Add README file to document the current CI/CD configuration

Author: jacopoc

.github/README.md

@@ -0,0 +1,59 @@
+# GitHub CI/CD Configuration
+
+## Workflows
+
+- `gradle.yaml`  
+  Build and checks (style, Javadoc)  
+  → Trigger: push / PR on `trunk` and `release*`
+
+- `codeql-analysis.yml`  
+  Security analysis (Java + JavaScript)  
+  → Trigger: push / PR + weekly on `trunk` and `release*`
+
+- `docker-image.yaml`  
+  Build and push images to `ghcr.io/apache/ofbiz`  
+  → Trigger: push on `trunk` / `release*` + tags
+
+- `dependency-review.yml`  
+  Vulnerability scanning for dependencies in PRs  
+  → Trigger: all PRs
+
+- `scorecard.yml`  
+  OpenSSF security scorecard  
+  → Trigger: `trunk` + weekly
+
+### Workflow behavior
+
+- `push` → uses the workflow from the target branch  
+- `pull_request` → uses the workflow from the source branch  
+- `schedule` → always uses `trunk`
+
+Workflows are maintained on all branches (`trunk` and `release*`) using the same triggers.
+
+New branches inherit workflow files from `trunk` at creation time.
+
+`scorecard.yml` runs only on `trunk` (default branch).
+
+## Dependabot
+
+Read **only from `trunk`**.
+
+Updates:
+- GitHub Actions
+- Docker base images
+- NPM (`themes/common-theme/.../js`)
+
+Each ecosystem includes:
+- one configuration for `trunk`
+- one configuration for each `release*` branch
+
+## New release branch checklist
+
+Before creating a new release branch from `trunk`, update `dependabot.yml` (on `trunk`) by adding a `target-branch` entry for:
+- npm
+- github-actions
+- docker
+
+Then create the release branch.
+
+Dependabot will automatically keep the new branch up to date.