivy |
| Tags | clean deploy -P release -DskipTests | ❌ skipped | ✅ release | ✅ tagged (+ jammy) | License |

Other changes:

  • validate-license-compliance now correctly downloads both build-artifacts (THIRD-PARTY.txt) and orbital-ui (licenses.csv) before running processLicenses.js
  • scan-trivy moved into ci.yml (runs after Docker publish on develop/master/release/*)
  • Removed Docker auth from the Maven build step (Docker publishing is in separate jobs)
  • Added main as a trunk branch alongside develop/master
  • verify.yml simplified to only manual regression tests
  • .gitlab-ci.yml synced with develop (added back -Daws.region=eu-west-2)

This PR is a feature branch (copilot/sub-pr-25), so CI should build + test with clean install and run the license check, but not publish anything.

Copilot AI changed the title Fix GitHub Actions CI for self-hosted runners Migrate GitLab CI to GitHub Actions with branch-specific pipeline behavior Feb 19, 2026
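
The branch rules agreed in this thread, as an added shell example that is not part of the PR or the project's ci.yml: it classifies a Git ref into Maven goals, publish targets and scans, and falls back to the no-publish feature-branch row for any ref it does not recognise. The function names, the output keys and the reading of xxx as the text after release/ are assumptions.

```shell
# Added example: map a Git ref to the pipeline plan discussed in this thread.
# plan_for_ref, plan_field and the key names are hypothetical, not from ci.yml.

plan_for_ref() (
  ref="$1"
  # Default is the most restrictive row (feature branch): build, test,
  # license scan, publish nothing. Unknown refs and PR merge refs land here.
  goals="clean install"; tests=run; jars=none; docker=none; scans="license"
  case "$ref" in
    refs/tags/?*)
      v="${ref#refs/tags/}"
      goals="clean deploy -P release -DskipTests"
      tests=skipped; jars=release; docker="$v $v-jammy" ;;
    refs/heads/release/?*)
      v="${ref#refs/heads/release/}"
      goals="clean deploy -P snapshot-release"
      jars=snapshot; docker="$v-next $v-next-jammy"; scans="license trivy" ;;
    refs/heads/develop|refs/heads/master|refs/heads/main)
      goals="clean deploy -P snapshot-release -DskipTests"
      tests=skipped; jars=snapshot; docker="next next-jammy"
      scans="license trivy" ;;
  esac
  printf 'goals=%s\ntests=%s\njars=%s\ndocker=%s\nscans=%s\n' \
    "$goals" "$tests" "$jars" "$docker" "$scans"
)

# Return one field of the plan, e.g. plan_field refs/heads/main docker
plan_field() {
  plan_for_ref "$1" | sed -n "s/^$2=//p"
}

# In a workflow step (assumption): plan_for_ref "$GITHUB_REF" >> "$GITHUB_OUTPUT"
```

Patterns are anchored at the start of the ref, so a feature branch named feature/release/x or an empty release/ suffix still gets the no-publish plan.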