mirror of
https://github.com/open-metadata/OpenMetadata
synced 2026-05-24 09:39:11 +00:00
689 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
14f880636a
|
ci(airflow-apis-tests): migrate Sonar step to sonarqube-scan-action@v7 with retry + add workflow_dispatch (#28292)
* ci(airflow-apis-tests): retry Sonar PR scan on JRE-provisioning flake
Mirror the py-tests pattern: migrate from the deprecated sonarsource/sonarcloud-github-action@master to SonarSource/sonarqube-scan-action@v7, mark the PR scan continue-on-error, and add a sleep+retry step so a transient 'Failed to query JRE metadata' from Sonar's JRE-provisioning endpoint no longer fails the job on first attempt. Hoist the shared sonar args into a workflow-level SONAR_OPTS env.
* ci(airflow-apis-tests): allow workflow_dispatch + run Sonar step on it
Add workflow_dispatch trigger so the Sonar retry path can be exercised from the Actions UI without opening a PR, and extend the Sonar PR step (plus its wait+retry siblings) to run on the dispatch event.
* ci(airflow-apis-tests): scope Sonar steps to pull_request_target only
Drop workflow_dispatch from the Sonar PR/retry step conditions so manual runs don't fire the scanner with empty -Dsonar.pullrequest.* flags (would create a branch entry in SonarCloud, per gitar-bot review). Dispatch trigger stays for re-running the build/test surface; Sonar will only fire on a real PR where the pull-request context exists.
|
||
|
|
fb954a9141
|
ci: add Java Playwright UIIT workflow (dispatch-only) (#28251)
Lands java-playwright-nightly.yml on main so the workflow becomes dispatchable. workflow_dispatch only registers when the workflow file exists on the default branch; once merged, the suite can be run on demand against any branch ref.
Tracks EPIC #3731.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
|
286a26f81f
|
ci(security-scan): post Snyk summary to Slack + fail on high/critical (#28200)
* ci(security-scan): post Snyk summary to Slack + fail on high/critical
* fix slack post channel
* mention repo name
* address gitar
|
||
|
|
d5bc00d1da
|
ci(security-scan): readable Snyk job summary + consolidated Slack alert (#28170)
* generate snyk summary
* address gitar
* address gitar
* generate summary
* remove duplicate notification
|
||
|
|
bb5c64658e
|
ci: consolidate security scan Slack notifications into single combined alert (#28135)
* ci: consolidate security scan Slack notifications into single combined alert
* address gitar
* add env
|
||
|
|
64f49c1747
|
Cache improvements: lineage + search layers, observability, CI gate (#28012)
* cache: lineage cache, per-type metrics, invalidation registry, search-cache
Add Redis-backed lineage response cache and search response cache, both gated by the existing CACHE_PROVIDER toggle and falling through to direct computation when the cache is unavailable. The cache remains optional — verified end-to-end by toggling CACHE_PROVIDER=none on a live stack and confirming all paths continue to work (just without the L2 hit).
Coverage:
- CachedLineage wraps LineageRepository.getLineage with hybrid TTL + direct invalidation (60s default). Direct edits invalidate the affected root cache entries; transitive changes fall through to TTL.
- CachedSearchLayer wraps /api/v1/search/query with auth-aware caching (cache key includes principal so users with different ACLs don't share results). 30s default TTL.
Observability:
- /api/v1/system/cache/stats response now includes a metrics block with hits/misses/hitRatio/evictions/errors/writes plus read/write latency Timers, and a byType breakdown so coverage gaps are visible per entity-type and per cache-layer.
Correctness:
- New Invalidatable interface + CacheBundle registry + invalidateEntity helper so future cache layers plug in by implementing one method instead of editing multiple mutation paths.
- Edge mutations in LineageRepository.addLineage/deleteLineage invalidate both endpoints; entity mutations in EntityRepository.postUpdate / postDelete / restoreEntity invalidate the lineage rooted at the entity.
- Pub/sub handler in CacheBundle iterates registered Invalidatables so remote-pod evictions flow to all layers automatically.
Tooling:
- docker-compose.cache-off.yml overlay flips CACHE_PROVIDER=none for local A/B testing without tearing down DB/ES volumes.
- CachedSearchLayerIT exercises hit-on-second-call, distinct-query misses, distinct-page-size misses, and byType shape via the metrics endpoint. Each test gracefully no-ops when the cluster runs cache-off.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* cache: phase 2 ops + correctness — single-flight, slow-read, negative cache, admin endpoints
Builds on the phase 1 commit ( |
||
|
|
77a85bffde
|
[CI] Add on-demand Playwright search-nightly workflow (#27908)
* test(ci): add on-demand playwright search-nightly workflow
Create a manual Playwright search-nightly workflow with the same bootstrap, reporting, Slack notification, and cleanup structure as the SSO nightly job. Add a dedicated search-nightly Playwright project and a basic nightly search smoke spec without using issue-closing keywords for #3792.
* address comments
* revert changes
* minor updates
|
||
|
|
d3bbbefe37
|
fix(rdf): dedupe lineage edges, surface Fuseki failures, port distributed-mode improvements (#27999)
* fix(rdf): dedupe lineage edges and broaden PROV-O coverage
The RDF Knowledge Graph endpoint was emitting two edges per lineage
relationship — once as `om:UPSTREAM` (forward) and once as
`prov:wasDerivedFrom` (reverse) — because the parser preserved each
predicate's native subject/object orientation instead of canonicalizing
both into a single `(upstream, downstream)` edge.
