Merge origin/main into streaming-scoring-clean

Author: Atri Sharma

.ci/bwcVersions

@@ -55,3 +55,4 @@ BWC_VERSION:
   - "3.3.1"
   - "3.3.2"
   - "3.4.0"
+  - "3.5.0"

.github/benchmark-configs.json

@@ -240,5 +240,41 @@
       "data_instance_config": "4vCPU, 32G Mem, 16G Heap"
     },
     "baseline_cluster_config": "x64-r5.xlarge-1-shard-0-replica-snapshot-baseline"
+  },
+  "id_15": {
+    "description": "Intra-segment search test-procedure for big5 with concurrent segment search mode as auto and force partition strategy",
+    "supported_major_versions": ["3"],
+    "cluster-benchmark-configs": {
+      "SINGLE_NODE_CLUSTER": "true",
+      "MIN_DISTRIBUTION": "true",
+      "TEST_WORKLOAD": "big5",
+      "ADDITIONAL_CONFIG": "search.concurrent_segment_search.partition_strategy:force",
+      "WORKLOAD_PARAMS": "{\"snapshot_repo_name\":\"benchmark-workloads-repo-3x\",\"snapshot_bucket_name\":\"benchmark-workload-snapshots\",\"snapshot_region\":\"us-east-1\",\"snapshot_base_path\":\"10.3.2\",\"snapshot_name\":\"big5_1_shard_text_field\"}",
+      "CAPTURE_NODE_STAT": "true",
+      "TEST_PROCEDURE": "intra-segment"
+    },
+    "cluster_configuration": {
+      "size": "Single-Node",
+      "data_instance_config": "4vCPU, 32G Mem, 16G Heap"
+    },
+    "baseline_cluster_config": "x64-r5.xlarge-1-shard-0-replica-snapshot-baseline"
+  },
+  "id_16": {
+    "description": "clickbench workload DSL queries test",
+    "supported_major_versions": ["3"],
+    "cluster-benchmark-configs": {
+      "SINGLE_NODE_CLUSTER": "true",
+      "MIN_DISTRIBUTION": "true",
+      "DATA_INSTANCE_TYPE": "c5.2xlarge",
+      "TEST_WORKLOAD": "clickbench",
+      "WORKLOAD_PARAMS": "{\"snapshot_repo_name\":\"benchmark-workloads-repo-3x\",\"snapshot_bucket_name\":\"benchmark-workload-snapshots\",\"snapshot_region\":\"us-east-1\",\"snapshot_base_path\":\"10.3.2\",\"snapshot_name\":\"clickbench_3_shards\",\"warmup_iterations\":10,\"test_iterations\":20}",
+      "CAPTURE_NODE_STAT": "true",
+      "TEST_PROCEDURE": "dsl-clickbench-snapshot"
+    },
+    "cluster_configuration": {
+      "size": "Single-Node",
+      "data_instance_config": "8vCPU, 32G Mem, 16G Heap"
+    },
+    "baseline_cluster_config": "x64-c5.2xlarge-3-shard-0-replica-snapshot-baseline"
   }
 }

.github/workflows/benchmark-pull-request.yml

@@ -149,7 +149,7 @@ jobs:
         run: |
           ./gradlew :distribution:archives:linux-tar:assemble -Dbuild.snapshot=false
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v5
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: ${{ secrets.UPLOAD_ARCHIVE_ARTIFACT_ROLE }}
           role-session-name: publish-to-s3

.github/workflows/detect-breaking-change.yml

@@ -20,7 +20,7 @@ jobs:
     - if: failure()
       run: cat server/build/reports/java-compatibility/report.txt
     - if: failure()
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@v7
       with:
         name: java-compatibility-report.html
         path: ${{ github.workspace }}/server/build/reports/java-compatibility/report.html

.github/workflows/gradle-check.yml

@@ -24,15 +24,40 @@ jobs:
     - uses: actions/checkout@v6
     - name: Get changed files
       id: changed-files-specific
-      uses: tj-actions/changed-files@v47.0.1
+      uses: tj-actions/changed-files@v47.0.5
       with:
         files_ignore: |
           release-notes/*.md
           .github/**
           *.md
 
