[Maven] Create an onboarding process for signing and releasing

[peternied]

We have several components to OpenSearch that are released outside of the distribution build process, but still need to be made available for consumption on Maven. There should have a centralized process for this as it has been done in a one-off method for the OpenSearch core and OpenSearch-java components which could be generalized.

See this reference implementation opensearch-project/opensearch-java#51 for a starting point.

Consider a centralized Jenkins job that can take artifacts and sign/publish them which is triggered by another job so the logic for branch specific builds can be isolated from the common logic.

Acceptance Criteria:

• Documentation for what steps a component needs to take to be ready to onboard.
• A template ticket that provides the details for OpenSearch-build to update/modify CI systems for the job.
• Mechanism to request a release and monitor its acceptance and completion.
• Mechanics to take artifacts, sign and release.

[peternied]

@gaiksaya @abhinavGupta16 We've been talking about the onboarding process a lot recently, what do you think about adding to the readme a section to cover this and make a PR this so we've got something we can point teams towards?

[gaiksaya]

Taking a stab at this.
Since this is issue is more specific to Maven, I can think of 2 ways we can proceed with the process:

1. Build -> Sign -> Publish
   Take the commit_id from the component owner, build the artifacts using that commit_id, Sign it using our signing system and then publish it to sonatype.
   Example: Add workflow to stage maven release opensearch-java#51

2. Grab Artifacts -> Sign -> Publish
   In this case, we won't be building anything but depending on a component owner provided storage location, Grab the artifacts from that location, Sign them and then finally publish them on sonatype.

Option 2 seems to make more sense in order to make this process generic. A single tool/process/workflow can be used for all stand-alone components to release the artifacts to maven. Whereas Option 1 would may or maynot differ for each component as each component might build differently.

Once we finalize on the right approach then we can start working on Acceptance Criteria tasks.
What do you guys think?

[peternied]

I'd recommend going with #2 because we can expand it to support #1 at a future time

[abhinavGupta16]

Currently, signing is a painstaking process on all standalone clients. This issue can be extended to all standalone artifacts and not just Maven. Thoughts?

[peternied]

This issue was specifically for Maven / Releasing signing and you are absolutely correct unifying all signing would be a great benefit for all OpenSearch components. Let's carve out a section of #1234 where we go into detail about signing.

[zelinh]

[Triage] Adding to our product backlog since we have an approach now.

[gaiksaya]

We now have automated way to publish any artifact to maven along with signing.
See #2398
Onboarding process: https://github.com/opensearch-project/opensearch-build/blob/main/ONBOARDING.md#onboarding-to-universal--1-click-release-process

Closing this issue!
Thanks!