Fix ML build with 1) adapt to gradle shadow plugin v9 upgrade and 2) make ml-common fips build param aware

[cwperks]

Description

Fix ML build with:

1. adapt to gradle shadow plugin v9 upgrade - Bump shadow-gradle-plugin from 8.3.9 to 9.3.1 OpenSearch#20569
2. make ml-common fips build param aware - [3.6.0] Build min and default distribution with -Pcrypto.standard=FIPS-140-3 for 3.6.0 release opensearch-build#5979

Related Issues

Build fix

Check List

• New functionality includes testing.
• New functionality has been documented.
• API changes companion pull request created.
• Commits are signed per the DCO using --signoff.
• Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The pull request adds FIPS-140-3 crypto standard enforcement to CI/CD workflows via Gradle build flags, updates shadow MavenPublication configuration across multiple modules from project.shadow.component(publication) to from components.shadow, and introduces conditional FIPS mode dependency handling in ml-algorithms.

Changes

Cohort / File(s)	Summary
CI/CD Workflow Updates .github/workflows/CI-workflow.yml, .github/workflows/maven-publish.yml	Adds -Pcrypto.standard=FIPS-140-3 Gradle property flag to integTest and publish invocations, enforcing FIPS-140-3 crypto standard across test and publishing steps in both security plugin available and unavailable branches.
Shadow Publication Configuration client/build.gradle, common/build.gradle, spi/build.gradle	Updates shadow MavenPublication wiring from project.shadow.component(publication) to from components.shadow DSL for consistent artifact source definition across modules.
FIPS Mode Build Handling ml-algorithms/build.gradle	Introduces conditional bc-fips dependency configuration based on FIPS build mode: compileOnly under FIPS-140-3, otherwise implementation scope.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

infra

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly identifies the two main changes: adapting to Gradle Shadow plugin v9 upgrade and making ml-common FIPS build parameter aware, matching the file modifications.
Description check	✅ Passed	The description covers both key objectives with referenced issues, uses the required template, and includes the DCO confirmation, though checklist items remain unchecked as expected for a build fix.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cwperks]

These ones may not be needed if this truly uses a remote cluster.

Note: integTest task should be reserved for when tests are run against testclusters. Use integTestRemote task when running against a target cluster that is running outside the JVM.

[cwperks]

These ones may not be needed if this truly uses a remote cluster.

Note: integTest task should be reserved for when tests are run against testclusters. Use integTestRemote task when running against a target cluster that is running outside the JVM.

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/CI-workflow.yml (1)

242-249: Consider adding the FIPS flag to the commented Windows integTest for consistency.

The commented-out Windows integTest section lacks the -Pcrypto.standard=FIPS-140-3 flag that's now applied to Linux and Docker paths. If this section is re-enabled later, it would run without FIPS mode, creating inconsistency.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/CI-workflow.yml around lines 242 - 249, The commented
Windows "Multi Nodes Integration Testing" block runs ./gradlew integTest
-PnumNodes=3 without the FIPS flag; update that command to include the same FIPS
mode used elsewhere (add -Pcrypto.standard=FIPS-140-3 to the ./gradlew
invocation in the commented block) so if the section is re-enabled it will run
with FIPS mode consistent with the Linux/Docker paths.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f78efd5 and d14ab2e.

📒 Files selected for processing (6)

• .github/workflows/CI-workflow.yml
• .github/workflows/maven-publish.yml
• client/build.gradle
• common/build.gradle
• ml-algorithms/build.gradle
• spi/build.gradle

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Build and Test MLCommons Plugin on Windows (25)
• GitHub Check: Build and Test MLCommons Plugin on linux (25)
• GitHub Check: Build and Test MLCommons Plugin on linux (21)
• GitHub Check: Build and Test MLCommons Plugin on Windows (21)

🔇 Additional comments (6)

ml-algorithms/build.gradle (1)

7-7: FIPS mode handling looks correct.

The conditional logic appropriately switches bc-fips to compileOnly in FIPS mode (since OpenSearch provides it at runtime) and keeps it as implementation otherwise. This aligns with the PR objective of making ml-common FIPS build parameter aware.

Also applies to: 82-87

.github/workflows/maven-publish.yml (1)

47-47: LGTM!

Adding the FIPS crypto standard flag to the publish command ensures consistent artifact builds with FIPS-140-3 compliance.

spi/build.gradle (1)

109-109: LGTM!

The change to from components.shadow is the correct migration for the newer shadow plugin versions, which uses Gradle's software component model for publications.

common/build.gradle (1)

126-126: LGTM!

Consistent shadow publication wiring change matching the pattern applied to other modules.

client/build.gradle (1)

85-85: LGTM!

Consistent shadow publication wiring change matching the pattern applied to spi and common modules.

.github/workflows/CI-workflow.yml (1)

88-88: LGTM!

The FIPS-140-3 crypto standard flag is consistently applied to all active integTest invocations across Linux and Docker test paths, ensuring tests run under the same crypto policy as the published artifacts.

Also applies to: 192-192, 195-195

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/CI-workflow.yml:
- Around line 242-249: The commented Windows "Multi Nodes Integration Testing"
block runs ./gradlew integTest -PnumNodes=3 without the FIPS flag; update that
command to include the same FIPS mode used elsewhere (add
-Pcrypto.standard=FIPS-140-3 to the ./gradlew invocation in the commented block)
so if the section is re-enabled it will run with FIPS mode consistent with the
Linux/Docker paths.

[dhrubo-os]

The workflow changes in this PR won't take effect until after this PR is merged, so the current build failures won't be fixed by these changes.

Would it make sense to split this into two PRs?

1. First PR: Just the workflow changes
2. Second PR: The code changes (which would then run against the updated workflow)

[martin-gaievski]

what's the reason behind having second PR, code owners should be able to restart workflows on demand, aren't they?

[cwperks]

Why isn't it picking up the workflow changes? Happy to do either way.