feat: publish dapr-sdk-bom artifact for transitive dependency management#1722

Open
javier-aliaga wants to merge 5 commits into dapr:master from javier-aliaga:feat/sdk-bom-1720
Conversation


@javier-aliaga javier-aliaga commented Apr 10, 2026

Description

  • Adds a standalone dapr-sdk-bom module so consumers can import a single BOM to pin all Dapr SDK artifact versions and security-critical transitive dependency overrides
  • The BOM is parentless (no <parent>) to avoid leaking the root POM's 1500+ internal managed dependencies (junit, mockito, spring-boot-dependencies, etc.) to consumers
  • Includes security overrides for netty-bom (CVE-2026-33870/33871), jackson-bom, commons-compress, and commons-codec

Changes

New module: sdk-bom/pom.xml

  • 20 Dapr SDK artifact entries (io.dapr + io.dapr.spring modules)
  • Imported BOMs: netty-bom 4.1.132.Final, jackson-bom 2.21.2
  • Direct overrides: commons-compress 1.26.0, commons-codec 1.17.2
  • Maven Central metadata: license, developers, SCM

Root pom.xml

  • Registered sdk-bom as the first module in <modules>

Consumer usage

<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>io.dapr</groupId>
      <artifactId>dapr-sdk-bom</artifactId>
      <version>${dapr.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

Test plan

  • mvn install -pl sdk-bom builds successfully
  • mvn validate passes with BOM in reactor alongside other modules
  • Effective POM contains only 145 managed dependencies (20 Dapr + netty-bom + jackson-bom + 2 direct overrides) — no parent leakage
  • Verify BOM resolves correct netty 4.1.132.Final in a consumer project that depends on dapr-sdk
  • Verify mvn deploy includes dapr-sdk-bom artifact in staging

Closes #1720

Issue reference

We strive to have all PRs opened based on an issue, where the problem or feature has been discussed prior to implementation.

Please reference the issue this PR will close: #1720

Checklist

Please make sure you've completed the relevant tasks for this PR, out of the following list:

  • Code compiles correctly
  • Created/updated tests
  • Extended the documentation
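The test plan above checks that a consumer's effective POM contains only the BOM-managed entries (the pinned netty, jackson, commons-compress and commons-codec versions) and nothing leaked from the root POM such as junit or mockito. The script below is an added example, not code from this PR or the dapr java-sdk: it parses the output of `mvn help:effective-pom -Doutput=effective.xml` from a consumer project and reports stale pins and leaked test tooling. The expected versions are the ones stated in the PR description; the artifact names used for the pins (netty-handler, jackson-databind) and the sample XML documents are constructed for the demonstration, and the Dapr version `X.Y.Z` is a placeholder.

```python
"""Audit a Maven effective POM against the transitive pins a BOM should supply.

Added example for PR #1722 (not part of the dapr java-sdk). Usage:
    mvn help:effective-pom -Doutput=effective.xml   # in the consumer project
    python bom_audit.py effective.xml
With no argument it runs against the constructed sample below.
"""
import sys
import xml.etree.ElementTree as ET

# Security-critical transitive pins from the PR text. The artifactIds are
# constructed examples of what netty-bom / jackson-bom manage.
EXPECTED_PINS = {
    ("io.netty", "netty-handler"): "4.1.132.Final",
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.21.2",
    ("org.apache.commons", "commons-compress"): "1.26.0",
    ("commons-codec", "commons-codec"): "1.17.2",
}

# groupId prefixes of build/test tooling that must not leak to consumers.
LEAK_INDICATORS = ("org.junit.jupiter", "org.mockito", "org.springframework.boot")


def managed_versions(effective_pom_xml: str) -> dict:
    """Return {(groupId, artifactId): version} from <dependencyManagement>.

    The '{*}' wildcard matches with or without the POM 4.0.0 namespace.
    """
    root = ET.fromstring(effective_pom_xml)
    out = {}
    for dep in root.iterfind("{*}dependencyManagement/{*}dependencies/{*}dependency"):
        gid = dep.findtext("{*}groupId")
        aid = dep.findtext("{*}artifactId")
        ver = dep.findtext("{*}version")
        if gid and aid and ver:
            out[(gid.strip(), aid.strip())] = ver.strip()
    return out


def audit(effective_pom_xml: str) -> dict:
    """Compare managed entries against EXPECTED_PINS and LEAK_INDICATORS."""
    managed = managed_versions(effective_pom_xml)
    # pins that are missing or resolve to a different version than expected
    wrong = {k: (managed.get(k), v) for k, v in EXPECTED_PINS.items() if managed.get(k) != v}
    # test-only groups that should never appear in a consumer's managed set
    leaked = sorted(f"{g}:{a}" for (g, a) in managed if g.startswith(LEAK_INDICATORS))
    return {"managed_count": len(managed), "wrong_pins": wrong, "leaked": leaked,
            "ok": not wrong and not leaked}


# Constructed sample: a clean consumer effective POM after importing the BOM.
CLEAN_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>io.dapr</groupId><artifactId>dapr-sdk</artifactId><version>X.Y.Z</version></dependency>
    <dependency><groupId>io.netty</groupId><artifactId>netty-handler</artifactId><version>4.1.132.Final</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>2.21.2</version></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-compress</artifactId><version>1.26.0</version></dependency>
    <dependency><groupId>commons-codec</groupId><artifactId>commons-codec</artifactId><version>1.17.2</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

# Constructed failure cases: a junit entry leaked from a parent POM, and a
# stale netty pin (the version string is made up for the demonstration).
JUNIT_ENTRY = ("<dependency><groupId>org.junit.jupiter</groupId>"
               "<artifactId>junit-jupiter</artifactId><version>5.0.0</version></dependency>")
LEAKY_POM = CLEAN_POM.replace("</dependencies>", JUNIT_ENTRY + "</dependencies>")
STALE_POM = CLEAN_POM.replace("4.1.132.Final", "4.1.0.Final")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            result = audit(fh.read())
    else:
        result = audit(CLEAN_POM)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Running it against a consumer project that imports the BOM should report `ok: True`; a non-empty `leaked` list is the parent-leakage the PR's parentless BOM is designed to avoid, and a non-empty `wrong_pins` dict means a closer BOM or direct declaration in the consumer is overriding the security pin.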

…#1720)

Standalone BOM (no parent inheritance) so consumers only get Dapr SDK
artifact versions and security-critical transitive dependency overrides
without inheriting the parent's 1500+ internal managed dependencies.

Includes all published io.dapr and io.dapr.spring modules, plus
security overrides for netty-bom (CVE-2026-33870/33871),
jackson-bom, commons-compress, and commons-codec.

Closes dapr#1720

Signed-off-by: Javier Aliaga <javier@aliaga.dev>
Signed-off-by: Javier Aliaga <javier@diagrid.io>
Document dapr-sdk-bom as the recommended way to import the SDK,
with version-free dependency declarations for both Maven and Gradle.
Keep the manual version approach as an alternative.

Signed-off-by: Javier Aliaga <javier@aliaga.dev>
Signed-off-by: Javier Aliaga <javier@diagrid.io>
The BOM has no parent, so mvn versions:set skips it during the
reactor walk. Add explicit -f sdk-bom/pom.xml calls to update
both the artifact version and dapr.sdk.version property.

Signed-off-by: Javier Aliaga <javier@aliaga.dev>
Signed-off-by: Javier Aliaga <javier@diagrid.io>
The BOM has no parent, so it doesn't inherit distributionManagement,
nexus-staging-maven-plugin, or maven-gpg-plugin from the root POM.
Without these the publish step would fail to stage and sign the
artifact for Maven Central.

Signed-off-by: Javier Aliaga <javier@aliaga.dev>
Signed-off-by: Javier Aliaga <javier@diagrid.io>
@javier-aliaga javier-aliaga marked this pull request as ready for review April 10, 2026 11:48
@javier-aliaga javier-aliaga requested review from a team as code owners April 10, 2026 11:48
@javier-aliaga
Contributor Author

@dapr/maintainers-java-sdk thoughts?

The BOM has no parent, so it picks up maven-site-plugin 3.3 from
Maven's defaults instead of 3.12.1 from pluginManagement. Pin the
version and skip site since a POM-only BOM has no content to render.

Signed-off-by: Javier Aliaga <javier@aliaga.dev>
Signed-off-by: Javier Aliaga <javier@diagrid.io>

codecov bot commented Apr 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.90%. Comparing base (9b80cfc) to head (c596293).

Additional details and impacted files
@@             Coverage Diff              @@
##             master    #1722      +/-   ##
============================================
- Coverage     72.91%   72.90%   -0.02%     
- Complexity     2256     2257       +1     
============================================
  Files           242      242              
  Lines          7415     7415              
  Branches        738      738              
============================================
- Hits           5407     5406       -1     
- Misses         1646     1648       +2     
+ Partials        362      361       -1     


Development

Successfully merging this pull request may close these issues.

Publish a dapr-sdk-bom artifact

1 participant