Also extend PROV-O coverage so external SPARQL clients can use the W3C
Provenance vocabulary directly:
- `prov:Entity` / `prov:Activity` / `prov:Agent` class typing on
datasets / pipelines / users
- `prov:wasAttributedTo` mirror of `om:owners`
- `prov:generated` (inverse of existing `wasGeneratedBy`) and `prov:used`
on lineageDetails so the Entity → Activity → Entity chain is complete
- `prov:hadPlan` + `prov:Plan` for SQL transformation recipes
- `prov:startedAtTime` / `prov:endedAtTime` on Activity instances
- `prov:wasAssociatedWith` Activity → Agent linking
- `prov:invalidatedAtTime` on soft-deleted entities
Other RDF cleanups in the same area:
- LineageDetails URIs are now deterministic (driven by from/to ids
instead of a timestamp), so re-indexing collapses duplicate Activity
resources via the existing DELETE+INSERT idempotency
- Skip emitting the redundant `om:owners` JSON-string literal — the
mapped path already produces clean `om:hasOwner <agent>` triples
- Skip empty `[]` array literals in the unmapped path
- Propagate failures from `RdfRepository.{addRelationship,
addLineageWithDetails, bulkAddRelationships,
bulkAddGlossaryTermRelations}` instead of silently swallowing them,
so downstream callers can surface the failure
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(rdf-index-app): surface Fuseki failures in app run record
Per-entity and per-batch failures from the RDF index app used to be
logged via SLF4J only — they never made it into the AppRunRecord, so
the UI/run history showed "completed" even when every entity had
silently failed to write to Fuseki.
- `RdfBatchProcessor.processEntities` now captures the last error per
entity, returns it in `BatchProcessingResult.lastError`, and
accumulates relationship-processing failures into the same result.
- Relationship and lineage processing methods (`processBatchRelationships`,
`processLineageRelationship`, `processGlossaryTermRelations`) return
structured results with failure counts and last-error messages instead
of `void`, so failures are visible to the partition worker.
- `RdfIndexApp` records the failure on `jobData` for both the
distributed and non-distributed code paths, so users see a real
error message in the run history (e.g.
"Failed to write entity X to Fuseki: ConnectException").
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* perf(rdf-index-app): port distributed-mode improvements from SearchIndex
The RDF distributed-indexing fork was lagging behind several SearchIndex
improvements that addressed concrete reliability and throughput issues.
Port them across:
Core perf / reliability
- Precomputed partition start cursors: coordinator walks each entity
once via keyset pagination at job init and caches the boundary cursor
per (jobId, entityType, rangeStart). Workers consult the cache before
falling back to the OFFSET-based path. Eliminates the previous O(N²)
per-partition cursor lookup.
- `cancelInFlightPartitions` + `requestStop` + `checkAndUpdateJobCompletion`
on the coordinator. Stop now cancels both PENDING and PROCESSING
partitions in a single SQL update and immediately drives the job
status from STOPPING → STOPPED, so the UI status no longer hangs
while workers drain.
- Selective field hydration: `RdfPartitionWorker.readEntitiesKeyset`
uses `ReindexingUtil.getSearchIndexFields(entityType)` instead of
`List.of("*")`, avoiding expensive fetchers (e.g. fetchAndSetOwns)
per batch.
- Partition heartbeat thread: virtual thread refreshes
`lastUpdateAt` every 30s for partitions actively being processed by
this server, so the stale reclaimer no longer interrupts active work.
- `MAX_IN_FLIGHT_PARTITIONS_PER_SERVER = 5` backpressure: claim path
rejects when the server already holds 5 PROCESSING partitions, giving
fair distribution across pods. Verified the existing claim DAO uses
`FOR UPDATE SKIP LOCKED` for both MySQL and Postgres.
- Gate WebSocket stat broadcasts during the STOPPING phase so the
Quartz-scheduler-driven STOPPED status push isn't overwritten.
Multi-server scaffolding (single-pod is unaffected)
- `RdfPollingJobNotifier`: DB-polling discovery for other server pods
to find an in-flight RDF reindex they can join.
- `RdfEntityCompletionTracker`: per-entity-type partition tracking with
callback firing once all partitions for an entity complete, foundation
for early per-entity index promotion.
Tests: precomputed-cursor cache lookup, in-flight backpressure,
cancelInFlight delegation, completion tracker callback semantics,
notifier start/stop.
DAO additions on `rdf_index_partition`:
- `cancelInFlightPartitions(jobId, now)` — covers both PENDING and
PROCESSING in one statement
- `countInFlightPartitionsForServer(jobId, serverId)` — backpressure
- `countPartitionsByStatus(jobId, status)` — used by completion check
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(ui-apps): hide misleading data on synthetic 'CurrentConfig' row
When an app has no run history, AppRunsHistory fabricated a synthetic
placeholder row that looked like a real run — `runType: "CurrentConfig"`,
a fake `Run At` timestamp pulled from `appData.updatedAt`, an
ever-growing `Duration` (`now − updatedAt`), and an active `Stop` button
that targeted nothing.
Render `--` for `Run At`, `Run Type`, and `Duration` on synthetic rows,
and hide the `Stop` button so users no longer see "Run now → 19-minute
Running with Stop button" when the actual job never registered. Real
app runs are unaffected — they still display `runType` from the
backend (OnDemandJob, Hourly, Daily, Custom, etc.).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(rdf): address PR review findings
Four issues raised in PR #27999 review:
- **Cursor format consistency in walkAndRecord** (bug):
The defensive branch produced cursors via a custom `{name, id}` map
while the regular path used `repo.getCursorValue()`. For entities
with quoted names these encodings diverge — a quoted-name entity
could land in the cache with a cursor incompatible with what the
worker fetches via keyset pagination. Track the last seen entity
reference and run it through `repo.getCursorValue()` in both paths.
`encodeBoundaryCursor` is removed.
- **Adaptive scheduling in RdfPollingJobNotifier** (perf):
The previous implementation woke the scheduler thread every 1s and
short-circuited inside the poll method when idle. Reschedule the
task at the appropriate interval (1s active / 30s idle) when
`setParticipating` flips, so the thread genuinely sleeps when idle.
- **Cursor cache cleanup on startup recovery** (edge case):
`partitionStartCursors` was only evicted by `refreshAggregatedJob`
/ `checkAndUpdateJobCompletion`. If a coordinator crashed mid-job
and never reached either, the cache entry leaked until process
restart. Add `evictStaleCursorCacheEntries()` invoked by
`performStartupRecovery` that drops entries for jobs that no longer
exist in the DB or are already terminal.
