Include shadowJar artifact to release workflow (#8)

[GumpacG]

Description

Modified release-drafter to include shadowJar to the release artifacts.
Modified JenkinsFile to publish shadowJar along with JDBC driver files to the artifacts bucket.

Issues Resolved

#98

Check List

• New functionality includes testing.
  • All tests pass, including unit test, integration test and doctest
• New functionality has been documented.
  • New functionality has javadoc added
  • New functionality has user manual doc added
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[GumpacG]

@prudhvigodithi and @gaiksaya could you take a look at the jenkinsfile change to ensure that I have provided the correct arguments as this is difficult to test? Thanks in advance.

[gaiksaya]

Tha shadow jar need to be bundled within artifacts.tar.gz. The jenkins server will only download that 1 artifact and unzip it.
See how can you bundle all in one tar.

Thanks!

[GumpacG]

Thanks for responding @gaiksaya, my worry is that including the shadowJar in the artifacts.tar is that Jenkins will also upload it to Maven which not ideal as per Bit-Quill#8 (comment).

What we need is:

1. have maven include non-shadowJar driver files and exclude shadowJar
2. OpenSearch downloads page to include shadowJar and non-shadowJar driver files.

Would you know if it is possible to exclude a file from artifacts.tar from getting published to Maven?

[gaiksaya]

Yes that is possible. What is published to maven is decided by these lines https://github.com/opensearch-project/sql-jdbc/pull/106/files#diff-619ac2b62b38c4694d7b69e89c001d78c5f853c5b39979c34d01012f778d26f0R12-R15

Right now if you unzip artifacts.tar.gz, these are the contents:

tree repository
repository
└── org
    └── opensearch
        └── driver
            └── opensearch-sql-jdbc
                ├── 1.4.0.0
                │   ├── opensearch-sql-jdbc-1.4.0.0-javadoc.jar
                │   ├── opensearch-sql-jdbc-1.4.0.0-javadoc.jar.md5
                │   ├── opensearch-sql-jdbc-1.4.0.0-javadoc.jar.sha1
                │   ├── opensearch-sql-jdbc-1.4.0.0-sources.jar
                │   ├── opensearch-sql-jdbc-1.4.0.0-sources.jar.md5
                │   ├── opensearch-sql-jdbc-1.4.0.0-sources.jar.sha1
                │   ├── opensearch-sql-jdbc-1.4.0.0.jar
                │   ├── opensearch-sql-jdbc-1.4.0.0.jar.md5
                │   ├── opensearch-sql-jdbc-1.4.0.0.jar.sha1
                │   ├── opensearch-sql-jdbc-1.4.0.0.pom
                │   ├── opensearch-sql-jdbc-1.4.0.0.pom.md5
                │   └── opensearch-sql-jdbc-1.4.0.0.pom.sha1
                ├── maven-metadata.xml
                ├── maven-metadata.xml.md5
                └── maven-metadata.xml.sha1

We can also zip the shadow jar outside repository folder.

Question: Do we want all the below files or just the jar?

ll build/libs
total 12872
-rw-r--r--  1 gaiksaya  staff   261B Jul 26 11:08 opensearch-sql-jdbc-1.4.0.0-javadoc.jar
-rw-r--r--  1 gaiksaya  staff   109K Jul 26 11:08 opensearch-sql-jdbc-1.4.0.0-sources.jar
-rw-r--r--  1 gaiksaya  staff   192K Jul 26 11:08 opensearch-sql-jdbc-1.4.0.0.jar
-rw-r--r--  1 gaiksaya  staff   5.9M Jul 26 11:08 opensearch-sql-jdbc-shadow-1.4.0.0.jar

[GumpacG]

Sorry, my assumptions were actually wrong. What we actually want is to have:

1. only non-shadowJar files in Maven
2. only shadowJar file in the artifacts bucket

