[refactor] Modernize Maven 3 build pipeline and release automation

[duncdrum]

Summary

Ports the lessons from the deferred Maven 4 experiment (#6276) into a
production-ready Maven 3 pipeline. Replaces maven-release-plugin with a
two-workflow GitHub Actions pattern, simplifies the profile graph, modernizes
macOS notarization (notarytool + API key auth), and adds Windows Authenticode
signing via Azure Key Vault. Maven Central publishing migrated from legacy
OSSRH to the new Central Portal (central-publishing-maven-plugin).

What changed

POM modernization

• All 59 POMs switched to ${revision} (CI-friendly versions). <revision>7.0.0-SNAPSHOT> set as default in exist-parent.
• flatten-maven-plugin 1.7.3 added — flattenMode=resolveCiFriendliesOnly — so deployed POMs resolve ${revision} to a literal version. flatten.clean execution bound to clean phase so mvn package is idempotent.
• Minimum Maven version bumped to 3.9.16.

Profile simplification

• Removed activeByDefault from installer / concurrency-stress-tests / micro-benchmarks — they no longer leak into contributor builds.
• New umbrella profiles: local-build (default), release-build (adds installer + GPG signing + Central publishing), perf-tests (stress + benchmarks).
• Removed redundant installer, concurrency-stress-tests, `micro-benumbrella restructure.

Release pipeline (CI)

• New ci-release-prepare.yml (workflow_dispatch): updates CITATION.cff, commits, creates annotated eXist-X.Y.Z tag, pushes via RELEASE_PAT.
• New ci-release.yml (tag-triggered): parallel build-linux (Maven Cbuild-mac(signed + notarized DMG),build-windows(signed installerJAR + Authenticode.exe), converging on publish-github-release`.
• release-preflight enforcer profile validates required secrets befor
• Workflows hardened: least-privilege permissions, tokens out of CLI args, third-party actions SHA-pinned.

macOS signing

• Migrated from deprecated altool --notarize-app to notarytool submitaple with App Store Connect API Key auth (no Apple ID, no 2FA).
• Decoupled mac-dmg-on-mac activation from mac-signing — contributors get an unsigned DMG automatically on macOS without extra flags.
• Removed default mac.codesign.identity.
• Jansi native code now signed in both jarfiles.

Windows signing

• Azure OIDC federated identity via azure/login@v2 (no long-lived sec
• JAR signing via azure-security-keyvault-jca; .exe Authenticode via AzureSignTool.

Documentation

• exist-versioning-release.md rewritten for the two-workflow pattern

Closes

• Closes [feature] provide maven profiles for specific use-cases #3394 — Maven profiles for specific use-cases
• Closes Distribution archives not built by default #3411 — distribution archives not built by default
• Closes [BUG] Wrong Docker tags are set as part of mvn:release #4117 — wrong Docker tags during release
• Closes Improve usage of GitHub-release plugin when publishing new versions of existdb  #4217 — improve GitHub-release plugin usage
• Closes [feature] revise pom/versioning #4519 — revise POM versioning
• Closes [feature] move installer generation to CI #5597 — move installer generation to CI
• Closes Build: make sure that dependency-check (NVD) is only executed in exist-distribution. #5641 — dependency-check only in exist-distribution
• Closes [feature] staple notarization ticket to DMG contents #6177 — staple notarization ticket to DMG
• Closes Cannot mvn package twice #6411 — cannot mvn package twice
• Closes [bug] mac.codesign.identity default in codesign-mac-app/dmg profiles causes "no identity found" for contributors without the matching certificate #6414 — default mac.codesign.identity causes contributor bui

see #6176