- **Consolidate describeError helpers** (quality):
`describeError`, `describeBulkError`, and `describeLineageError` in
`RdfBatchProcessor` all walked the cause chain and formatted a
prefixed message with the same logic. Reduced to a single
`describeError(prefix, error)` plus a thin `describeEntityError`
adapter for the per-entity call site.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(rdf-index-app): avoid double workerExecutor.shutdownNow() in stop()
stop() called workerExecutor.shutdownNow() inline AND through
cleanupLocalExecution -> shutdownWorkerExecutor, which broke the
DistributedRdfIndexExecutorTest.stopAndCoordinatorCleanupOnlyTearDownLocalExecutionOnce
verify(workerExecutor, times(1)).shutdownNow() expectation. Drop the
inline call — cleanupLocalExecution is the single owner of the
shutdown path.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* ci: drop redundant DB matrix from openmetadata-service unit tests
The {mysql, postgresql} strategy matrix on openmetadata-service unit
tests doubled CI cost without adding signal: both jobs ran the same
surefire suite. The `-Pmysql` / `-Ppostgresql` profiles are defined
only in `openmetadata-sdk/pom.xml` (lines 190-206), set a single
`test.database` property, and that property is consumed exclusively by
the failsafe plugin (integration tests `*IT.java` / `*IntegrationTest.java`),
which only runs under `-Pintegration-tests` — not enabled here.
`openmetadata-service` itself has zero tests that read `test.database`
or use `MySQLContainer`/`PostgreSQLContainer` (verified by grep). The
only testcontainer-based DB code in the repo lives in
`openmetadata-integration-tests`, a different module that this workflow
doesn't build.
Run the unit suite once. The `openmetadata-service-unit-tests-status`
required-check aggregator is unaffected (it depends on the renamed job
which still has the same name).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(rdf): address Copilot PR review findings
Six correctness issues raised on PR #27999:
- **Lineage-details DELETE was too broad** (RdfRepository): the cleanup
step deleted *all* `<fromUri> om:hasLineageDetails ?d` triples,
so reindexing one (fromId, toId) edge wiped lineage-details links
for every other downstream of the same source entity. Pin the
delete to the specific `<fromUri> om:hasLineageDetails <detailsUri>`
triple. Same with prov:generated cleanup — anchor it to the
specific detailsUri instead of any details resource.
- **Predicate not flipped during canonicalization** (RdfRepository):
`parseEntityGraphEdgesFromResults` swapped subject/object for
reverse-direction predicates (`prov:wasDerivedFrom`,
`prov:wasInfluencedBy`) but kept the original predicate URI on the
resulting EdgeInfo. Exported graphs could carry semantically
invalid triples like `<upstream> prov:wasDerivedFrom <downstream>`.
Add `forwardEquivalentPredicate` to substitute the OM-native
forward predicate when the direction flips.
- **`dct:modified` was an invalid xsd:dateTime** (RdfPropertyMapper):
`entity.getUpdatedAt().toString()` returns the epoch-millis Long as
a string, but the literal was tagged `xsd:dateTime`. Convert via
`Instant.ofEpochMilli(...).toString()` so the lexical form matches
the type — same fix already in place for prov:invalidatedAtTime.
- **Unmapped EntityReference arrays were dropped entirely**
(RdfPropertyMapper): the previous fix to skip noisy JSON-string
literals also dropped fields like `domains`, `reviewers`, `voters`
for entity contexts that don't have a JSON-LD mapping for them —
the unmapped path was the only path emitting them, so nothing
landed in RDF. Expand each array element through
`addEntityReference` so the data still produces proper
`om:<fieldName> <ref>` triples; mapped-path duplicates are
collapsed by Jena's Model dedupe.
- **Partition failure detection missed reader errors**
(DistributedRdfIndexExecutor): the EntityCompletionTracker was fed
`result.errorMessage() != null`, but `RdfPartitionWorker` can
increment `failedCount` from `readerErrors` without ever setting
`lastError`. Use `result.failedCount() > 0` so partitions whose
failures came from `ResultList.getErrors()` are also marked as
failed when promoting an entity.
- **`COMPLETED_WITH_ERRORS` was hidden when failedRecords == 0**
(RdfIndexApp): the coordinator marks a job COMPLETED_WITH_ERRORS
whenever any partition is FAILED or CANCELLED, including for
user-initiated stops where no record-level failures accrued. The
monitor's `completedWithErrors` gate required `failedRecords > 0`,
so those terminal states never hit `jobData.setFailure(...)` and
the run record showed success. Drop the failedRecords precondition
and tailor the fallback message based on whether there are
record-level failures or partition-level only.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(rdf): separate relationship failures + type lineage as prov:Activity
Two more PR review findings on #27999:
- **Relationship failures inflated failedRecords stat**: `processEntities`
was folding relationship/lineage edge failures into `failedCount`,
which becomes `failedRecords` in the index stats. Records there mean
entities, computed from entity counts in `totalRecords`. Counting
per-edge relationship failures could push `failedRecords` above
`processedRecords`/`totalRecords` and produce nonsensical
per-entity stats.
Track them separately: add `relationshipFailureCount` to
`BatchProcessingResult` and `PartitionResult`. `failedCount` now stays
entity-level. The completion tracker is fed the broader
`result.hasAnyFailure()` so partitions where relationship triples
failed don't get prematurely promoted as success even though their
entity writes succeeded.
- **`detailsResource` wasn't typed as prov:Activity**: the resource
carries Activity-shaped predicates (prov:startedAtTime,
prov:endedAtTime, prov:used, prov:hadPlan, prov:wasGeneratedBy,
prov:wasAssociatedWith) but only the OM-specific
`om:LineageDetails` rdf:type. Add an explicit
`rdf:type prov:Activity` so PROV-O reasoners and federated SPARQL
clients recognize it as an Activity without having to learn the
OM type.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(rdf): label lineage edges relative to focal node
The Knowledge Graph view was labeling every edge with relation
type "upstream" as "Upstream" regardless of direction relative to the
focal node. For a focal node F, the raw stored relation `(F, X, upstream)`
means "F is upstream of X" — i.e. X is *downstream* of F. The previous
output labeled both `F → X` and `X → F` edges as "Upstream", which made
bidirectional lineage look like a duplicated relation.
Re-orient the label in `convertEdgesToGraphData` based on whether the
focal is the edge's source or target:
- focal → X → "Downstream"
- X → focal → "Upstream"
- non-focal-touching edges keep the raw relation label.
Reported on a sample-data table with a circular lineage cycle
(`dim_customer ↔ fact_orders`) where both directions showed "Upstream".
