Conversation

Contributor

@dol dol commented Dec 10, 2025

Pull requests and discussions involved:

Summary

A new in-repo convention plugin otel.shadow-conventions was added to centralize creation of
runtime distribution jars and legal/SBOM handling. The plugin applies and configures Shadow
(fat-jar), CycloneDX (SBOM), and the dependency-license-report plugin, and wires generated outputs
into the distribution packaging in a lazy, incremental-friendly way.

Inspired by https://cwiki.apache.org/confluence/display/FLINK/Licensing#.

What changed

A new convention file was added under
buildSrc/src/main/kotlin/otel.shadow-conventions.gradle.kts which:

  • applies the com.gradleup.shadow, org.cyclonedx.bom, and
    com.github.jk1.dependency-license-report plugins;
  • centralizes licenseReport configuration and points it at the repo
    config/dependency-license/* policy files;
  • configures CycloneDX to emit JSON-only SBOM and registers the BOM as a lazy input
    for packaging;
  • adds a provider-based copyLegalDocs task that copies generated
    THIRD-PARTY-NOTICES.txt and the CycloneDX BOM into build/generated/legal-docs and
    renames the BOM to SBOM.json;
  • configures shadowJar to set classifier dist, exclude dependency-provided
    LICENSE/NOTICE files, depend on the license and SBOM generator tasks, and include only the
    curated legal artifacts and project LICENSE into META-INF in the distribution jar.

buildSrc/build.gradle.kts was updated to include implementation dependencies for the Shadow,
dependency-license-report, and CycloneDX Gradle plugins so the new convention plugin compiles.

The cel-sampler module now applies otel.shadow-conventions and its README was updated to
recommend depending on the runtime distribution artifact (artifact with -dist classifier) for
extension usage.

Two configuration files were added under config/dependency-license/:

  • allowed-licenses.json — an allowlist of acceptable licenses used by the license report check
  • license-normalizer-bundle.json — rules to normalize license names across inputs

Rationale

Centralizing dist packaging and license handling in a convention plugin provides a consistent
workflow across modules: the normal library JAR remains clean for library consumers, while the
self-contained distribution jar (classifier dist) bundles dependencies, SBOM, and curated legal
materials for runtime use. The plugin uses Gradle Providers and dependsOn wiring so generated
outputs are included without eager file resolution, supporting up-to-date checks and
configuration-cache friendliness.

Dependency-provided LICENSE/NOTICE files are excluded from the fat jar to avoid duplicates and
conflicts; the plugin includes only the authorized/generated artifacts.

Contributor Author

dol commented Dec 11, 2025

Tests are failing due to a Gradle-License-Report issue, a shortcoming with org.gradle.parallel=true and the dependency-license-report Gradle plugin.

Temporarily disabled org.gradle.parallel to verify whether the test will complete successfully.

This no longer applies, as the problem is only in the jmx-scraper subproject. The new convention does not apply to jmx-scraper.

@dol dol force-pushed the feature/cel-sampler-distribution branch from f366a27 to d371e6d on December 11, 2025 21:18
@dol dol force-pushed the feature/cel-sampler-distribution branch 2 times, most recently from bc355d6 to a582f0f on December 12, 2025 08:43
… and license handling

# Summary

A new in-repo convention plugin `otel.shadow-conventions` was added to centralize creation of
runtime distribution jars and legal/SBOM handling. The plugin applies and configures Shadow
(fat-jar), CycloneDX (SBOM), and the dependency-license-report plugin, and wires generated outputs
into the distribution packaging in a lazy, incremental-friendly way.

# What changed

A new convention file was added under
`buildSrc/src/main/kotlin/otel.shadow-conventions.gradle.kts` which:

- applies the `com.gradleup.shadow`, `org.cyclonedx.bom`, and
  `com.github.jk1.dependency-license-report` plugins;
- centralizes `licenseReport` configuration and points it at the repo
  `config/dependency-license/*` policy files;
- configures CycloneDX to emit JSON-only SBOM and registers the BOM as a lazy input
  for packaging;
- adds a provider-based `copyLegalDocs` task that copies generated
  `THIRD-PARTY-NOTICES.txt` and the CycloneDX BOM into `build/generated/legal-docs` and
  renames the BOM to `SBOM.json`;
- configures `shadowJar` to set classifier `dist`, exclude dependency-provided
  `LICENSE`/`NOTICE` files, depend on the license and SBOM generator tasks, and include only the
  curated legal artifacts and project `LICENSE` into `META-INF` in the distribution jar.

`buildSrc/build.gradle.kts` was updated to include implementation dependencies for the Shadow,
dependency-license-report, and CycloneDX Gradle plugins so the new convention plugin compiles.

The `cel-sampler` module now applies `otel.shadow-conventions` and its README was updated to
recommend depending on the runtime distribution artifact (artifact with `-dist` classifier) for
extension usage.

Two configuration files were added under `config/dependency-license/`:

- `allowed-licenses.json` — an allowlist of acceptable licenses used by the license report check
- `license-normalizer-bundle.json` — rules to normalize license names across inputs

# Rationale

Centralizing dist packaging and license handling in a convention plugin provides a consistent
workflow across modules: the normal library JAR remains clean for library consumers, while the
self-contained distribution jar (classifier `dist`) bundles dependencies, SBOM, and curated legal
materials for runtime use. The plugin uses Gradle Providers and `dependsOn` wiring so generated
outputs are included without eager file resolution, supporting up-to-date checks and
configuration-cache friendliness.

Dependency-provided `LICENSE`/`NOTICE` files are excluded from the fat jar to avoid duplicates and
conflicts; the plugin includes only the authorized/generated artifacts.
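The PR description and the commit message above both describe the same wiring: three plugins applied by one convention, license policy read from `config/dependency-license/`, a JSON-only BOM, a provider-based `copyLegalDocs` staging task, and a `shadowJar` with classifier `dist` that drops dependency-provided LICENSE/NOTICE entries but carries the curated files. The precompiled script plugin below is an added illustration of that wiring, not the project's `otel.shadow-conventions.gradle.kts`, which is not reproduced on this page. Assumptions: the 1.x-style `CycloneDxTask` properties (`outputFormat`, `outputName`, `destination`, `includeConfigs`), the `licenseReport` extension fields and the `TextReportRenderer`/`LicenseBundleNormalizer` constructors of the jk1 plugin, and the output directories `reports/dependency-license` and `reports/cyclonedx`, which are this example's choice.

```kotlin
// buildSrc/src/main/kotlin/otel.shadow-conventions.gradle.kts (illustrative, not the project's file)
import com.github.jengelman.gradle.plugins.shadow.tasks.ShadowJar
import com.github.jk1.license.filter.DependencyFilter
import com.github.jk1.license.filter.LicenseBundleNormalizer
import com.github.jk1.license.render.ReportRenderer
import com.github.jk1.license.render.TextReportRenderer
import org.cyclonedx.gradle.CycloneDxTask

plugins {
  id("com.gradleup.shadow")
  id("org.cyclonedx.bom")
  id("com.github.jk1.dependency-license-report")
}

// Repo-level policy files (paths as given in the PR description); every module that applies
// this convention is checked against the same allowlist and normalizer rules.
val licensePolicyDir = rootProject.layout.projectDirectory.dir("config/dependency-license")
// Output locations below are this example's choice (assumption), not the plugins' defaults.
val licenseReportDir = layout.buildDirectory.dir("reports/dependency-license")
val bomDir = layout.buildDirectory.dir("reports/cyclonedx")
val legalDocsDir = layout.buildDirectory.dir("generated/legal-docs")

licenseReport {
  outputDir = licenseReportDir.get().asFile.path
  renderers = arrayOf<ReportRenderer>(TextReportRenderer("THIRD-PARTY-NOTICES.txt"))
  // Normalize the many spellings of one license before the allowlist check; otherwise
  // "Apache 2.0" vs "Apache-2.0" shows up as a policy violation instead of a match.
  filters = arrayOf<DependencyFilter>(
    LicenseBundleNormalizer(licensePolicyDir.file("license-normalizer-bundle.json").asFile.path, true),
  )
  allowedLicensesFile = licensePolicyDir.file("allowed-licenses.json").asFile
}

val generateLicenseReport = tasks.named("generateLicenseReport")

// Gate the build on the allowlist, not only on the report: an unlisted license fails `check`.
pluginManager.withPlugin("java") {
  tasks.named("check") { dependsOn("checkLicense") }
}

val cyclonedxBom = tasks.named<CycloneDxTask>("cyclonedxBom") {
  outputFormat.set("json") // JSON only; a second XML artifact is one more file to track and sign
  outputName.set("bom")
  destination.set(bomDir.get().asFile)
  // The SBOM should describe what is actually bundled, i.e. the runtime classpath.
  includeConfigs.set(listOf("runtimeClasspath"))
}

// Stage exactly the curated legal artifacts. Providers mapped from the producing tasks carry
// the task dependency with them, so nothing is resolved eagerly at configuration time and
// up-to-date checks see the real inputs.
val copyLegalDocs by tasks.registering(Copy::class) {
  description = "Stages third-party notices and the SBOM for the distribution jar."
  from(generateLicenseReport.map { licenseReportDir.get().file("THIRD-PARTY-NOTICES.txt") })
  from(cyclonedxBom.map { bomDir.get().file("bom.json") }) { rename { "SBOM.json" } }
  into(legalDocsDir)
}

tasks.named<ShadowJar>("shadowJar") {
  archiveClassifier.set("dist")
  // These patterns are matched against entry paths inside each dependency jar, which is
  // where the per-dependency LICENSE/NOTICE variants live.
  exclude("META-INF/LICENSE*", "META-INF/NOTICE*")
  // Files added here are matched on their source-relative names (LICENSE, SBOM.json,
  // THIRD-PARTY-NOTICES.txt), not on the META-INF/ destination, so the exclude above
  // does not drop them; `from(task)` also adds the dependency on copyLegalDocs.
  from(copyLegalDocs) { into("META-INF") }
  from(rootProject.layout.projectDirectory.file("LICENSE")) { into("META-INF") }
}
```

Two things worth checking after applying such a convention: `unzip -l build/libs/<module>-<version>-dist.jar | grep META-INF/` should list only `LICENSE`, `THIRD-PARTY-NOTICES.txt` and `SBOM.json` as legal files, and `./gradlew shadowJar --configuration-cache` should not complain about the provider lambdas in `copyLegalDocs`, which is why they capture `Provider<Directory>` values rather than the `licenseReport` extension or the `Project`. Because Gradle excludes inherit from the parent copy spec but are evaluated against source-relative paths, the project `LICENSE` placed into `META-INF` survives while a dependency's `META-INF/LICENSE` is dropped; if a future change stages the curated files under `META-INF/` on disk before copying, that property is lost and they would be excluded too.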
@dol dol force-pushed the feature/cel-sampler-distribution branch 5 times, most recently from 0f34ea5 to f4d35ed on December 12, 2025 16:03
@dol dol force-pushed the feature/cel-sampler-distribution branch from f4d35ed to 6353a11 on December 12, 2025 16:15
@dol dol marked this pull request as ready for review December 12, 2025 16:39