+  Code-Diff-Analyzer:
+    uses: opensearch-project/opensearch-build/.github/workflows/code-diff-analyzer.yml@main
+    if: github.repository == 'opensearch-project/OpenSearch'
+    permissions:
+      id-token: write  # github oidc to assume aws roles
+      pull-requests: write  # to create or update comment (peter-evans/create-or-update-comment)
+    secrets:
+      BEDROCK_ACCESS_ROLE: ${{ secrets.BEDROCK_ACCESS_ROLE }}
+    with:
+      skip_diff_analyzer_with_label_name: 'skip-diff-analyzer'
+      update_pr_comment_with_analyzer_report: true
+      hard_fail_level: 2 # issues with medium severity or above will hard fail the check
+
+  Code-Diff-Reviewer:
+    uses: opensearch-project/opensearch-build/.github/workflows/code-diff-reviewer.yml@main
+    needs: Code-Diff-Analyzer
+    if: github.repository == 'opensearch-project/OpenSearch'
+    permissions:
+      id-token: write  # github oidc to assume aws roles
+      pull-requests: write  # to create or update comment (peter-evans/create-or-update-comment)
+    secrets:
+      BEDROCK_ACCESS_ROLE: ${{ secrets.BEDROCK_ACCESS_ROLE }}
+    with:
+      skip_diff_reviewer_with_label_name: 'skip-diff-reviewer'
+  
   gradle-check:
-    needs: check-files
+    needs: [check-files, Code-Diff-Analyzer]
     if: github.repository == 'opensearch-project/OpenSearch' && needs.check-files.outputs.RUN_GRADLE_CHECK == 'true'
     permissions:
       contents: read # to fetch code (actions/checkout)
@@ -164,10 +189,12 @@ jobs:
             Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure [a flaky test](https://github.com/opensearch-project/OpenSearch/blob/main/DEVELOPER_GUIDE.md#flaky-tests) unrelated to your change?
 
   check-result:
-    needs: [check-files, gradle-check]
+    needs: [check-files, gradle-check, Code-Diff-Analyzer]
     if: always()
     runs-on: ubuntu-latest
     steps:
       - name: Fail if gradle-check fails
-        if: ${{ needs.check-files.outputs.RUN_GRADLE_CHECK && needs.gradle-check.result == 'failure' }}
+        if: |
+          needs.check-files.outputs.RUN_GRADLE_CHECK == 'true' &&
+          (needs.gradle-check.result == 'failure' || needs.Code-Diff-Analyzer.result == 'failure' || needs.Code-Diff-Analyzer.result == 'cancelled')
         run: exit 1

.github/workflows/links.yml

@@ -13,7 +13,7 @@ jobs:
       - uses: actions/checkout@v6
       - name: lychee Link Checker
         id: lychee
-        uses: lycheeverse/lychee-action@v2.7.0
+        uses: lycheeverse/lychee-action@v2.8.0
         with:
           args: --accept=200,403,429 --exclude-mail **/*.html **/*.md **/*.txt **/*.json --exclude-file .lychee.excludes
           fail: true

.github/workflows/lucene-snapshots.yml

@@ -47,7 +47,7 @@ jobs:
         run: ./gradlew publishJarsPublicationToMavenLocal -Pversion.suffix=snapshot-${{ env.REVISION }} -x javadoc
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v5
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: ${{ secrets.LUCENE_SNAPSHOTS_SECRET_ROLE }}
           aws-region: us-east-1
@@ -60,7 +60,7 @@ jobs:
           echo "LUCENE_SNAPSHOTS_BUCKET=$lucene_snapshots_bucket" >> $GITHUB_OUTPUT
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v5
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: ${{ secrets.LUCENE_SNAPSHOTS_S3_ROLE }}
           aws-region: us-east-1
@@ -70,7 +70,7 @@ jobs:
           aws s3 cp ~/.m2/repository/org/apache/lucene/ s3://${{ steps.get_s3_bucket.outputs.LUCENE_SNAPSHOTS_BUCKET }}/snapshots/lucene/org/apache/lucene/  --recursive --no-progress
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v5
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: ${{ secrets.LUCENE_SNAPSHOTS_ROLE }}
           aws-region: us-west-2

.github/workflows/publish-maven-snapshots.yml

@@ -36,11 +36,11 @@ jobs:
           MAVEN_SNAPSHOTS_S3_ROLE: op://opensearch-infra-secrets/maven-snapshots-s3/role
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v5
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: ${{ env.MAVEN_SNAPSHOTS_S3_ROLE }}
           aws-region: us-east-1
 
       - name: Publish snapshots to maven
         run: |
-          ./gradlew publishNebulaPublicationToSnapshotsRepository
+          ./gradlew publishNebulaPublicationToSnapshotsRepository -Pcrypto.standard=FIPS-140-3