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(rdf): close remaining Copilot review gaps
Three findings from PR #27999's third review pass — all about failure
signals being silently dropped between layers:
- **`RdfIndexApp.processTask` ignored relationship failures**: only
`result.failedCount() > 0` was treated as a failure, so partitions
whose Fuseki relationship/lineage writes failed (incrementing
`relationshipFailureCount` but not `failedCount`) never wrote
`jobData.failure`. Switch to `result.hasAnyFailure()` and report the
combined count.
- **`checkAndUpdateJobCompletion` ignored partition `lastError`**: a
partition can finish COMPLETED with `lastError` set when a relationship
bulk write was caught and recorded but didn't bump `failedRecords` or
flip the partition to FAILED. The job would then go to COMPLETED even
though there were real failures. Treat the presence of any
`rdf_index_partition.lastError` as an error signal — promote to
COMPLETED_WITH_ERRORS and aggregate sample errors into the job's
errorMessage if it was blank.
- **`forwardEquivalentPredicate` mapped to a non-existent
`om:DOWNSTREAM` URI**: OpenMetadata only stores lineage with
`om:UPSTREAM` (forward) and `prov:wasDerivedFrom` (reverse PROV-O
pair); there is no `om:DOWNSTREAM` predicate written anywhere — the
downstream view is derived by reading the same UPSTREAM edge from the
other side. Map both `prov:wasDerivedFrom` and `prov:wasInfluencedBy`
to `om:UPSTREAM` (both are reverse-direction causation predicates: in
`B wasDerivedFrom A` / `B wasInfluencedBy A` the source is A and
effect is B, so the canonical forward predicate is the same).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* Fix RDF tag mapper
* Fix all the comments
Cherry-picked from #27562 (without bin/ autogenerated noise).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* Align RdfPropertyMapper tests with refactor and isolate ontology export IT
RdfPropertyMapperTest still referenced the removed addVotes helper and
expected addStructuredProperty to dispatch votes — both gone after votes
was added to IGNORED_PROPERTIES. Update the assertions accordingly.
GlossaryOntologyExportIT timed out on the full suite because it flips a
global RDF singleton in @BeforeAll and each test blocks a server thread on
synchronous Fuseki writes. SAME_THREAD only serialized methods within the
class — concurrent classes still raced for server threads. Adding @Isolated
matches the pattern already used by RdfResourceIT for the same reason.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(rdf): align addCertification typing + relationType after predicate flip
Two findings on PR #27999 from the post-cherry-pick review pass:
- **`addCertification` mis-typed glossary-source certifications and
skipped skos:Concept**: it always emitted `om:Tag` regardless of
source, even though `resolveTagResource` returns a glossaryTerm URI
when the certification points at a glossary term. It also didn't add
`skos:Concept` (or the `createTypeResource("tag")` `skos:Concept` for
classification tags), so SPARQL queries filtering certification
targets by `a skos:Concept` missed them while `addTagLabel`-emitted
tags were findable. Mirror `addTagLabel`: branch on source
(`Glossary` vs `Classification`), emit the right primary type plus
`skos:Concept` (glossary) or `om:Tag` (classification), and include
`om:tagSource`.
- **`relationType` left stale after predicate flip**: when
`parseEntityGraphEdgesFromResults` flipped subject/object for a
reverse-direction predicate and rewrote `canonicalPredicate` to
`om:UPSTREAM`, it kept the original `relationType` derived from the
reverse predicate. So `prov:wasInfluencedBy` produced an EdgeInfo
with `relationType=downstream` + `predicate=om:UPSTREAM` —
internally inconsistent, and the mismatched `edgeKey` prevented
dedup against an existing UPSTREAM edge with the same endpoints.
Re-derive `relationType` from the canonical predicate after the
flip.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(rdf): close 2 review findings + add parser-helper unit tests
Two outstanding Copilot findings on PR #27999 plus targeted unit
coverage for the helpers that drive lineage canonicalization.
Findings:
- **`colLineageUri` collision risk** (RdfRepository): the deterministic
key replaced non-alphanumerics in `toColumn` with `_`, so distinct
column names (e.g. `a-b` vs `a_b`) collapsed onto the same URI, which
would lose / overwrite column-lineage resources during reindex.
Append the loop index as a tiebreaker so distinct columns keep
distinct URIs.
- **`createTypeResource` missing dprod prefix** (RdfPropertyMapper):
the `getNamespace` switch didn't recognize `dprod`, so
`RdfUtils.getRdfType("dataProduct")` (returns `dprod:DataProduct`)
produced an invalid `dprod:DataProduct` URI on the wire. Added the
`DPROD_NS = https://ekgf.github.io/dprod/` constant and a `dprod`
case in the switch.
Coverage:
- New `RdfParserHelpersTest` exercises the canonicalization helpers
via reflection: `isReverseDirectionPredicate` (recognizes
PROV-O causation predicates, ignores forward predicates),
`forwardEquivalentPredicate` (both `wasDerivedFrom` and
`wasInfluencedBy` collapse to `om:UPSTREAM` so dedup works),
`relativeRelationLabel` (focal-relative Upstream/Downstream
flipping with all the boundary cases — non-focal edges,
non-lineage relations, null focal).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(rdf): merge array contexts before per-field resolution
The third (low-confidence "suppressed") finding on review 4256830399
turned out to be a real duplication: when a field is mapped in one
context map of an array context but absent from another, the previous
processArrayContext ran processContextMappings once per map. The pass
where the field IS mapped emits the proper `om:hasOwner <ref>` triples
(plus `prov:wasAttributedTo`); the pass where the field is absent
falls through to processUnmappedField and emits an additional
`om:owners <ref>` triple. Net: two predicates for the same logical
relationship.
Verified on the live Fuseki: 113 `om:hasOwner` triples vs 112
`om:owners` triples — one set per pass.
