Add ci.opensearch.org maven2 mirror to avoid throttling (sql) #5478

Merged
peterzhuamazon merged 1 commit into
opensearch-project:main from
peterzhuamazon:maven2-mirror-update
May 28, 2026

@peterzhuamazon

Member

Description

Add ci.opensearch.org maven2 mirror to avoid throttling (sql)

Related Issues

opensearch-project/opensearch-build#6062

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • New functionality has javadoc added.
  • New functionality has a user manual doc added.
  • New PPL command checklist all confirmed.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff or -s.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Peter Zhu <zhujiaxi@amazon.com>
@github-actions

Contributor

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 5a6e974.

| Path | Line | Severity | Description |
|---|---|---|---|
| settings.gradle | 8 | high | New Maven repository 'https://ci.opensearch.org/maven2/' added to pluginManagement block. This is the highest-risk location: Gradle plugins sourced from this repository execute arbitrary code during the build. Per mandatory rule, all package registry changes must be verified by maintainers regardless of apparent legitimacy. |
| build.gradle | 69 | high | New Maven repository 'https://ci.opensearch.org/maven2/' added to buildscript repositories block. Artifacts resolved here are used during the build itself (not just runtime), increasing the blast radius of any compromised artifact. This is a distinct URL from the already-present 'https://ci.opensearch.org/ci/dbc/snapshots/maven/' and must be independently verified. |
| build.gradle | 95 | high | New Maven repository added to root-level repositories block, affecting all dependency resolution for the root project. Supply chain mandatory flag: repository source changes require maintainer verification. |
| build.gradle | 174 | high | New Maven repository added to allprojects/subprojects repositories block, propagating this artifact source to every subproject in the build. Broad scope amplifies the attack surface if the repository is compromised. |
| buildSrc/build.gradle | 6 | high | New Maven repository added to buildSrc, which compiles custom Gradle build logic. Artifacts from this repository could influence or replace build tooling code, making this a sensitive injection point. |
| plugin/build.gradle | 47 | high | New Maven repository added to the main plugin subproject. Per mandatory rule, any package registry change must be flagged regardless of the domain name's apparent association with the project. |
| core/build.gradle | 37 | high | New Maven repository added to core subproject. Supply chain mandatory flag applies: artifact authenticity cannot be verified without maintainer review. |
| integ-test/build.gradle | 61 | high | New Maven repository added to integration-test subproject. Test infrastructure dependencies sourced from an unverified repository could introduce compromised test helpers or agent JARs. |
| common/build.gradle | 32 | high | New Maven repository added to common subproject. Per mandatory rule, all repository source changes must be flagged as high severity for maintainer verification. |
| async-query-core/build.gradle | 16 | high | New Maven repository added to async-query-core subproject. Supply chain mandatory flag: repository addition requires maintainer verification regardless of domain name familiarity. |

The table above displays the top 10 most important findings.

Total: 14 | Critical: 0 | High: 14 | Medium: 0 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.
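
The analyzer's findings above separate repositories that feed build logic (pluginManagement, buildscript, buildSrc) from ones used only for dependency resolution; the following added example, which is not part of the pull request or of the analyzer, applies that split to Gradle files. The file contents, the `REVIEWED` allowlist and the scope labels are constructed for illustration.

```python
import re

# Assumption: repository URLs the maintainers have already reviewed.
REVIEWED = {"https://repo.maven.apache.org/maven2/"}
# Blocks whose repositories supply code that executes during the build.
BUILD_LOGIC_BLOCKS = {"pluginManagement", "buildscript"}

TOKEN = re.compile(r"""
      (?P<open>(?P<name>\w+)?\s*\{)             # block opener, named or bare
    | (?P<close>\})                             # block closer
    | \burl\b[^'"\n]*['"](?P<url>[^'"]+)['"]    # url followed by a quoted string
    """, re.VERBOSE)

def audit(path, text):
    """Return (path, line, scope, url) per unreviewed resolution repository."""
    findings, stack = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = re.sub(r"(?<!:)//.*", "", line)  # drop // comments, keep https://
        for m in TOKEN.finditer(line):
            if m.group("open"):
                stack.append(m.group("name") or "")
            elif m.group("close"):
                del stack[-1:]  # tolerate an unbalanced closing brace
            elif ("repositories" in stack and "publishing" not in stack
                  and m.group("url") not in REVIEWED):
                build_logic = (path.startswith("buildSrc/")
                               or BUILD_LOGIC_BLOCKS & set(stack))
                scope = "build-logic" if build_logic else "dependencies"
                findings.append((path, lineno, scope, m.group("url")))
    return findings

SAMPLE_FILES = {  # constructed inputs, not the PR's real file contents
    "settings.gradle": """pluginManagement {
  repositories {
    maven { url "https://ci.opensearch.org/maven2/" }  // mirror
  }
}""",
    "build.gradle": """buildscript {
  repositories { maven { url = uri('https://ci.opensearch.org/maven2/') } }
}
repositories {
  mavenCentral()
  maven { url "https://ci.opensearch.org/maven2/" }
}""",
}

if __name__ == "__main__":
    for path, text in SAMPLE_FILES.items():
        print(*audit(path, text), sep="\n")
```
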

@peterzhuamazon added the skip-changelog and skip-diff-analyzer (Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis.) labels May 27, 2026
@peterzhuamazon

Member Author

expected mirror update.

@peterzhuamazon merged commit 7b4ebcf into opensearch-project:main May 28, 2026
51 of 52 checks passed
@peterzhuamazon deleted the maven2-mirror-update branch May 28, 2026 00:15
@github-project-automation (Bot) moved this from 👀 In Review to ✅ Done in Engineering Effectiveness Board May 28, 2026

Labels

  • enhancement: New feature or request
  • release
  • skip-changelog
  • skip-diff-analyzer: Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis.
  • v3.7.0: Issues targeting release v3.7.0

Projects

Status: ✅ Done

2 participants