Extract some workflow steps to Github and exclude from Jenkins runner

[cwperks]

Description

This PR is part of a series of 3:

• Extract some workflow steps to Github and exclude from Jenkins runner #20946
• Add -e (--exclude-tasks) param to gradle-check.sh opensearch-build#6043
• Add excludeTasks param to runGradleCheck opensearch-build-libraries#814

Currently trying to experiment with ways to increase the build's success percentage. See the daily report here.

The new workflow is this PR extracts the gradle check for the repository-gcs and repository-azure plugins to Github rather then Jenkins. The idea is that these are 1) run in parallel to speed up the core gradle check on Jenkins and 2) eventually we can get to the point where these only run when the code or dependencies have changed instead of on every pr.

If this works and has support then I will also open a pr on opensearch-build to exclude these checks from the main gradle check. i.e. -x :plugins:repository-azure:check -x :plugins:repository-gcs:check

Related Issues

Related to #19378

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[github-actions]

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit c89efc5.

Path	Line	Severity	Description
.github/workflows/auxiliary-checks.yml	22	medium	Third-party GitHub Actions (actions/checkout@v6, actions/setup-java@v5, actions/upload-artifact@v4) are referenced by mutable version tags rather than immutable commit SHAs. If a tag is moved or compromised, malicious code could be silently injected into the CI pipeline. This is a known supply chain attack vector in GitHub Actions workflows.
.github/workflows/auxiliary-checks.yml	27	low	The variable $AGENT_TOOLSDIRECTORY is an Azure DevOps/Azure Pipelines environment variable, not a native GitHub Actions variable. In GitHub Actions the equivalent is $RUNNER_TOOL_CACHE. While this likely results in a no-op (unset variable expanding to empty string causing 'rm -rf' with no path), it is anomalous and worth confirming it was not copied from a different CI system with unintended side effects or that it cannot be externally influenced.

The table above displays the top 10 most important findings.

Total: 2 | Critical: 0 | High: 0 | Medium: 1 | Low: 1

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[github-actions]

PR Reviewer Guide 🔍

(Review updated until commit 98a0fe0)

Here are some key observations to aid the review process:

🧪 PR contains tests

🔒 No security concerns identified

✅ No TODO sections

🔀 Multiple PR themes Sub-PR theme: Extract repository plugin checks to GitHub Actions workflow Relevant files: .github/workflows/auxiliary-checks.yml plugins/repository-azure/src/test/java/org/opensearch/repositories/azure/AzureStorageServiceTests.java test/fixtures/azure-fixture/docker-compose.yml test/fixtures/gcs-fixture/docker-compose.yml Sub-PR theme: Exclude repository plugin checks from Jenkins gradle-check runner Relevant files: .github/workflows/gradle-check.yml

⚡ Recommended focus areas for review Weakened Test The testClientUsingManagedIdentity test previously verified that managed identity authentication actually attempts to use the credential (by expecting a MsalServiceException when the environment is not set up). The new version only checks the account URL, which can pass even if the credential type is completely ignored. This reduces test coverage for the managed identity code path. public void testClientUsingManagedIdentity() throws IOException { // Verify that when MANAGED_IDENTITY is configured alongside a key, the client uses // the managed identity credential path (HTTPS endpoint) rather than the key-based connection string. final Settings settings = Settings.builder() .setSecureSettings(buildSecureSettings()) .put("azure.client.azure1.token_credential_type", TokenCredentialType.MANAGED_IDENTITY.name()) .build(); try (AzureRepositoryPlugin plugin = pluginWithSettingsValidation(settings)) { try (final AzureStorageService azureStorageService = plugin.azureStoreService) { final BlobServiceClient client1 = azureStorageService.client("azure1").v1(); // Managed identity path builds an HTTPS endpoint URL, not a connection string with embedded key assertThat(client1.getAccountUrl(), equalTo("https://myaccount1.blob.core.windows.net")); } } } Invalid Action Version actions/checkout@v6 is used, but as of today the latest stable release is v4. Version 6 does not exist and will cause the workflow to fail at runtime. - uses: actions/checkout@v6

[github-actions]

