NH-82783: add jar signing using signpath.io for for GitHub release.

[cleverchuk]

We're integrating signpath.io jar signing feature into the build pipeline. This PR adds a job that sends a signing request to signpath.io then waits for the processing to complete by polling the signing request data endpoint every 5 seconds. Once the endpoint responds with final status of the signing request, we proceed to downloading the signed jar. We either failing to download the signed jar which will fail the job or we succeed which will cause the job to continue to the next step of uploading the signed jar to GitHub release. This job has an implicit dependency on the github_release job and should be run after the github_release has completed. This implicit dependency will be turned into an explicit one in a follow-on PR.

[cheempz]

Thanks @cleverchuk! had a question and a comment :)

[cheempz]

I wonder if we should have a max retry in the above loop, so that any signing service issues/outages do not hold up release process, we just won't have the signed version of the jar.

And to be safe, how about we only download the jar when status is "Completed"?

[cleverchuk]

I wonder if we should have a max retry in the above loop, so that any signing service issues/outages do not hold up release process, we just won't have the signed version of the jar.

Turned it into a separate job. Added the -f flag which fails the job on server issue

And to be safe, how about we only download the jar when status is "Completed"?

It looks like it's not necessary because it's a separate job now?

[cheempz]

Were these set based on info in Keeper? Wondering if the Keeper entry is updated, or even still needed.

[cleverchuk]

Yes, they were excluding SIGN_PATH_ARTIFACT_SLUG which doesn't exist there(or I missed it 🤷‍♂️ ).

[cheempz]

LGTM, thanks for the revisit @cleverchuk!