From 9806902e7978eff47e54d08123b68d234b2c3fbe Mon Sep 17 00:00:00 2001
From: Darshit Chanpura <dchanp@amazon.com>
Date: Thu, 16 Oct 2025 17:34:21 -0400
Subject: [PATCH 1/2] Onboard to s3 snapshots (#4320)

* Onboard to s3 snapshots

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Remove oss sonatype maven reference

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

---------

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
(cherry picked from commit 3950a87f0f93ee107c64ce75830d0aac82c05694)
---
 .github/workflows/maven-publish.yml | 10 ++++++++--
 build-tools/repositories.gradle     |  3 +--
 build.gradle                        |  3 +--
 client/build.gradle                 |  9 +++++----
 common/build.gradle                 |  9 +++++----
 plugin/build.gradle                 |  9 +++++----
 spi/build.gradle                    | 12 ++++++------
 7 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/maven-publish.yml b/.github/workflows/maven-publish.yml
index bc76a28a7d..865e8acd89 100644
--- a/.github/workflows/maven-publish.yml
+++ b/.github/workflows/maven-publish.yml
@@ -33,8 +33,14 @@ jobs:
           export-env: true
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          SONATYPE_USERNAME: op://opensearch-infra-secrets/maven-central-portal-credentials/username
-          SONATYPE_PASSWORD: op://opensearch-infra-secrets/maven-central-portal-credentials/password
+          MAVEN_SNAPSHOTS_S3_REPO: op://opensearch-infra-secrets/maven-snapshots-s3/repo
+          MAVEN_SNAPSHOTS_S3_ROLE: op://opensearch-infra-secrets/maven-snapshots-s3/role
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ env.MAVEN_SNAPSHOTS_S3_ROLE }}
+          aws-region: us-east-1
 
       - name: publish snapshots to maven
         run: |
diff --git a/build-tools/repositories.gradle b/build-tools/repositories.gradle
index 4f58bef50a..b0152e2489 100644
--- a/build-tools/repositories.gradle
+++ b/build-tools/repositories.gradle
@@ -5,8 +5,7 @@
 
 repositories {
     mavenLocal()
-    maven { url "https://central.sonatype.com/repository/maven-snapshots/" }
-    maven { url "https://aws.oss.sonatype.org/content/repositories/snapshots" }
+    maven { url "https://ci.opensearch.org/ci/dbc/snapshots/maven/" }
     mavenCentral()
     maven {url 'https://oss.sonatype.org/content/repositories/snapshots/'}
     maven { url "https://ci.opensearch.org/ci/dbc/snapshots/lucene/" }
diff --git a/build.gradle b/build.gradle
index d398793be8..a790c8c12a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -31,8 +31,7 @@ buildscript {
 