Fix: flatten all context maps in the array into a single merged map
once, then iterate entity fields exactly once against that combined
view (later contexts win on key conflicts, matching JSON-LD context
merge semantics). Each field is resolved against the union of
mappings, so the unmapped fallback only fires for fields truly absent
from every context. Net effect: `prov:wasAttributedTo` count is
unchanged, `om:hasOwner` is unchanged, and the redundant `om:owners`
triples disappear.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(rdf): close 2 review findings on coordinator finalization race
Two findings from PR #27999 review 4259628860:
- **`checkAndUpdateJobCompletion` early-returned before lastError check
could promote**: `refreshAggregatedJob` already marks the job COMPLETED
when partitions all finish without `failedRecords`/`failedPartitions`,
so `checkAndUpdateJobCompletion`'s subsequent `if (job.isTerminal())`
short-circuit silently dropped the lastError signal. Move the
partition-lastError check INTO `refreshAggregatedJob` so both code
paths produce consistent terminal status — a partition that finished
COMPLETED but carries a non-null lastError now correctly promotes the
job to COMPLETED_WITH_ERRORS regardless of which finalizer wins the
race.
- **`completePartition` / `failPartition` overwrote CANCELLED state**:
the unconditional partition row update lost a concurrent Stop's
CANCELLED status if a worker finished its batch after the Stop
request landed but before noticing it. Add a status-guarded
`updateIfProcessing` DAO method (UPDATE ... WHERE id = :id AND
status = 'PROCESSING') and have both completion paths use it; if 0
rows update, log and skip the side effects (no server-stat increment,
no refreshAggregatedJob call) so the authoritative CANCELLED status
stays. Mirrors the pattern SearchIndex's coordinator uses for the
same race.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Pere Miquel Brull <peremiquelbrull@gmail.com>
|
||
|
|
86e1d88386
|
security: Include branch name in security scan Slack alerts and fail only on high vulnerabilities (#27977)
* Add branch context to security scan Slack alerts and upload CSV findings summary
* change failing severity from medium to high & address gitar
* fix csv formatting
* revert flattening changes
|
||
|
|
297c01cea7
|
Fix (#27660): Re-enable Exasol cli-e2e-tests after fixing issues (#27661)
* Re-enable Exasol cli-e2e-tests after fixing issues
* Revert accidental changes from branch switch
* Adapt exasol.yml for tests
* Add get_table_comment setup and re-enable test_vanilla_ingestion
* Add type hints to maintain signature
* SQLA-E does not include get_all_table_comments and will come later, so ignore for now
* Add return type too
|
||
|
|
ca2d0122db
|
test(playwright): add nightly SAML session renewal coverage (#27619)
* test(playwright): add nightly SAML session renewal spec
Covers OM's JWT refresh behavior for SAML sessions end-to-end against the local Keycloak fixture: silent refresh after expiry, concurrent 401s queuing behind a single refresh call, and forced re-login when the server-side SAML HttpSession is gone. Reuses the snapshot/restore mechanism and keycloak-azure-saml provider helper introduced in #27164; shortens samlConfiguration.security.token Validity to 10s so the suite observes multiple expiry cycles in <60s.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Update openmetadata-ui/src/main/resources/ui/playwright/utils/sessionRenewal.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* test(playwright): drop expiry wait from refresh-on-reload SSO specs
The reactive 401 refresh path races with the AuthProvider useEffect that wires tokenService.renewToken from authenticatorRef — if the 401 from /users/loggedInUser lands before that effect commits the populated ref, refreshToken() returns null and the user is logged out instead of refreshed. With tokenValidity=10s (< EXPIRY_THRESHOLD_MILLES=60s), the UI's proactive timer in startTokenExpiryTimer fires immediately on every mount, so /auth/refresh is exercised on each reload regardless of expiry state. Assertions on token rotation and session continuity still cover "silent refresh works end-to-end". The SAML-session-gone case still waits for expiry — it needs to.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* test(playwright): trigger refresh via SPA nav in SSO renewal specs
page.reload() remounts React and re-races the axios interceptor setup in AuthProvider — the useEffect that wires authenticatorRef.renewIdToken onto TokenService has a ref-typed dependency that doesn't reliably re-run, so the first 401 after reload sometimes finds renewToken=null and the interceptor silently logs the user out instead of refreshing.
Click the Explore sidebar link instead. The click triggers authenticated API calls while staying inside the already-mounted React tree, so the interceptor always reaches the wired TokenService. Spec now passes 10/10 locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Siddhant <siddhant@MacBook-Pro-621.local>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
||
|
|
d095413ed1
|
fix(ci): nightly workflow running stale project getting failed [skip-ci] (#27849)
|
||
|
|
7b01731754
|
GEN-5164: Add cherry pick matrix (#27674) | ||
|
|
84ed278720
|
chore(ingestion): enable basedpyright across the codebase via baseline (#27755)
* chore(ingestion): enable basedpyright across the codebase via baseline
Removes the ~25 paths from `[tool.basedpyright] ignore` (which excluded
roughly 90% of the codebase from type checking) and grandfathers the
existing violations into a baseline file. New violations in any
previously-ignored file now fail CI.
Changes:
- ingestion/pyproject.toml: drop the entire `ignore = [...]` block
- ingestion/setup.py: bump `basedpyright~=1.14` to `~=1.39.0`
- ingestion/.basedpyright/baseline.json (new, ~13MB): captures the
starting violation set (~18.8K errors + ~37.4K warnings) so the
migration is behavior-preserving. Regenerate with
`cd ingestion && basedpyright -p pyproject.toml --baselinefile
.basedpyright/baseline.json --writebaseline`. basedpyright analysis
has minor non-determinism (similar to ruff's), so re-running
--writebaseline a few times converges the baseline.
- ingestion/noxfile.py: pass `--baselinefile .basedpyright/baseline.json`
to the basedpyright invocation in the `static-checks` session so CI
honors the grandfathering. CI already runs the session via
`cd ingestion && nox --no-venv -s static-checks` (py-tests.yml).
- ingestion/Makefile: `make static-checks` now delegates to
`nox -s static-checks` so local invocations match CI exactly. Also
drops the dead Python 3.9 / OM_SKIP_SDK_PY39 branch (we require
Python >=3.10 since the previous modernization PR).
- .gitignore: add `.serena/` (local language-server cache)
* chore(ingestion): add nox to the dev dependency set
The static-checks Makefile target and the py-tests CI job both delegate
to `nox -s static-checks`, but nox was being installed as a separate
side step (`pip install nox` in `install_dev_env`, `uv pip install nox`
in the test-environment composite action). Listing it in dev extras
means a plain `pip install ingestion[dev]` brings it in.
