
[Backport 2.19] Add CI mirror to avoid Maven Central throttling #5591

Merged

peterzhuamazon merged 1 commit into opensearch-project:2.19 from Divyaasm:backport/backport-ci-mirror-to-2.19 on Jun 26, 2026

Conversation

@Divyaasm

Contributor

Description

Adds https://ci.opensearch.org/maven2/ as a priority repository for plugin and dependency resolution to avoid Maven Central HTTP 429 throttling during builds on Jenkins.

Changes

  • build.gradle — Add CI mirror before mavenCentral in repositories blocks
  • settings.gradle — Add pluginManagement block with CI mirror

Testing

Build verification

@github-actions

github-actions Bot commented Jun 26, 2026

Contributor

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit a23a9df.

Path | Line | Severity | Description
settings.gradle | 7 | critical | New Maven repository 'https://ci.opensearch.org/maven2/' added to pluginManagement. Build plugins execute arbitrary code during the build with full trust. An attacker controlling or compromising this endpoint could inject malicious build plugins that run code on developer machines and CI systems.
build.gradle | 58 | critical | New Maven repository 'https://ci.opensearch.org/maven2/' added to the buildscript block, which resolves build plugins and classpath dependencies. This repository is placed before mavenCentral(), giving it priority and enabling dependency shadowing of any artifact served by Maven Central.
build.gradle | 83 | high | New unverified Maven repository 'https://ci.opensearch.org/maven2/' added to root project repositories, placed before mavenCentral(). Priority ordering enables shadowing of legitimate Maven Central artifacts with attacker-controlled versions.
build.gradle | 135 | high | New unverified Maven repository 'https://ci.opensearch.org/maven2/' added to all subprojects, placed before mavenCentral(). Broad scope affects all subproject dependency resolution with the same shadowing risk.
buildSrc/build.gradle | 6 | high | New Maven repository added to buildSrc, which compiles custom build logic and Gradle plugins used across the entire project. A compromised repository here could inject malicious code into the build toolchain itself.
plugin/build.gradle | 45 | high | New unverified Maven repository 'https://ci.opensearch.org/maven2/' added as a dependency source for the main plugin module. Per mandatory flagging rule, package registry changes must always be flagged regardless of apparent legitimacy.
integ-test/build.gradle | 51 | high | New unverified Maven repository added to integration test build. Dependencies fetched here execute in test environments that may have access to credentials, cluster configurations, or other sensitive test infrastructure.
core/build.gradle | 34 | high | New unverified Maven repository 'https://ci.opensearch.org/maven2/' added to core module. Per mandatory flagging rule, any new package source must be flagged and verified by maintainers.
async-query-core/build.gradle | 16 | high | New unverified Maven repository 'https://ci.opensearch.org/maven2/' added. Per mandatory flagging rule, maintainers must verify this endpoint serves expected artifacts and is protected against tampering or namespace hijacking.
datasources/build.gradle | 13 | high | New unverified Maven repository 'https://ci.opensearch.org/maven2/' added to datasources module. Per mandatory flagging rule, any addition of a package registry source must be flagged regardless of domain familiarity.

The table above displays the top 10 most important findings.

Total: 12 | Critical: 2 | High: 10 | Medium: 0 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.
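The repository ordering the description adds, and the shadowing the analyzer findings describe, as an added example that is not code from this PR or from the OpenSearch project: a small Python check a maintainer could run before trusting a mirror declared ahead of mavenCentral(). It models Gradle's first-repository-wins resolution for a fixed version and, for each coordinate, compares the bytes the mirror serves with Maven Central's copy and with the .sha1 sidecar Central publishes. The com.example coordinates, the sample repository contents and the assumption that the mirror uses the standard Maven 2 layout are mine, not the page's.

```python
"""Pre-merge consistency check for a Maven mirror declared ahead of Maven Central.

Added example for this discussion, not code from the PR or the OpenSearch project.
Assumptions: the mirror uses the standard Maven 2 layout, and Maven Central
publishes a ".sha1" sidecar next to each artifact. The sample repository
contents below are constructed for illustration.
"""
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

MIRROR = "https://ci.opensearch.org/maven2/"
CENTRAL = "https://repo1.maven.org/maven2/"

# A fetcher returns the body for a URL, or None when the repository does not have it (HTTP 404).
Fetcher = Callable[[str], Optional[bytes]]


def artifact_path(group: str, artifact: str, version: str, ext: str = "jar") -> str:
    """Relative path of an artifact in the Maven 2 repository layout."""
    return f"{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.{ext}"


def http_fetch(url: str) -> Optional[bytes]:
    """Live fetcher: GET the URL, treating 404 as 'absent' and any other failure as fatal."""
    try:
        with urllib.request.urlopen(url, timeout=30) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def first_serving(repos: Iterable[str], path: str, fetch: Fetcher) -> Optional[str]:
    """Model Gradle's repository ordering for a fixed version: the first repository
    that has the artifact wins and the remaining repositories are not consulted."""
    for repo in repos:
        if fetch(repo + path) is not None:
            return repo
    return None


def compare_artifact(path: str, fetch: Fetcher, mirror: str = MIRROR, central: str = CENTRAL) -> str:
    """Classify one artifact: 'identical', 'central-only', 'mirror-only', 'missing' or 'DIFFERS'.

    'DIFFERS' is the shadowing case: with the mirror declared first, the build consumes
    the mirror's bytes and never sees Central's copy.
    """
    from_mirror = fetch(mirror + path)
    from_central = fetch(central + path)
    if from_mirror is None and from_central is None:
        return "missing"
    if from_mirror is None:
        return "central-only"
    if from_central is None:
        return "mirror-only"
    if hashlib.sha256(from_mirror).digest() == hashlib.sha256(from_central).digest():
        return "identical"
    return "DIFFERS"


def sidecar_matches(path: str, fetch: Fetcher, mirror: str = MIRROR, central: str = CENTRAL) -> Optional[bool]:
    """Check the mirror's bytes against the .sha1 sidecar Central publishes for the artifact.
    Returns None when either the mirror copy or the sidecar is absent."""
    body = fetch(mirror + path)
    sidecar = fetch(central + path + ".sha1")
    if body is None or sidecar is None:
        return None
    expected = sidecar.decode("ascii").split()[0].lower()
    return hashlib.sha1(body).hexdigest() == expected


def audit(coords: Iterable[Tuple[str, str, str]], fetch: Fetcher) -> Dict[str, str]:
    """Run compare_artifact over (group, artifact, version) triples, keyed 'group:artifact:version'."""
    return {f"{g}:{a}:{v}": compare_artifact(artifact_path(g, a, v), fetch) for g, a, v in coords}


# Constructed sample repositories standing in for live HTTP, keyed by full URL.
_GOOD = b"\x50\x4b\x03\x04 good-lib-1.0.0"
_TAMPERED = b"\x50\x4b\x03\x04 tampered-lib-1.0.0"
_GOOD_SHA1 = (hashlib.sha1(_GOOD).hexdigest() + "\n").encode("ascii")
SAMPLE_REPOS: Dict[str, bytes] = {
    # served identically by both repositories
    CENTRAL + artifact_path("com.example", "okay", "1.0.0"): _GOOD,
    CENTRAL + artifact_path("com.example", "okay", "1.0.0") + ".sha1": _GOOD_SHA1,
    MIRROR + artifact_path("com.example", "okay", "1.0.0"): _GOOD,
    # present on both, but the mirror's copy differs: the shadowing case
    CENTRAL + artifact_path("com.example", "shadowed", "1.0.0"): _GOOD,
    CENTRAL + artifact_path("com.example", "shadowed", "1.0.0") + ".sha1": _GOOD_SHA1,
    MIRROR + artifact_path("com.example", "shadowed", "1.0.0"): _TAMPERED,
    # only on Central: Gradle falls through to the second repository
    CENTRAL + artifact_path("com.example", "central-only", "1.0.0"): _GOOD,
}


def sample_fetch(url: str) -> Optional[bytes]:
    """Offline fetcher over the constructed sample repositories."""
    return SAMPLE_REPOS.get(url)


if __name__ == "__main__":
    coords = [("com.example", n, "1.0.0") for n in ("okay", "shadowed", "central-only", "absent")]
    for coord, verdict in audit(coords, sample_fetch).items():
        print(f"{verdict:13} {coord}")
    # Swap sample_fetch for http_fetch and real coordinates to run against the live repositories.
```

A 'DIFFERS' verdict is exactly the shadowing the analyzer warns about and should block the merge; 'mirror-only' is expected for artifacts that exist only on the OpenSearch mirror and wants a human look rather than a hard failure. The durable protection, independent of repository order, is Gradle dependency verification (gradle/verification-metadata.xml), which pins each artifact's checksum so a differing copy fails the build whichever repository served it.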

…ntral throttling

Signed-off-by: Divya Madala <divyaasm@amazon.com>
@Divyaasm force-pushed the backport/backport-ci-mirror-to-2.19 branch from 9624da4 to a23a9df on June 26, 2026 20:27

@peterzhuamazon (Member) left a comment

Thanks

@peterzhuamazon merged commit 027baa6 into opensearch-project:2.19 on Jun 26, 2026
22 of 28 checks passed