     repositories {
         mavenLocal()
-        maven { url "https://central.sonatype.com/repository/maven-snapshots/" }
-        maven { url "https://aws.oss.sonatype.org/content/repositories/snapshots" }
+        maven { url "https://ci.opensearch.org/ci/dbc/snapshots/maven/" }
         mavenCentral()
         maven { url "https://plugins.gradle.org/m2/" }
         maven { url "https://ci.opensearch.org/ci/dbc/snapshots/lucene/" }
diff --git a/client/build.gradle b/client/build.gradle
index 2df24f77fe..205206a47e 100644
--- a/client/build.gradle
+++ b/client/build.gradle
@@ -82,10 +82,11 @@ publishing {
         }
         maven {
             name = "Snapshots"
-            url = "https://central.sonatype.com/repository/maven-snapshots/"
-            credentials {
-                username "$System.env.SONATYPE_USERNAME"
-                password "$System.env.SONATYPE_PASSWORD"
+            url = System.getenv("MAVEN_SNAPSHOTS_S3_REPO")
+            credentials(AwsCredentials) {
+                accessKey = System.getenv("AWS_ACCESS_KEY_ID")
+                secretKey = System.getenv("AWS_SECRET_ACCESS_KEY")
+                sessionToken = System.getenv("AWS_SESSION_TOKEN")
             }
         }
     }
diff --git a/common/build.gradle b/common/build.gradle
index 24cc63046f..90ca0e8099 100644
--- a/common/build.gradle
+++ b/common/build.gradle
@@ -117,10 +117,11 @@ publishing {
         }
         maven {
             name = "Snapshots" //  optional target repository name
-            url = "https://central.sonatype.com/repository/maven-snapshots/"
-            credentials {
-                username "$System.env.SONATYPE_USERNAME"
-                password "$System.env.SONATYPE_PASSWORD"
+            url = System.getenv("MAVEN_SNAPSHOTS_S3_REPO")
+            credentials(AwsCredentials) {
+                accessKey = System.getenv("AWS_ACCESS_KEY_ID")
+                secretKey = System.getenv("AWS_SECRET_ACCESS_KEY")
+                sessionToken = System.getenv("AWS_SESSION_TOKEN")
             }
         }
     }
diff --git a/plugin/build.gradle b/plugin/build.gradle
index 0a7c61cbcd..c6e5dc3a3d 100644
--- a/plugin/build.gradle
+++ b/plugin/build.gradle
@@ -128,10 +128,11 @@ publishing {
             mavenCentral()
             maven { url "https://ci.opensearch.org/ci/dbc/snapshots/lucene/" }
             name = "Snapshots"
-            url = "https://central.sonatype.com/repository/maven-snapshots/"
-            credentials {
-                username "$System.env.SONATYPE_USERNAME"
-                password "$System.env.SONATYPE_PASSWORD"
+            url = System.getenv("MAVEN_SNAPSHOTS_S3_REPO")
+            credentials(AwsCredentials) {
+                accessKey = System.getenv("AWS_ACCESS_KEY_ID")
+                secretKey = System.getenv("AWS_SECRET_ACCESS_KEY")
+                sessionToken = System.getenv("AWS_SESSION_TOKEN")
             }
         }
     }
diff --git a/spi/build.gradle b/spi/build.gradle
index c617131c2a..229aaeaec5 100644
--- a/spi/build.gradle
+++ b/spi/build.gradle
@@ -18,8 +18,7 @@ apply plugin: 'opensearch.java'
 repositories {
     mavenLocal()
     mavenCentral()
-    maven { url "https://central.sonatype.com/repository/maven-snapshots/" }
-    maven { url "https://aws.oss.sonatype.org/content/repositories/snapshots" }
+    maven { url "https://ci.opensearch.org/ci/dbc/snapshots/maven/" }
 }
 
 ext {
@@ -97,10 +96,11 @@ publishing {
         }
         maven {
             name = "Snapshots" //  optional target repository name
-            url = "https://central.sonatype.com/repository/maven-snapshots/"
-            credentials {
-                username "$System.env.SONATYPE_USERNAME"
-                password "$System.env.SONATYPE_PASSWORD"
+            url = System.getenv("MAVEN_SNAPSHOTS_S3_REPO")
+            credentials(AwsCredentials) {
+                accessKey = System.getenv("AWS_ACCESS_KEY_ID")
+                secretKey = System.getenv("AWS_SECRET_ACCESS_KEY")
+                sessionToken = System.getenv("AWS_SESSION_TOKEN")
             }
         }
     }

From 3b8777190ffd163e0e5456ce50003c2606b55aa1 Mon Sep 17 00:00:00 2001
From: Peter Zhu <zhujiaxi@amazon.com>
Date: Fri, 17 Oct 2025 22:07:10 -0400
Subject: [PATCH 2/2] Update branch patterns for Maven publish workflow

Signed-off-by: Peter Zhu <zhujiaxi@amazon.com>
---
 .github/workflows/maven-publish.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/maven-publish.yml b/.github/workflows/maven-publish.yml
index 865e8acd89..8f5af81e7e 100644
--- a/.github/workflows/maven-publish.yml
+++ b/.github/workflows/maven-publish.yml
@@ -5,8 +5,8 @@ on:
   push:
     branches:
       - main
-      - 1.*
-      - 2.*
+      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
 
 jobs:
   build-and-publish-snapshots: