
ci: add Scalpel-based POM dependency detection alongside grep #22509

Closed
gnodet wants to merge 1 commit into apache:main from gnodet:foremost-galley

Conversation

@gnodet
Contributor

@gnodet gnodet commented Apr 9, 2026

Summary

  • Adds Maveniverse Scalpel as a parallel POM dependency detection mechanism in incremental-build.sh
  • Scalpel compares effective POM models between base and PR branches, catching managed dependencies, plugin version changes, BOM imports, and transitive dependency impacts that the existing grep approach misses
  • Both methods run in parallel; results are merged (union) before testing. If Scalpel fails, the script falls back to grep-only with no regression

What this fixes

The grep-based approach has 5 structural limitations (documented in CI-ARCHITECTURE.md). For example, when Dependabot bumps azure-sdk-bom-version (PR #21744), grep finds only camel-azure/pom.xml but misses all 12 child Azure modules that inherit via the BOM without explicit ${property} references. Scalpel catches all of them via effective POM model comparison.

How it works

  1. Temporarily injects Scalpel extension (0.1.0-SNAPSHOT) into .mvn/extensions.xml
  2. Creates a settings file with the Sonatype Central Portal snapshots repository
  3. Runs mvn validate -Dscalpel.mode=report (~60-90s, no compilation needed)
  4. Parses target/scalpel-report.json for affected modules, changed properties, managed deps/plugins
  5. Merges results with grep detection (union, deduplicated)
  6. Restores extensions.xml via trap (fail-safe)

PR comment enhancements

The CI comment now shows Scalpel-detected information: changed managed dependencies, changed managed plugins, and a note crediting Scalpel when it contributes to detection.

Test plan

🤖 Generated with Claude Code

Claude Code on behalf of Guillaume Nodet
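
An added example (not code from this PR or from incremental-build.sh) of the inject, merge and trap-based restore steps listed under "How it works". The function names and the detector command passed in are hypothetical; the detector stands in for the `mvn validate` run.

```sh
#!/bin/sh
# Added illustration, not the PR's incremental-build.sh; all names are hypothetical.

# Union of two newline-separated module lists: blanks dropped, deduplicated.
merge_modules() {
  printf '%s\n%s\n' "$1" "$2" | sed '/^[[:space:]]*$/d' | LC_ALL=C sort -u
}

# Run a detector while a temporary extensions.xml is in place, then put the
# original back (or delete the temporary file) however the detector exits.
# $1 = extensions.xml path, $2 = temporary content, remaining args = detector command.
# The body is a subshell, so the EXIT trap fires when this function finishes.
run_with_temp_extensions() (
  ext="$1"; content="$2"; shift 2
  backup=""
  if [ -f "$ext" ]; then
    backup="$(mktemp)" || exit 1
    cp -p "$ext" "$backup" || exit 1
  fi
  restore() {
    if [ -n "$backup" ]; then mv -f "$backup" "$ext"; else rm -f "$ext"; fi
  }
  trap restore EXIT
  trap 'exit 130' INT TERM   # route signals through the EXIT trap as well
  printf '%s\n' "$content" > "$ext" || exit 1
  "$@"
  rc=$?
  exit "$rc"
)

# $1 = modules found by grep; remaining args are passed to run_with_temp_extensions.
# A failed detector contributes nothing: its partial output is discarded and the
# result is the grep list alone, so the merged set is never smaller than grep's.
detect_modules() {
  grep_found="$1"; shift
  if model_found="$(run_with_temp_extensions "$@")"; then
    merge_modules "$grep_found" "$model_found"
  else
    echo "model-based detection failed; using grep results only" >&2
    merge_modules "$grep_found" ""
  fi
}
```

Restoring the file in an EXIT trap matters in CI because a leftover injected extension would otherwise be loaded by every later Maven invocation in the same workspace.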

Add Maveniverse Scalpel as a parallel POM dependency detection mechanism
in the incremental build script. Scalpel compares effective POM models
between the base branch and the PR, catching managed dependencies, plugin
version changes, BOM imports, and transitive dependency impacts that the
existing grep-based approach misses.

Both detection methods run in parallel; results are merged (union) before
testing. If Scalpel fails, the script falls back to grep-only with no
regression.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gnodet gnodet requested review from apupier and oscerd April 9, 2026 09:05
@github-actions
Contributor

github-actions bot commented Apr 9, 2026

🌟 Thank you for your contribution to the Apache Camel project! 🌟
🤖 CI automation will test this PR automatically.

🐫 Apache Camel Committers, please review the following items:

  • First-time contributors require MANUAL approval for the GitHub Actions to run
  • You can use the command /component-test (camel-)component-name1 (camel-)component-name2.. to request a test from the test bot although they are normally detected and executed by CI.
  • You can label PRs using skip-tests and test-dependents to fine-tune the checks executed by this PR.
  • Build and test logs are available in the summary page. Only Apache Camel committers have access to the summary.

⚠️ Be careful when sharing logs. Review their contents before sharing them publicly.

@github-actions github-actions bot added the docs label Apr 9, 2026
@gnodet gnodet marked this pull request as draft April 9, 2026 09:42
@gnodet
Contributor Author

gnodet commented Apr 9, 2026

Superseded by #22510 which uses the released Scalpel 0.1.0 instead of a SNAPSHOT with temporary extension injection.

Claude Code on behalf of Guillaume Nodet

@gnodet gnodet closed this Apr 9, 2026