Publish an existing jar to the plugin portal

We would like to publish a jar to the plugins portal after it passes our QA pipeline.
I understand that the plugin-publish plugin should pick up artifacts from ‘build/lib’, but I still have some questions.
How can I ensure that no other artifact is generated in ‘build/lib’ before publishPlugins runs? The only way I see would be to make sure all other dependent tasks are disabled, but it’s still risky.
Is there any other information used from the project that needs to be consistent with the artifact being uploaded, like the version, or is it inferred from the artifact?
Is the plugin-publish plugin open source?