
[ISSUE #14469] Enable SpotBugs check enforcement in CI#14470

Merged
KomachiSion merged 1 commit intoalibaba:developfrom
cxhello:refactor/enable-spotbugs-check-14469
Mar 2, 2026

Conversation

@cxhello
Contributor

@cxhello cxhello commented Feb 11, 2026

Fixes #14469

What is the purpose of the change

Following the removal of p3c-pmd in #14455, SpotBugs is the only static bug detection tool remaining. However, it was configured but not enforced — CI used spotbugs:spotbugs (report only), so detected bugs never blocked builds.

This PR enables spotbugs:check enforcement using a ratchet approach: suppress all existing High-level issues via an exclude filter, so new code introducing novel High-priority bug types will be blocked immediately. Existing issues will be fixed in follow-up PRs by gradually removing exclusions.

Brief changelog

  • Fix property typo: soptbugs-maven-plugin.version → spotbugs-maven-plugin.version
  • Add SpotBugs plugin <configuration> with effort=Max, threshold=High, and excludeFilterFile
  • Create style/spotbugs-exclude.xml — excludes generated/ported code (istio, protobuf, packagescan) and 14 existing High-level bug patterns
  • Switch CI from spotbugs:spotbugs to spotbugs:check
  • Update PR template from findbugs:findbugs to spotbugs:check

Verifying this change

  • Local mvn compile spotbugs:check -DskipTests -Drat.skip=true passes (all 46 modules SUCCESS)
  • No Java source code was modified — only build config, CI workflow, and PR template

@KomachiSion
Collaborator

Welcome to create issues to solve the found bugs which are not in generated classes or imported classes.

@cxhello
Contributor Author

cxhello commented Feb 11, 2026

Thanks for the suggestion! I will create separate issues for the existing bugs found by SpotBugs (excluding generated/imported classes) and fix them in follow-up PRs.

The plan is to remove the pattern exclusions from spotbugs-exclude.xml one by one while fixing the underlying issues. Starting with the simplest ones first, such as DM_BOXED_PRIMITIVE_FOR_PARSING (4 occurrences).
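To make the ratchet described in the PR description and the comment above concrete, here is an illustrative pair of fragments: the plugin configuration as listed in the changelog, and a minimal exclude filter in SpotBugs' filter format. This is an added example, not the PR's actual pom.xml or style/spotbugs-exclude.xml; the package regex is a placeholder, and only DM_BOXED_PRIMITIVE_FOR_PARSING is taken from the discussion.

```xml
<!-- pom.xml (illustrative): plugin configuration matching the changelog -->
<plugin>
  <groupId>com.github.spotbugs</groupId>
  <artifactId>spotbugs-maven-plugin</artifactId>
  <version>${spotbugs-maven-plugin.version}</version>
  <configuration>
    <!-- Max effort: deepest analysis; High threshold: only high-priority bugs count -->
    <effort>Max</effort>
    <threshold>High</threshold>
    <excludeFilterFile>style/spotbugs-exclude.xml</excludeFilterFile>
    <!-- spotbugs:check fails the build when any unfiltered bug remains -->
    <failOnError>true</failOnError>
  </configuration>
</plugin>

<!-- style/spotbugs-exclude.xml (illustrative): ratchet filter -->
<FindBugsFilter>
  <!-- Generated / ported code is out of scope; package name is a placeholder -->
  <Match>
    <Package name="~com\.example\.generated\..*"/>
  </Match>
  <!-- Existing High-level pattern suppressed until fixed. Because this Match has no
       Class scope it hides the pattern everywhere, so only NEW pattern types are
       blocked; delete the Match in the follow-up PR that fixes the 4 occurrences,
       then re-run: mvn compile spotbugs:check -DskipTests -Drat.skip=true -->
  <Match>
    <Bug pattern="DM_BOXED_PRIMITIVE_FOR_PARSING"/>
  </Match>
</FindBugsFilter>
```

A pattern-wide Match is the cheapest way to get the gate turned on, but it also means new code can still introduce the already-excluded patterns unnoticed; scoping each remaining Match with a Class element narrows that gap as the list shrinks.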

@KomachiSion KomachiSion added the dependencies Pull requests that update a dependency file label Feb 11, 2026
@github-actions

Thanks for this PR. 🙏
Please check again whether your PR changes contain any usage/API/configuration change, such as adding a new API, adding a new configuration, or changing the default value of a configuration.
If so, please add or update documents (markdown type) in docs/next/ of the repository nacos-group/nacos-group.github.io.


@cxhello cxhello force-pushed the refactor/enable-spotbugs-check-14469 branch from bf29571 to d4225f5 Compare February 11, 2026 10:30
@cxhello
Contributor Author

cxhello commented Feb 12, 2026

Force-pushed to add the Apache License header to style/spotbugs-exclude.xml — the previous push was missing it, which caused the RAT license check to fail. No other changes.

@wuyfee

wuyfee commented Feb 25, 2026

$\color{red}{FAILURE}$
DETAILS
✅ - docker: success
❌ - deploy (standalone & cluster & standalone_auth): failure
❌ - e2e-java-test (standalone & cluster & standalone_auth): skipped
❌ - e2e-go-test (standalone & cluster): skipped
❌ - e2e-cpp-test (standalone & cluster): skipped
❌ - e2e-csharp-test (standalone & cluster): skipped
❌ - e2e-nodejs-test (standalone & cluster): skipped
❌ - e2e-python-test (standalone & cluster): skipped
✅ - clean (standalone & cluster & standalone_auth): success

@cxhello
Contributor Author

cxhello commented Feb 25, 2026

The CI failure is due to a flaky test (MemoryMcpCacheIndexTest.testCleanupExpiredEntriesDoesNotAffectValidEntries) in the nacos-ai module — a race condition where this.properties is null when the background cleanup thread runs. This is unrelated to the changes in this PR.

@KomachiSion Could you please re-run the failed CI job? Thanks!

- Fix property typo: soptbugs-maven-plugin.version → spotbugs-maven-plugin.version
- Add SpotBugs plugin configuration with effort=Max and threshold=High
- Create style/spotbugs-exclude.xml to exclude generated code and 14
  existing High-level bug patterns (ratchet approach)
- Switch CI from spotbugs:spotbugs to spotbugs:check for build failure
  on new High-priority bugs
- Update PR template from findbugs:findbugs to spotbugs:check

Fixes alibaba#14469

Signed-off-by: cxhello <caixiaohuichn@gmail.com>
@cxhello cxhello force-pushed the refactor/enable-spotbugs-check-14469 branch from d4225f5 to a11f386 Compare March 2, 2026 03:57
@KomachiSion KomachiSion merged commit 200e1f9 into alibaba:develop Mar 2, 2026
3 checks passed
@wuyfee

wuyfee commented Mar 2, 2026

$\color{red}{FAILURE}$
DETAILS
✅ - docker: success
❌ - deploy (standalone & cluster & standalone_auth): failure
❌ - e2e-java-test (standalone & cluster & standalone_auth): skipped
❌ - e2e-go-test (standalone & cluster): skipped
❌ - e2e-cpp-test (standalone & cluster): skipped
❌ - e2e-csharp-test (standalone & cluster): skipped
❌ - e2e-nodejs-test (standalone & cluster): skipped
❌ - e2e-python-test (standalone & cluster): skipped
✅ - clean (standalone & cluster & standalone_auth): success

Labels

dependencies Pull requests that update a dependency file

Development

Successfully merging this pull request may close these issues.

[Enhancement] Enable SpotBugs check enforcement in CI
