
Freeze dependency-track:master ahead of v5 cutover #6105

@nscuro

Description

This issue takes dependency-track:master from "actively merged into" to "frozen, ready for deletion." The deletion
itself happens during the apiserver cutover. Multiple PRs land on dependency-track:master and dependency-track:4.14.x
in this issue, but they are sequenced. Each step depends on the previous.

1. Scope dependabot.yml to 4.14.x only

master is going EOL. Dependabot must stop opening PRs against it.

Edit .github/dependabot.yml. Remove the unscoped (default-branch) entries for maven, docker, github-actions, and
bundler. Keep only the entries with target-branch: 4.14.x.

After merge, no new dependabot PRs land against master. That is the acceptance signal.

Coordinate timing with the next step. Both should land around the public freeze announcement.

2. Land MIGRATION.md on both master and 4.14.x, plus a freeze banner

Land MIGRATION.md on both branches. master gets it because users still land on the default-branch view during
prep. 4.14.x gets it because it is the branch that survives the deletion of master. Triage comments in the next step
link to ./blob/4.14.x/MIGRATION.md for that reason.

The migration guide covers, at minimum:

  • The timeline. v5 GA target date. v4 EOL window, around 6 months post-GA.
  • The repo moves. hyades-apiserver becomes dependency-track. hyades-frontend becomes frontend. Where to file v5
    issues now (hyades-apiserver before cutover, dependency-track after).
  • The image name change. hyades-apiserver becomes apiserver. hyades-frontend becomes frontend. Both registries.
  • The :latest policy. Stays on v4 until v4 EOL. v5 users must pin :5, :5.0, or a specific version. After v4 EOL,
    :latest flips to v5.
  • The :snapshot policy. Bare :snapshot stays on v4 nightly until v4 EOL. v5 nightly is :5-snapshot. After v4 EOL,
    bare :snapshot is deprecated, not flipped (see the v4 EOL flip issue).
  • Pin recommendations. Prefer digest pins. Otherwise :5.0 or :5. Never :latest for production.
  • Helm values changes. Image name and tag updates from the helm-charts v5 pin.
  • Where to file v4 patches. dependency-track:4.14.x. No further minor releases on v4.
  • CI references that may break. Hardcoded hyades-apiserver or hyades-frontend URLs in user CI.
  • The fate of pre-cutover release tags. v5 alpha tags (5.0.0 through 5.6.0, plus 5.7.0-alpha.X) remain in archived
    hyades-* repos only. New tag history starts at 5.0.0 GA on dependency-track. Existing release assets remain
    pullable from the archived repo at their original URLs.
  • The soak-window freeze rule. During the apiserver soak, hyades-apiserver:main is frozen for new PRs. All v5 fixes go
    to dependency-track:main. The same freeze applies to hyades-frontend:main during the frontend soak.

In the same PR, add a top-of-README.md banner with the freeze date.

The day this PR merges is the day we publish the freeze announcement on the comms channels.

3. Triage every open PR against master

master is being deleted on the apiserver cutover day. Every open PR has to be retargeted, merged, or closed first.
Anything still open at deletion time is silently lost.

For each open PR, decide which of three branches it belongs in:

  • It is patch-worthy for v4. Retarget to 4.14.x.
  • It is v5-bound. Ask the author to re-open it against hyades-apiserver:main.
  • Neither. Close it with the templated comment below.

Use the templated comments verbatim. Each link to MIGRATION.md uses the 4.14.x copy so the link survives the deletion
of master.

Close comment:

Hi, thanks for this contribution. Dependency-Track is in the middle of the v5 GA cutover. As part of that, the master
branch on this repo is being deleted on <DATE> (see MIGRATION.md).

This PR doesn't appear to be patch-worthy for v4 maintenance (4.14.x) or applicable to v5 (hyades-apiserver:main or
dependency-track:main post-cutover), so we're closing it to keep master clear for the deletion.

If you'd like to revive this work:

  • For v4 patches, please open a new PR against 4.14.x.
  • For v5, please open a new PR against hyades-apiserver:main (pre-cutover) or dependency-track:main (post-cutover).

Apologies for the friction, and thanks for understanding.

Retarget comment:

Hi, retargeting this PR to 4.14.x, which is the active v4 maintenance branch (see
MIGRATION.md). v4 master is going EOL and being deleted as part of the v5 GA cutover.

v5-redirect comment:

Hi, this looks like it should land on v5 rather than v4. Could you please re-open this against
DependencyTrack/hyades-apiserver:main (pre-cutover) or
DependencyTrack/dependency-track:main (post-cutover)? See MIGRATION.md. Closing here
for now. Happy to help on the new PR.

Wait 7 calendar days for an author response after a retarget or v5-redirect comment, then close with the templated comment.

4. Stop merging to master

When the migration guide is in and the open PRs are substantially triaged, lock master down.

Configure branch protection on master. Either require admin override on every merge, or set CODEOWNERS to a
maintainer-only group. Pin the freeze date in MIGRATION.md.

Warning

This issue must be substantially complete before the apiserver cutover starts. The PR triage step is the typical reason
the apiserver cutover slips.
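The following is an added example, not code from the Dependency-Track repository or from the issue author. It turns steps 1, 3 and 4 into a dry-run shell script: it counts the dependabot.yml entries that are not scoped to 4.14.x (the step 1 acceptance check), prints the `gh` commands for each step 3 triage decision instead of running them, checks the 7-calendar-day grace period, and prints a branch-protection payload for step 4. The file names close-comment.md, retarget-comment.md and v5-redirect-comment.md, the decisions-file format, and the use of `lock_branch` (a read-only lock, which is a stricter variant of the two options step 4 lists) are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example; not code from the Dependency-Track repo or its maintainers.
# Assumptions: `gh` is installed and authenticated; the templated comments are
# saved next to this script as close-comment.md, retarget-comment.md and
# v5-redirect-comment.md; triage decisions live in a text file with one
# "<pr-number> <v4|v5|close>" per line. Those names and formats are made up.
set -eu

MAINT_BRANCH="4.14.x"

# Step 1 acceptance check: count the `updates:` entries in a dependabot.yml
# that do not carry `target-branch: 4.14.x`. Prints the count; 0 means every
# remaining entry is scoped to the maintenance branch.
count_unscoped_dependabot_entries() {
  awk -v want="$MAINT_BRANCH" '
    /^[ \t]*-[ \t]*package-ecosystem:/ {
      if (in_entry && !scoped) unscoped++
      in_entry = 1; scoped = 0
    }
    /^[ \t]*target-branch:/ {
      val = $2; gsub(/"/, "", val)
      if (val == want) scoped = 1
    }
    END { if (in_entry && !scoped) unscoped++; print unscoped + 0 }
  ' "$1"
}

# Step 3: the open-PR list that has to reach zero before cutover day.
# Needs network access, so the dry run below never calls it.
list_open_prs_against_master() {
  gh pr list --base master --state open --limit 500 \
    --json number,updatedAt,author,title \
    --jq '.[] | "\(.number)\t\(.updatedAt)\t\(.author.login)\t\(.title)"'
}

# Map one triage decision to the gh commands that apply it. A retarget keeps
# the PR open on 4.14.x; the v5 redirect and the plain close both close it,
# each with its own templated comment from the issue.
triage_commands() {
  local pr="$1" decision="$2"
  case "$decision" in
    v4)
      echo "gh pr edit $pr --base $MAINT_BRANCH"
      echo "gh pr comment $pr --body-file retarget-comment.md" ;;
    v5)
      echo "gh pr comment $pr --body-file v5-redirect-comment.md"
      echo "gh pr close $pr" ;;
    close)
      echo "gh pr comment $pr --body-file close-comment.md"
      echo "gh pr close $pr" ;;
    *)
      echo "unknown decision '$decision' for PR $pr" >&2
      return 1 ;;
  esac
}

# The 7-calendar-day wait after a retarget or redirect comment, as
# epoch-second arithmetic so GNU and BSD `date` behave the same.
# Exit status 0 means the grace period has elapsed.
grace_period_elapsed() {
  local commented_at="$1" now="$2"
  [ $(( now - commented_at )) -ge $(( 7 * 24 * 60 * 60 )) ]
}

# Print the full command plan for a decisions file. Blank lines and lines
# starting with `#` are skipped so the file can carry notes per PR.
plan_triage() {
  local pr decision
  while read -r pr decision; do
    [ -n "$pr" ] || continue
    case "$pr" in \#*) continue ;; esac
    triage_commands "$pr" "$decision"
  done < "$1"
}

# Step 4: a branch-protection payload that makes master read-only while
# leaving admins the override the issue asks for (enforce_admins false).
# Apply with: gh api -X PUT repos/OWNER/REPO/branches/master/protection \
#               --input payload.json
freeze_payload() {
  cat <<'EOF'
{"required_status_checks": null, "enforce_admins": false,
 "required_pull_request_reviews": null, "restrictions": null,
 "lock_branch": true}
EOF
}

# Usage: freeze.sh check .github/dependabot.yml
#        freeze.sh plan decisions.txt
#        freeze.sh freeze > payload.json
case "${1:-}" in
  check)  count_unscoped_dependabot_entries "$2" ;;
  plan)   plan_triage "$2" ;;
  freeze) freeze_payload ;;
esac
```

Review the printed plan before piping it into a shell: the close commands are irreversible from the PR author's point of view, and the issue's own rule is to wait 7 days after a retarget or redirect comment before closing, which `grace_period_elapsed` is there to check against each comment's timestamp.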