AGENTS.md

@@ -0,0 +1,108 @@
+# AGENTS.md
+
+## Repository Structure
+
+Key components:
+
+- `server` - Core of the OpenSearch server. Includes the distributed system framework as well as most of the search and indexing functionality.
+- `plugins/*` - Optional plugins that extend interfaces defined in `server`. Plugins run in their own classloader that is a child of the `server` classloader.
+- `modules/*` - Architecturally the same as plugins, but are included by default and are not uninstallable.
+- `libs/*` - Libraries that can be used by `server` or any plugin or module.
+- `buildSrc` - The build framework, used by this repository and all external plugin repositories. This is published as the `build-tools` artifact.
+- `sandbox` - Contains `libs`, `modules`, and `plugins` that are under development. These are not included in non-snapshot builds.
+- `distribution` - Builds tar, zip, rpm, and deb packages.
+- `qa` - Integration tests requiring multiple modules/plugins, multi-version cluster tests, and tests in unusual configurations.
+- `test` - Test framework and test fixtures used across the project. Published for external plugin testing.
+
+## Build
+
+JDK 21 is the minimum supported. `JAVA_HOME` must be set.
+
+```
+./gradlew assemble          # build all distributions
+./gradlew localDistro       # build for local platform only
+./gradlew run               # run OpenSearch from source
+./gradlew generateProto     # regenerate protobuf code (if compilation errors)
+```
+
+## Testing
+
+### Unit Testing
+- Defined in `<component>/src/test` directory
+- Test class names must end with "Tests"
+- Base class: `OpenSearchTestCase`
+
+### Internal Cluster Tests
+- Defined in `<component>/src/internalClusterTest` directory
+- Test class names must end with "IT"
+- Base classes: `OpenSearchSingleNodeTestCase` (single node), `OpenSearchIntegTestCase` (multi-node)
+- These tests are extremely prone to race conditions. Ensure that you are using appropriate concurrency primitives or polling when asserting on a condition that completes asynchronously.
+
+### REST Tests
+- YAML-based REST tests: `./gradlew :rest-api-spec:yamlRestTest`
+- Java REST tests: `./gradlew :<module>:javaRestTest` (base class: `OpenSearchRestTestCase`)
+
+### Running Tests
+
+```
+./gradlew check                    # all verification tasks (unit, integration, static checks)
+./gradlew precommit                # precommit checks only
+./gradlew internalClusterTest      # in-memory cluster integration tests only
+./gradlew test                     # unit tests only
+
+# run a specific test
+./gradlew server:test --tests "*.ReplicaShardBatchAllocatorTests.testNoAsyncFetchData"
+./gradlew :server:internalClusterTest --tests "org.opensearch.action.admin.ClientTimeoutIT.testNodesInfoTimeout"
+
+# run with a specific seed for reproducibility
+./gradlew test -Dtests.seed=DEADBEEF
+
+# repeat a test N times
+./gradlew server:test --tests "*.ReplicaShardBatchAllocatorTests.testNoAsyncFetchData" -Dtests.iters=N
+```
+
+### Writing Good Tests
+
+- Prefer unit tests over multi-threaded integration tests when unit tests can provide the same test coverage.
+- Use randomization for parameters not expected to affect behavior (e.g., shard count for aggregation tests), not for coverage. If different code paths exist (e.g., 1 shard vs 2+ shards), write separate tests for each.
+- Never use `Thread.sleep` directly. Use `assertBusy` or `waitUntil` for polling, or instrument code with concurrency primitives like `CountDownLatch` for deterministic waiting.
+- Do not depend on specific segment topology. If needed, disable background refreshes and force merge after indexing.
+- Clean up all resources at the end of each test. The base test class checks for open file handles and running threads after tear down.
+- Do not abuse randomization in multi-threaded tests because it can make failures non-reproducible.
+- When testing functionality behind a feature flag, use `FeatureFlags.TestUtils` and the `@LockFeatureFlag` annotation.
+- Use the `-Dtests.iters=N` parameter to repeat new and modified tests with many different random seeds to ensure stability.
+
+## Java Formatting
+
+- Formatted with Eclipse JDT formatter via Spotless Gradle plugin.
+- Run `./gradlew spotlessJavaCheck` to check, `./gradlew spotlessApply` to fix.
+- 4-space indent, 140-character line width.
+- Wildcard imports are forbidden.
+- Prefer `foo == false` over `!foo` for readability.
+
+## Adding Dependencies
+
+When adding or removing a dependency in any `build.gradle` (non-test scope):
+1. Copy the library's `LICENSE.txt` and `NOTICE.txt` to `<component>/licenses/<artifact>-LICENSE.txt` and `<artifact>-NOTICE.txt`.
+2. Run `./gradlew :<component>:updateSHAs` to generate the SHA file.
+3. Verify with `./gradlew :<component>:check`.
+
+## Backwards Compatibility
+
+- Use `Version.onOrAfter` / `Version.before` checks when changing on-disk formats or encodings.
+- Mark public API classes with `@PublicApi` (backwards compatibility guaranteed), `@InternalApi` (no guarantees), `@ExperimentalApi` (may change any time), or `@DeprecatedApi`.
+- User-facing API changes require the `>breaking` PR label, a CHANGELOG entry, and deprecation log messages via `DeprecationLogger`.
+- Run `./gradlew japicmp` to check API compatibility against the latest release.
+
+## Commits
+
+Ensure `./gradlew precommit` passes before creating a commit. Write commit message titles focused on user impact and not implementation details.
+
+- Good: `Allow slash in snapshot file name validation`
+- Bad: `Add Strings#validFileNameExcludingSlash method`
+
+Commit message titles should be limited to 50 characters, followed by a blank line, and the body should be wrapped at 72 characters. Include all relevant context in commit messages but avoid excess verbosity. Users must understand and accept the Developer Certificate of Origin (DCO) and all commits must be signed off accordingly.
+
+## Pull Requests
+
+Always push to the user's fork. Never push to the upstream `opensearch-project/OpenSearch` repo. Never push directly to `main`. If a user fork does not exist, ask the contributor to create one.