Publish to RubyGems

[bbarani]

Ruby client is published to RubyGems.org.

Note: The signing for ruby takes place when the artifact is built. (Need to check if we have a work around) In order to replicate the build environment of ruby clients they need to be build on docker images which can be also used by release pipeline

• [ ] Install necessary packages required for publishing on docker image: https://github.com/opensearch-project/opensearch-build/blob/main/docker/ci/dockerfiles/current/release.centos.clients.x64.arm64.dockerfile

Acceptance Criteria:

• [x] The library should check if the artifact is signed and only then publish the artifacts to rubygems.org

[gaiksaya]

Adding the approach here as discussed with @opensearch-project/engineering-effectiveness

Apart from building and maintaining the build environment for building the gems, another approach is to use the AWS secrets manager integrated with GitHub Actions to fetch the key and sign the gems while they are being built in Github Actions. Reference:

• https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
• https://aws.plainenglish.io/no-more-aws-access-keys-in-github-secrets-6fea25c9e1a4

The above publishToRubyGems jenkins library would then just grab the gem from release artifacts and publish them using the API https://guides.rubygems.org/rubygems-org-api/

curl --data-binary @sample-0.2.1.gem \
       -H 'Authorization:rubygems_api_key' \
       https://rubygems.org/api/v1/gems

[gaiksaya]

After debugging alot the missing piece was the content header in above curl:

curl -X POST --data-binary @hello_world.gem -H 'Authorization:rubygems_sample_key' -H "Content-Type: application/octet-stream"  https://rubygems.org/api/v1/gems