
Fix distribution build: pin analytics-api dep to 3.7.0-SNAPSHOT#5455

Open
lezzago wants to merge 2 commits into
opensearch-project:mainfrom
lezzago:fix/issue-5434-distribution-build

Conversation


@lezzago lezzago commented May 20, 2026

Summary

Pin analytics-api to 3.7.0-SNAPSHOT in plugin/build.gradle. The previous ${opensearch_version} resolves to 3.7.0 in release builds, but sandbox artifacts are never published with a release coordinate, so the build fails:

Could not find org.opensearch.sandbox:analytics-api:3.7.0

The same hardcoded snapshot pattern is already used in core/build.gradle:67 for the same artifact.

Resolves #5434

Test plan

  • ./gradlew assemble -DskipTests=true (snapshot mode) — passes
  • bash scripts/build.sh -v 3.7.0 -p linux -a arm64 -s false -o builds reproduced locally — passes (was failing on main)
  • Plugin loads cleanly into a 3.7.0 distribution alongside 10 sibling plugins; cluster reaches GREEN
  • CI distribution build passes

The distribution build (./build.sh -s false) sets
-Dopensearch.version=3.7.0, which made the dep declared as
${opensearch_version} resolve to "3.7.0" — a release coordinate that
will never exist for org.opensearch.sandbox:analytics-api. OpenSearch
core's sandbox/build.gradle deliberately disables publish tasks for
sandbox artifacts unless -Dsandbox.enabled=true AND build.snapshot=true,
explicitly to "prevent accidental inclusion of these artifacts in a
release distribution". Build 11942 fails at :opensearch-sql-plugin:compileJava
with `Could not find org.opensearch.sandbox:analytics-api:3.7.0`.

Hardcode the dep version to "3.7.0-SNAPSHOT" — same pattern already used
by core/build.gradle:67 for the same artifact. The bundled jar continues
to ship inside the SQL plugin so QueryPlanExecutor remains resolvable at
runtime even when the analytics-engine plugin is absent (verified by
loading the rebuilt plugin into a 3.7.0 cluster — all 11 plugins load
cleanly, cluster transitions to GREEN).

Resolves opensearch-project#5434

Signed-off-by: Ashish Agrawal <ashisagr@amazon.com>

github-actions Bot commented May 20, 2026

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 8b62fc2.

Path: plugin/build.gradle
Line: 163
Severity: high
Description: Dependency version for 'org.opensearch.sandbox:analytics-api' changed from a pinned release version to a SNAPSHOT build. SNAPSHOT artifacts in Maven/Gradle repositories are mutable — the artifact can be silently replaced at any time without changing the version string, creating an active supply chain attack vector. The version manipulation (tokenize('-')[0] + '-SNAPSHOT') also strips any existing qualifier, potentially resolving to a different artifact than intended. Maintainers must verify both the legitimacy of this change and that the SNAPSHOT artifact in the target registry has not been tampered with.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 1 | Medium: 0 | Low: 0
Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.
⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@lezzago lezzago added the infrastructure Changes to infrastructure, testing, CI/CD, pipelines, etc. label May 20, 2026

lezzago commented May 20, 2026

Re: Code-Diff-Analyzer findings — both flags are about the hardcoded 3.7.0-SNAPSHOT coordinate. Adding context for reviewers:

Why a literal 3.7.0-SNAPSHOT instead of ${opensearch_version}:

opensearch_version resolves to 3.7.0 in the distribution build (./build.sh -s false). For most artifacts that's correct, but org.opensearch.sandbox:analytics-api is a sandbox subproject of OpenSearch core, and OpenSearch's sandbox/build.gradle deliberately disables publish tasks for sandbox artifacts unless -Dsandbox.enabled=true AND build.snapshot=true — explicitly to "prevent accidental inclusion of these artifacts in a release distribution." Result: analytics-api:3.7.0 (release coord) does not exist anywhere; only 3.7.0-SNAPSHOT is published. That mismatch is the cause of #5434.

Why this isn't a new pattern: core/build.gradle:67 already declares 'org.opensearch.sandbox:analytics-api:3.7.0-SNAPSHOT' for the same reason. This PR brings the plugin module in line.

Re: SNAPSHOT supply-chain risk: the SQL plugin already pulls analytics-api:3.7.0-SNAPSHOT transitively via core/build.gradle, so this PR doesn't change the trust surface. The artifact is hosted on the OpenSearch project's own snapshot repo (ci.opensearch.org/ci/dbc/snapshots/maven/), not Maven Central. Pinning to a snapshot here is consistent with how the rest of the project handles sandbox dependencies. This will be removable once OpenSearch core promotes analytics-api out of sandbox/ (or once the plugin can use the AnalyticsFrontEndExtension SPI tracked in opensearch-project/OpenSearch#21449).

Comment thread: plugin/build.gradle (Outdated)
api project(":ppl")
api project(':api')
implementation("org.opensearch.sandbox:analytics-api:${opensearch_version}")
implementation 'org.opensearch.sandbox:analytics-api:3.7.0-SNAPSHOT'
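Review bot: the literal '3.7.0-SNAPSHOT' on the replacement line has to be bumped by hand at every version change, whereas the removed line tracked ${opensearch_version} automatically; deriving the coordinate from that variable (strip any qualifier, then append -SNAPSHOT, as build.gradle:12 already does for opensearch_build) keeps the fix for #5434 without the manual step. Because a -SNAPSHOT coordinate can be republished without its version string changing, the review should also record which repository this artifact resolves from.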

Good catch — bare ${opensearch_version} doesn't work because that variable swings between two values:

Mode                  | -Dopensearch.version | resolves to
Local dev (default)   | not passed           | 3.7.0-SNAPSHOT
CI distribution build | 3.7.0                | 3.7.0 ❌ — sandbox artifact never published as a release coord

OpenSearch core's sandbox/build.gradle explicitly disables release publishing for sandbox artifacts ("prevent accidental inclusion of these artifacts in a release distribution"), so analytics-api:3.7.0 doesn't exist anywhere — only 3.7.0-SNAPSHOT does. That's the actual #5434 failure.

Appending -SNAPSHOT directly (${opensearch_version}-SNAPSHOT) doesn't work either: in local dev that produces 3.7.0-SNAPSHOT-SNAPSHOT.

Pushed 8b62fc2 which uses the same tokenize pattern build.gradle:12 already uses for opensearch_build:

implementation "org.opensearch.sandbox:analytics-api:${opensearch_version.tokenize('-')[0]}-SNAPSHOT"

Strips any existing -SNAPSHOT suffix, then appends one. Resolves to 3.7.0-SNAPSHOT in both modes; auto-tracks version bumps. Verified locally with both -Dopensearch.version=3.7.0 -Dbuild.snapshot=false (CI release) and the default snapshot mode.
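Added example (not the project's build code) that models the derivation above in Python and goes one step further: it reports any version qualifier the tokenize pattern would drop, the case the analyzer flagged, and resolves a floating -SNAPSHOT to the timestamped build it currently points at from a constructed maven-metadata.xml. Group and artifact names are the page's; the metadata contents are made up.

```python
import xml.etree.ElementTree as ET

# Mirrors the Gradle expression ${opensearch_version.tokenize('-')[0]}-SNAPSHOT:
# keep only the text before the first '-' and append exactly one -SNAPSHOT.
def snapshot_coordinate(opensearch_version, group="org.opensearch.sandbox",
                        artifact="analytics-api"):
    base = opensearch_version.split("-", 1)[0]
    return f"{group}:{artifact}:{base}-SNAPSHOT"

def stripped_qualifier(opensearch_version):
    """Return a qualifier the tokenize pattern would silently drop (e.g. 'alpha1'),
    or None when there is none or it is just -SNAPSHOT."""
    parts = opensearch_version.split("-", 1)
    if len(parts) == 1 or parts[1] == "SNAPSHOT":
        return None
    return parts[1]

# Constructed maven-metadata.xml in the layout a Maven repository serves under
# <group path>/analytics-api/3.7.0-SNAPSHOT/; timestamp and build number are made up.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<metadata modelVersion="1.1.0">
  <groupId>org.opensearch.sandbox</groupId>
  <artifactId>analytics-api</artifactId>
  <version>3.7.0-SNAPSHOT</version>
  <versioning>
    <snapshot><timestamp>20260520.101530</timestamp><buildNumber>12</buildNumber></snapshot>
    <lastUpdated>20260520101530</lastUpdated>
  </versioning>
</metadata>
"""

def unique_snapshot_version(metadata_xml):
    """Resolve the floating -SNAPSHOT version to the timestamped build it points at now;
    3.7.0-<timestamp>-<build> names one immutable upload and is the value worth recording."""
    root = ET.fromstring(metadata_xml)
    version = root.findtext("version") or ""
    snap = root.find("versioning/snapshot")
    if snap is None or not version.endswith("-SNAPSHOT"):
        raise ValueError("metadata does not describe a SNAPSHOT version")
    stamp = snap.findtext("timestamp")
    build = snap.findtext("buildNumber")
    if not stamp or not build:
        raise ValueError("snapshot metadata lacks timestamp/buildNumber")
    return f"{version[:-len('-SNAPSHOT')]}-{stamp}-{build}"

if __name__ == "__main__":
    for v in ("3.7.0", "3.7.0-SNAPSHOT", "3.7.0-alpha1"):
        print(v, "->", snapshot_coordinate(v), "dropped qualifier:", stripped_qualifier(v))
    print("currently resolves to", unique_snapshot_version(SAMPLE_METADATA))
```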

Address review feedback: instead of hardcoding "3.7.0-SNAPSHOT", derive
the snapshot version from ${opensearch_version} via the same tokenize
pattern build.gradle:12 already uses for opensearch_build. The dep now
auto-tracks version bumps and resolves correctly in both release-mode CI
(${opensearch_version}=3.7.0) and local snapshot builds
(${opensearch_version}=3.7.0-SNAPSHOT) without producing a malformed
"-SNAPSHOT-SNAPSHOT" suffix.

Signed-off-by: Ashish Agrawal <ashisagr@amazon.com>

Labels

infrastructure Changes to infrastructure, testing, CI/CD, pipelines, etc.

Development

Successfully merging this pull request may close these issues.

[AUTOCUT] Distribution Build Failed for sql-3.7.0