* chore(ingestion): pin basedpyright analysis to py3.10; CI runs once
Following the basedpyright + multi-Python-version research:
- ingestion/pyproject.toml: add `pythonVersion = "3.10"` to
[tool.basedpyright] so type-checking always analyzes for the lowest
supported Python version. Forward-incompatible code (tomllib usage,
PEP 695 generics, etc.) is caught at type-check time regardless of
which Python interpreter runs the checker.
- .github/workflows/py-tests.yml: gate the "Run Static Checks" step on
`matrix.py-version == '3.10'`. With pythonVersion pinned, results are
identical across the matrix; running once avoids redundant work and
keeps the baseline file deterministic. Unit tests still run on the
full 3.10/3.11/3.12 matrix to verify runtime compatibility.
- ingestion/.basedpyright/baseline.json: regenerated cleanly with the
new pythonVersion config (~18.8K errors / ~37.3K warnings, similar
scale to the previous baseline). Aligns with the canonical
type-check-on-floor / test-on-matrix pattern used by Pydantic, CPython,
and other major Python projects.
* chore(ingestion): pin basedpyright pythonPlatform to Linux + regen baseline
CI's previous run still surfaced ~9 issues (2 errors + 7 warnings) that
weren't in the baseline. Root cause: my local environment differs from
CI's in three ways that affect type inference — Python interpreter
(3.11 vs 3.10), platform (Darwin vs Linux), and pip-resolved package
versions (couchbase, avro, trino, sqlalchemy stubs all differ slightly).
This commit closes the platform gap and regenerates the baseline from a
fresh CI-equivalent environment:
- ingestion/pyproject.toml: add `pythonPlatform = "Linux"` to
[tool.basedpyright] so type-checking uses the Linux subset of stdlib /
third-party stubs regardless of where the analyzer runs.
- ingestion/.basedpyright/baseline.json: regenerated against a fresh
Python 3.10 venv installed via `uv pip install ingestion[test]` (the
same install path CI's setup-openmetadata-test-environment composite
action uses). New scale: ~18.7K errors / ~37.5K warnings — same
ballpark as the previous baseline, with column positions now matching
CI's environment.
Local-developer note: when running `make static-checks` from a venv
that doesn't mirror CI exactly (e.g. macOS, Python 3.11, different
package versions), you may see drift errors. The supported workflow for
regenerating the baseline is to mirror CI:
python3.10 -m venv /tmp/ci-mirror
source /tmp/ci-mirror/bin/activate
uv pip install --upgrade pip "setuptools<81"
uv pip install --no-build-isolation "cx_Oracle>=8.3.0,<9"
uv pip install -e "ingestion[test]"
uv pip install "basedpyright~=1.39.0" nox
cd ingestion && basedpyright -p pyproject.toml \
--baselinefile .basedpyright/baseline.json --writebaseline
* chore(ingestion): drop pythonPlatform pin and regen baseline from CI-mirror
The previous attempt added `pythonPlatform = "Linux"` thinking it would
make the local-generated baseline match CI. It did the opposite — Linux
platform stubs activate additional conditional code paths that weren't
analyzed before, so CI saw 101 errors instead of the prior 2 errors.
Reverting:
- Drop `pythonPlatform = "Linux"` from [tool.basedpyright]. Without it,
basedpyright analyzes for the host platform; on CI's ubuntu-latest
runner that's Linux automatically, but type-stub coverage stays the
same as before (matching the
|
||
|
|
1fa0c79d27
|
chore(github): migrate issue templates to structured forms (#27710)
* chore(github): migrate issue templates to structured forms
- Convert bug_report, feature_request, doc_update to GitHub issue forms (YAML)
- Add connector_bug form with free-text Connector field
- Drop epic and feature_task templates (stale since 2022, no usage evidence)
- Add auto-label workflow that maps the Connector field to a namespaced connector:<name> label, falling back to connector:other on 0 or 2+ matches
- Labels are applied exclusively and auto-created with a grey "Connector" description when missing
* chore(github): drop redundant pipeline type field from connector_bug form
Feature area already covers metadata/lineage/profiler/usage distinction.
* fix(github): address PR review feedback
- bug_report.yml: add labels: ["bug"] for pattern consistency
- label-connector.yml: add contents: read permission (needed by checkout)
- label_connector.py: raise on unexpected HTTP status; accept 404 for idempotent GET-label and DELETE-label-from-issue; stop echoing the raw Connector field value into workflow logs |
||
|
|
878421a644
|
fix: enable subprocess coverage tracking for CLI E2E tests (#27329)
* fix: enable subprocess coverage tracking for CLI E2E tests
CLI E2E tests run connectors via `subprocess.Popen("metadata ingest")`
but the subprocess coverage data was silently lost. Two issues:
1. Missing `parallel = true` in coverage config — parent pytest process
and child subprocess both wrote to the same `.coverage` file, causing
data collision. With parallel mode, each process writes to its own
`.coverage.<pid>` file that `coverage combine` can merge.
2. `COVERAGE_PROCESS_START` used a relative path (`ingestion/pyproject.toml`)
in sitecustomize.py. Resolved to absolute using `GITHUB_WORKSPACE`.
Evidence: Metabase (zero unit tests, only E2E) shows 53.6% on SonarCloud
with client.py at 17.2% — inspection of .coverage.metabase confirms only
import-time + in-process setup lines are present, with zero method body
coverage from the subprocess execution.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: remove -a (append) flags incompatible with parallel coverage mode
`coverage run -a` and `coverage combine -a` conflict with `parallel = true`
in the coverage config. In parallel mode each process writes to its own
`.coverage.<pid>` file, and `coverage combine` merges them — no append needed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* MINOR: Fix snowflake e2e (#26677)
* MINOR: Fix snowflake e2e
* fix pyformat
* improve snowflake test
* fix count
* mark flaky auto classification test
* improve test address comment
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
||
|
|
0a98f5bf32
|
test(playwright): add nightly SSO login spec starting (#27164)
* test(playwright): add nightly SSO login spec starting with Okta
Extends Playwright coverage end-to-end for SSO login flows. Today's SSO
coverage (Features/SSOConfiguration.spec.ts) only asserts the config
form UI. This adds a new suite that configures OpenMetadata to an
external identity provider, drives a real login through the provider's
hosted UI, and validates the resulting session against the OM API.