PR Code Suggestions ✨

Latest suggestions up to 98a0fe0

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Fix invalid action version reference The actions/checkout action version v6 does not exist; the latest major version is v4. Using a non-existent version will cause the workflow to fail. Update to actions/checkout@v4. .github/workflows/auxiliary-checks.yml [23] -- uses: actions/checkout@v6 +- uses: actions/checkout@v4 Suggestion importance[1-10]: 9 __ Why: actions/checkout@v6 does not exist (latest is v4), so this would cause the workflow to fail entirely. This is a critical correctness issue.	High
General	Avoid silently ignoring job failures Setting continue-on-error: true at the job level means failures in the repository plugin checks will be silently ignored, potentially masking real test failures. Consider removing this or limiting it to specific steps where failure is expected and acceptable. .github/workflows/auxiliary-checks.yml [17] -continue-on-error: true +# Remove continue-on-error or set it only on specific steps that are expected to fail Suggestion importance[1-10]: 5 __ Why: continue-on-error: true at the job level will mask real test failures, reducing the value of the CI check. However, the improved_code only adds a comment rather than showing a concrete fix, limiting its actionability.	Low

---

Previous suggestions

Suggestions up to commit e8d1eb1

Category	Suggestion	Impact
Possible issue	Fix invalid action version reference The actions/checkout action version v6 does not exist; the latest major version is v4. Using a non-existent version will cause the workflow to fail. Update to actions/checkout@v4. .github/workflows/auxiliary-checks.yml [23] -- uses: actions/checkout@v6 +- uses: actions/checkout@v4 Suggestion importance[1-10]: 9 __ Why: actions/checkout@v6 does not exist (latest is v4), so this would cause the workflow to fail entirely. This is a critical correctness issue.	High
General	Ensure check failures are not silently ignored Setting continue-on-error: true at the job level means failures in the plugin checks will be silently ignored, and the overall workflow will report success even when tests fail. This defeats the purpose of running these checks as a quality gate. Remove this setting or set it to false to ensure failures are surfaced. .github/workflows/auxiliary-checks.yml [17] -continue-on-error: true +continue-on-error: false Suggestion importance[1-10]: 6 __ Why: continue-on-error: true means test failures won't block the workflow, which may be intentional for auxiliary checks but could hide real issues. This is a valid concern about the quality gate effectiveness.	Low

Suggestions up to commit 6df7c9b

Category	Suggestion	Impact
Possible issue	Fix invalid action version reference The actions/checkout action does not have a v6 release; the latest major version is v4. Using a non-existent version tag will cause the workflow to fail at runtime. .github/workflows/auxiliary-checks.yml [23] -- uses: actions/checkout@v6 +- uses: actions/checkout@v4 Suggestion importance[1-10]: 8 __ Why: actions/checkout@v6 does not exist (latest is v4), so this would cause the workflow to fail at runtime. This is a real bug that needs to be fixed.	Medium
General	Avoid silently ignoring job failures Setting continue-on-error: true at the job level means failures in the plugin checks will be silently swallowed and the overall workflow will still report success. This can mask real test failures. Consider removing this or limiting it to specific known-flaky steps. .github/workflows/auxiliary-checks.yml [17] -continue-on-error: true +# Remove continue-on-error or set it only on specific steps that are known to be flaky Suggestion importance[1-10]: 4 __ Why: continue-on-error: true at the job level will mask test failures, but the improved_code only adds a comment rather than showing a concrete fix. This is a valid concern but the suggestion's improved code doesn't demonstrate a proper resolution.	Low

[cwperks]

Fixes the error seen here: https://github.com/opensearch-project/OpenSearch/actions/runs/23354788293/job/67942749650

Suite: Test class org.opensearch.repositories.azure.AzureStorageServiceTests
  2> REPRODUCE WITH: ./gradlew ':plugins:repository-azure:test' --tests 'org.opensearch.repositories.azure.AzureStorageServiceTests.testClientUsingManagedIdentity' -Dtests.seed=F2A1209AD7C630AC -Dtests.security.manager=true -Dtests.jvm.argline="-XX:TieredStopAtLevel=1 -XX:ReservedCodeCacheSize=64m" -Dtests.locale=cgg-UG -Dtests.timezone=America/Fortaleza -Druntime.java=25
  2> java.lang.AssertionError: 
    Expected: a string containing "[Managed Identity] MSI returned 401"
         but: was "[Managed Identity] Authentication unavailable. The requested identity has not been assigned to this resource.Status: 400Content:{"error":"invalid_request","error_description":"Identity not found"}Headers:Server[IMDS/150.870.65.1854]Content-Length[68]x-ms-request-id[23532fc5-479b-4cb6-9835-9485a51600a3]Date[Fri, 20 Mar 2026 17:35:08 GMT]Content-Type[application/json; charset=utf-8] [Managed Identity] Error Code: invalid_request Error Message: Identity not found"

[github-actions]

Persistent review updated to latest commit e8d1eb1

[github-actions]

❌ Gradle check result for e8d1eb1: null

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

Persistent review updated to latest commit 98a0fe0

[github-actions]

❌ Gradle check result for 98a0fe0: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?