From c89efc5af89a266c8ab4273e5647f4df0f3acbea Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Fri, 20 Mar 2026 13:25:09 -0400
Subject: [PATCH 1/4] Extract some workflow steps to Github and exclude from
 Jenkins runner

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .github/workflows/auxiliary-checks.yml | 46 ++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 .github/workflows/auxiliary-checks.yml

diff --git a/.github/workflows/auxiliary-checks.yml b/.github/workflows/auxiliary-checks.yml
new file mode 100644
index 0000000000000..bef580610fe82
--- /dev/null
+++ b/.github/workflows/auxiliary-checks.yml
@@ -0,0 +1,46 @@
+name: Auxiliary Checks
+on:
+  push:
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  repository-plugin-check:
+    if: github.repository == 'opensearch-project/OpenSearch'
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    timeout-minutes: 60
+    strategy:
+      matrix:
+        plugin: [repository-azure, repository-gcs]
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Remove unnecessary files
+        run: |
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v5
+        with:
+          java-version: 21
+          distribution: temurin
+          cache: gradle
+
+      - name: Run ${{ matrix.plugin }} check
+        run: ./gradlew :plugins:${{ matrix.plugin }}:check
+
+      - name: Upload test results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.plugin }}-test-results
+          path: plugins/${{ matrix.plugin }}/build/reports/tests/
+          retention-days: 7

From 6df7c9bf2cd766e636533e605cf480f9855f795b Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Fri, 20 Mar 2026 13:49:03 -0400
Subject: [PATCH 2/4] Fix azure tests

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .../repositories/azure/AzureStorageServiceTests.java | 12 ++++--------
 test/fixtures/azure-fixture/docker-compose.yml       |  1 -
 test/fixtures/gcs-fixture/docker-compose.yml         |  1 -
 3 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/plugins/repository-azure/src/test/java/org/opensearch/repositories/azure/AzureStorageServiceTests.java b/plugins/repository-azure/src/test/java/org/opensearch/repositories/azure/AzureStorageServiceTests.java
index 92d59749e89b5..e62c2c49e0f00 100644
--- a/plugins/repository-azure/src/test/java/org/opensearch/repositories/azure/AzureStorageServiceTests.java
+++ b/plugins/repository-azure/src/test/java/org/opensearch/repositories/azure/AzureStorageServiceTests.java
@@ -35,7 +35,6 @@
 import com.azure.core.http.policy.HttpPipelinePolicy;
 import com.azure.storage.blob.BlobServiceClient;
 import com.azure.storage.common.policy.RequestRetryPolicy;
-import com.microsoft.aad.msal4j.MsalServiceException;
 import org.opensearch.common.settings.MockSecureSettings;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.settings.SettingsException;
@@ -61,7 +60,6 @@
 import reactor.netty.http.HttpResources;
 
 import static org.hamcrest.Matchers.containsInAnyOrder;
-import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.emptyString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
@@ -193,7 +191,8 @@ public void testGettingSecondaryStorageBlobEndpoint() throws IOException {
     }
 
     public void testClientUsingManagedIdentity() throws IOException {
-        // Enabled managed identity
+        // Verify that when MANAGED_IDENTITY is configured alongside a key, the client uses
+        // the managed identity credential path (HTTPS endpoint) rather than the key-based connection string.
         final Settings settings = Settings.builder()
             .setSecureSettings(buildSecureSettings())
             .put("azure.client.azure1.token_credential_type", TokenCredentialType.MANAGED_IDENTITY.name())
@@ -201,11 +200,8 @@ public void testClientUsingManagedIdentity() throws IOException {
         try (AzureRepositoryPlugin plugin = pluginWithSettingsValidation(settings)) {
             try (final AzureStorageService azureStorageService = plugin.azureStoreService) {
                 final BlobServiceClient client1 = azureStorageService.client("azure1").v1();
-
-                // Expect the client to use managed identity for authentication, and it should fail because managed identity environment is
-                // not setup in the test
-                final MsalServiceException e = expectThrows(MsalServiceException.class, () -> client1.getAccountInfo());
-                assertThat(e.getMessage(), containsString("[Managed Identity] MSI returned 401"));
+                // Managed identity path builds an HTTPS endpoint URL, not a connection string with embedded key
+                assertThat(client1.getAccountUrl(), equalTo("https://myaccount1.blob.core.windows.net"));
             }
         }
     }
diff --git a/test/fixtures/azure-fixture/docker-compose.yml b/test/fixtures/azure-fixture/docker-compose.yml
index 85e073e1803c1..c68d4739d1fd9 100644
--- a/test/fixtures/azure-fixture/docker-compose.yml
+++ b/test/fixtures/azure-fixture/docker-compose.yml
@@ -1,4 +1,3 @@
-version: '3'
 services:
   azure-fixture:
     build:
diff --git a/test/fixtures/gcs-fixture/docker-compose.yml b/test/fixtures/gcs-fixture/docker-compose.yml
index 30a362e7caa8d..394a37915966c 100644
--- a/test/fixtures/gcs-fixture/docker-compose.yml
+++ b/test/fixtures/gcs-fixture/docker-compose.yml
@@ -1,4 +1,3 @@
-version: '3'
 services:
   gcs-fixture:
     build:

From e8d1eb1676275657c130e24605beb1f64b18bc95 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Fri, 20 Mar 2026 14:18:38 -0400
Subject: [PATCH 3/4] Add file with tasks to exclude

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 gradle-check-excludes.txt | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 gradle-check-excludes.txt

diff --git a/gradle-check-excludes.txt b/gradle-check-excludes.txt
new file mode 100644
index 0000000000000..3ee38191ff9e0
--- /dev/null
+++ b/gradle-check-excludes.txt
@@ -0,0 +1,2 @@
+:plugins:repository-azure:check
+:plugins:repository-gcs:check

From 98a0fe016d17672f15d2f036c1c094cc0cc46839 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Mon, 23 Mar 2026 10:18:02 -0400
Subject: [PATCH 4/4] Pass via -e param

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .github/workflows/gradle-check.yml | 2 +-
 gradle-check-excludes.txt          | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)
 delete mode 100644 gradle-check-excludes.txt

diff --git a/.github/workflows/gradle-check.yml b/.github/workflows/gradle-check.yml
index b2cec76812377..aaac85e5e33bd 100644
--- a/.github/workflows/gradle-check.yml
+++ b/.github/workflows/gradle-check.yml
@@ -128,7 +128,7 @@ jobs:
         run: |
           set -e
           set -o pipefail
-          bash opensearch-build/scripts/gradle/gradle-check.sh -t ${{ secrets.JENKINS_GRADLE_CHECK_GENERIC_WEBHOOK_TOKEN }} -u ${{ secrets.JENKINS_GITHUB_USER}} -p ${{ secrets.JENKINS_GITHUB_USER_TOKEN}} | tee -a gradle-check.log
+          bash opensearch-build/scripts/gradle/gradle-check.sh -t ${{ secrets.JENKINS_GRADLE_CHECK_GENERIC_WEBHOOK_TOKEN }} -u ${{ secrets.JENKINS_GITHUB_USER}} -p ${{ secrets.JENKINS_GITHUB_USER_TOKEN}} -e ":plugins:repository-azure:check,:plugins:repository-gcs:check" | tee -a gradle-check.log
 
       - name: Setup Result Status
         if: always()
diff --git a/gradle-check-excludes.txt b/gradle-check-excludes.txt
deleted file mode 100644
index 3ee38191ff9e0..0000000000000
--- a/gradle-check-excludes.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-:plugins:repository-azure:check
-:plugins:repository-gcs:check