I've updated the PR and with updated paths for the artifacts bucket. The new tree for artifacts is

artifacts
├── repository
│   └── org
│       └── opensearch
│           └── driver
│               └── opensearch-sql-jdbc
│                   ├── 1.4.0.0
│                   │   ├── opensearch-sql-jdbc-1.4.0.0-javadoc.jar
│                   │   ├── opensearch-sql-jdbc-1.4.0.0-javadoc.jar.md5
│                   │   ├── opensearch-sql-jdbc-1.4.0.0-javadoc.jar.sha1
│                   │   ├── opensearch-sql-jdbc-1.4.0.0-sources.jar
│                   │   ├── opensearch-sql-jdbc-1.4.0.0-sources.jar.md5
│                   │   ├── opensearch-sql-jdbc-1.4.0.0-sources.jar.sha1
│                   │   ├── opensearch-sql-jdbc-1.4.0.0.jar
│                   │   ├── opensearch-sql-jdbc-1.4.0.0.jar.md5
│                   │   ├── opensearch-sql-jdbc-1.4.0.0.jar.sha1
│                   │   ├── opensearch-sql-jdbc-1.4.0.0.pom
│                   │   ├── opensearch-sql-jdbc-1.4.0.0.pom.md5
│                   │   └── opensearch-sql-jdbc-1.4.0.0.pom.sha1
│                   ├── maven-metadata.xml
│                   ├── maven-metadata.xml.md5
│                   └── maven-metadata.xml.sha1
└── shadowJar
    └── opensearch-sql-jdbc-shadow-1.4.0.0.jar

Could you take a look at the jenkinsFile again to ensure that it is correct? In particular the role for publishing to the artifacts bucket.

[gaiksaya]

Hi @GumpacG,

One important thing is signing the artifacts that are uploaded to artifacts.opensearch.org. We have 2 options:
Create a detached signature such as .sig or .asc file based on shadow jar (will create opensearch-sql-jdbc-shadow-1.4.0.0.jar.sig or opensearch-sql-jdbc-shadow-1.4.0.0.jar.asc)or use jar signer that signs the actual jar. (Adding @rishabh6788 here for visibility)
How would the maintainers like to proceed?

We are yet to integrate our jarsigner with the signing system and would like to take this opportunity to do the same.
Also, when is the next release for sql-jdbc planned?

[GumpacG]

I believe we want jarsigner. @Yury-Fridlyand could you confirm and also wondering if you have a time line for next release?

[Yury-Fridlyand]

Yes, we need a jarsigner.
Thank you @gaiksaya

[GumpacG]

Thanks @Yury-Fridlyand and @gaiksaya! Any more actions you need from me for this PR?

[gaiksaya]

Thanks @Yury-Fridlyand and @gaiksaya! Any more actions you need from me for this PR?

I would hold on to this PR until jarsigner is integrated by @rishabh6788 . Will come back and comment on this with necessary changes.
cc: @bbarani

[GumpacG]

Sounds good. Thanks!

[GumpacG]

Hi @rishabh6788, would you have a timeline for this?

[prudhvigodithi]

Hey quick thought, we are using jarsigner for the .taco files (related issues: opensearch-project/opensearch-build#2469), for .jar files should we use PGP, just like how we sigh the other jars. @rishabh6788 @gaiksaya @peterzhuamazon.

[gaiksaya]

Hey quick thought, we are using jarsigner for the .taco files (related issues: opensearch-project/opensearch-build#2469), for .jar files should we use PGP, just like how we sigh the other jars. @rishabh6788 @gaiksaya @peterzhuamazon.

That's because maven wants .asc files for publishing. In this case we are not publishing the shadow jar to maven but just to artifacts.opensearch.org. So instead of having 2 files, one the actual jar and other one signature we can try signing it with jar signer.

[gaiksaya]

Thanks for the patience. The jar_signer is now integrated with jenkins.
Please update the lib to 5.6.1. (First line of jenkinsFile, not allowing me to add comment to unchanged line.)

lib = library(identifier: '[email protected]', retriever: modernSCM([
    $class: 'GitSCMSource',
    remote: 'https://github.com/opensearch-project/opensearch-build-libraries.git',
]))

[Yury-Fridlyand]

@gaiksaya can you re-review please?

[gaiksaya]

LGTM! Thank you for the patience.