Phase 1 ships Okta only (integrator-9351624.okta.com). Additional
providers (Auth0, Azure, Cognito, SAML, Google) plug into the same
dispatcher by adding a ProviderHelper implementation.
## What's new
- playwright/e2e/Auth/SSOLogin.spec.ts — two-test suite tagged @sso
1. Asserts the SSO sign-in button renders on /signin with the correct
brand label and that the basic-auth form is not shown.
2. Clicks the button, drives the provider's login widget, follows the
OAuth callback, completes first-run self-signup when needed,
lands on /my-data, then verifies the JWT by calling
GET /api/v1/users/loggedInUser and asserting the returned email
matches SSO_USERNAME.
- playwright/utils/ssoAuth.ts — provider-agnostic orchestration:
applyProviderConfig (PUT /api/v1/system/security/config),
restoreBasicAuth, buildAuthContextFromJwt, verifyLoggedInUserMatches.
Composes existing getApiContext/getAuthContext/getToken helpers — no
token extraction or HTTP plumbing is reimplemented.
- playwright/utils/sso-providers/{index,okta}.ts — ProviderHelper
interface plus the Okta Identity Engine widget driver. Defaults the
dev tenant values from the committed openmetadata.yaml snippet so the
spec only needs SSO_USERNAME/SSO_PASSWORD to run locally.
- playwright/constant/ssoAuth.ts — env var key constants,
PROVIDER_BUTTON_TEXT map, and the BASIC_AUTH_CONFIG payload used for
cleanup.
- playwright.config.ts — new 'sso-auth' project matching
playwright/e2e/Auth/**/*.spec.ts with its own serial workers, and
'**/Auth/**' added to the chromium project's testIgnore so these
tests never run in the default suite.
## How provider switching works
beforeAll logs in as admin via basic auth, captures the admin JWT via
getToken(page) BEFORE the swap, then PUTs the Okta config. The admin
JWT survives the provider swap because OM's internal JWKS stays in
publicKeyUrls and the admin user's isAdmin flag is persisted in the DB.
afterAll rebuilds an API context from that JWT and restores basic auth,
making the spec fully idempotent — the same OM instance can run the
suite repeatedly without any manual cleanup.
## Running locally
export SSO_PROVIDER_TYPE=okta
export SSO_USERNAME='<okta-test-user>'
export SSO_PASSWORD='<okta-test-password>'
npx playwright test playwright/e2e/Auth/SSOLogin.spec.ts \
--project=sso-auth --workers=1
Verified end-to-end against integrator-9351624.okta.com — both tests
pass in ~12s on an already-provisioned user, ~14s on first-run
self-signup. Cleanup leaves the server in basic-auth mode.
## Notes for reviewers
- The existing .github/workflows/playwright-sso-tests.yml already wires
up the CI matrix and secret names; this change intentionally does
NOT enable the cron schedule. That lands in a follow-up once one
provider is stable for a few nightly runs.
- OKTA_SSO_CLIENT_ID / OKTA_SSO_DOMAIN / OKTA_SSO_PRINCIPAL_DOMAIN env
vars can override the baked-in dev tenant defaults if a different
Okta tenant is used in CI.
* ci: add dedicated SSO Login Nightly workflow
Adds .github/workflows/playwright-sso-login-nightly.yml, a standalone
workflow that runs the new SSOLogin spec nightly at 03:00 UTC instead
of piggy-backing on playwright-sso-tests.yml.
The existing playwright-sso-tests.yml is left untouched — it still
covers the SSO configuration form UI via SSOConfiguration.spec.ts and
its matrix/secrets wiring is unchanged. The new workflow complements
it with a real end-to-end login round-trip:
- Schedule: cron '0 3 * * *'
- Provider matrix: okta only for Phase 1 (extended as helpers ship)
- Invokes playwright/e2e/Auth/SSOLogin.spec.ts under the new
sso-auth Playwright project with workers=1
- Wires provider credentials via secrets with the existing
{PROVIDER}_SSO_USERNAME / {PROVIDER}_SSO_PASSWORD convention plus
optional OKTA_SSO_CLIENT_ID / OKTA_SSO_DOMAIN /
OKTA_SSO_PRINCIPAL_DOMAIN overrides
- Uses the shared setup-openmetadata-test-environment composite
action, PostgreSQL, ingestion disabled — matching the existing SSO
tests workflow
- Uploads the HTML report as an artifact on every run and cleans up
the docker stack in a final always-run step
* refactor(playwright): simplify ssoAuth helpers
- verifyLoggedInUserMatches now asserts directly on the lowercased
email field instead of building a candidate array and feeding it a
long stringified failure message. The assertion failure already
shows expected vs received, so the wrapper string was just noise.
- Drop buildAuthContextFromJwt — it was a one-line wrapper around
getAuthContext. The spec calls getAuthContext directly now.
* refactor(playwright): address SSO suite review feedback
- Extract OM_BASE_URL from PLAYWRIGHT_TEST_BASE_URL (with the same
http://localhost:8585 default as playwright.config.ts) and export
it from constant/ssoAuth.ts. okta.ts and BASIC_AUTH_CONFIG both
consume it, so callbackUrl, the OM JWKS entry in publicKeyUrls, and
the basic-auth restore payload all match the test target — including
CI runs against non-default hosts.
- Drop PROVIDER_BUTTON_TEXT. It was exported but never imported; the
ProviderHelper.expectedButtonText field is the only source of truth
for the SSO sign-in button label and the spec already reads from it.
- Restore the OM convention adminPrincipals: ['admin'] in the Okta
config (matches conf/openmetadata.yaml's AUTHORIZER_ADMIN_PRINCIPALS
default). The previous code was granting admin to whichever IdP user
ran the suite — verifyLoggedInUserMatches only needs an authenticated
session, not admin, so the elevation was unnecessary. This also drops
the now-unused requireEnv on SSO_USERNAME inside okta.ts; the spec
itself still gates on the env var via test.skip.
- Set workers: 1 on the sso-auth Playwright project. fullyParallel:
false alone wasn't enough — the global workers: 3 on CI could still
fan out across multiple Auth/**/*.spec.ts files in the future. The
explicit limit enforces full isolation as more provider specs land.
* ci: avoid CodeQL "Excessive Secrets Exposure" in SSO Login Nightly
Replaces the dynamic secret lookup
secrets[format('{0}_SSO_USERNAME', upper(matrix.provider))]
with a static reference
secrets.OKTA_SSO_USERNAME
CodeQL flagged the dynamic indexing because GitHub Actions can only
mask & scope secrets that are referenced statically. With a computed
key, the runner has no way to know which single secret is needed and
conservatively materializes EVERY org and repo secret into the step's
environment — even though the test only reads OKTA_SSO_*. Static
references let GitHub expose only the two credentials this step
actually uses.
Phase 1's matrix is okta-only so the change is two lines. The added
inline comment documents the convention for future providers: add a
sibling step gated by `if: matrix.provider == '<provider>'` with that
provider's static secret references — do not bring back the
secrets[format(...)] pattern.
* refactor(playwright): capture/restore real security config in SSO suite
- Snapshot /system/security/config in beforeAll, restore exact payload in
afterAll instead of PUTting a hand-rolled basic-auth baseline (preserves
allowedDomains, forceSecureSessionCookie, adminPrincipals, etc.)
- Strip ldap/saml subtrees from the snapshot: GET returns empty-string
placeholders the PUT validator rejects
- Require OKTA_SSO_{CLIENT_ID,DOMAIN,PRINCIPAL_DOMAIN} via getRequiredEnv;
no more hardcoded tenant defaults
- Fail fast in beforeAll if admin JWT capture returns empty string so the
server is never left stuck in SSO mode
- Shrink Okta provider override to just the fields Okta needs; sibling
authorizer fields come from the captured snapshot
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ci(sso-login): extract per-provider composite action
Restructures the nightly workflow so provider credentials stay statically
referenced for CodeQL while making it trivial to add new providers:
- New composite action .github/actions/sso-login-run bundles all shared
setup + test-run logic; pulls non-secret provider config from the
caller's vars context dynamically (${PROVIDER_UPPER}_SSO_*)
- playwright-sso-login-nightly.yml becomes a thin dispatcher with one
real job per provider. Each job declares environment: test so it can
resolve its password via a static secrets.<PROVIDER>_SSO_PASSWORD
reference (no secrets[format(...)] dynamic lookup, CodeQL clean)
- Adding a provider = copy the okta job stanza, swap the secret name,
add the provider to the dispatch input choices, register the helper
in sso-providers/index.ts
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor(playwright): move Okta tenant config to a repo constant
The Okta tenant identifiers (clientId, domain, principalDomain) are
non-secret OAuth public values — visible on the hosted login page
during any sign-in. Keeping them in GitHub environment variables cost
setup friction (5 env vars to configure locally, each a potential typo)
without any security benefit. Move them back to a committed OKTA_TENANT
constant in okta.ts where a reviewer can see exactly which tenant the
suite is exercising.
Net effect:
- Local runs only need SSO_PROVIDER_TYPE, SSO_USERNAME, SSO_PASSWORD.
- The test environment in GH Actions keeps OKTA_SSO_USERNAME (variable)
and OKTA_SSO_PASSWORD (secret); the three tenant variables are no
longer consumed.
- Composite action drops the jq-based dynamic var extraction; the
caller passes sso_username directly.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ci(sso-login): move timeout-minutes from composite step to job level
Composite actions don't support timeout-minutes on individual steps —
that's a runner job field only. Move the 30-minute test timeout up to
the dispatcher job and bump to 45 minutes to cover docker + maven setup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ci(sso-login): consolidate dispatcher + composite action into one file
Collapse the dispatcher workflow + composite action split into a single
~115-line workflow using a strategy matrix and dynamic
vars[format(...)] / secrets[format(...)] credential resolution keyed on
the matrix provider name.
Trade-off:
- CodeQL "Excessive Secrets Exposure" (low severity) will re-flag the
dynamic secret lookup. Accepted in exchange for a single source of
truth and true zero-workflow-churn multi-provider support.
Onboarding a new provider is now:
1. Add its name to the matrix array + dispatch options list.
2. Add <PROVIDER>_SSO_USERNAME (variable) + <PROVIDER>_SSO_PASSWORD
(secret) in the test environment.
3. Register the helper in sso-providers/index.ts.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ci(sso-login): drop provider-prefix bash step; use case-insensitive lookup
GitHub secret and variable names are case-insensitive, so
format('{0}_SSO_PASSWORD', matrix.provider) with the lowercase matrix
value resolves correctly against the uppercase conventional names like
OKTA_SSO_PASSWORD. That removes the need for a separate "Compute
provider prefix" step and its cross-step env-context plumbing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ci(sso-login): drop redundant case-insensitivity comment
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ci(sso-login): pin playwright install to 1.57.0 to match package.json
The previous 1.51.1 pin was stale vs. the @playwright/test version in
package.json. The mismatch caused browser cache path divergence — the
install step wrote browsers under 1.51.1's cache and the test run
looked for them under 1.57.0's cache and failed with "browsers not
installed."
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor(playwright): address SSO suite review comments [skip ci]
- Drive Okta tenant (clientId, domain, principalDomain) from env vars,
falling back to the existing nightly tenant values as defaults
- Use redirectToHomePage as the final assertion in the SSO login step
- Document why the /signup vs /my-data branch is conditional
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* saml
* test(playwright): add SAML providers to SSO login nightly
Extend the nightly SSO login matrix with Azure AD SAML and a self-contained
Keycloak SAML fixture (Azure-profile + Google-profile realms), so the suite
exercises the full SAML flow end-to-end without relying on a hosted IdP.
- docker/local-sso/keycloak-saml: Keycloak 26.3.3 compose + pre-imported
realms bound to OM at localhost:8585, port-overridable via
KEYCLOAK_SAML_PORT.
- playwright sso-providers: azure-saml helper (hosted tenant, non-secret
federation metadata committed) and keycloak-saml factory that fetches the
realm's IdP X509 at runtime.
- SSO assertion matches OM's actual SAML sign-in label ("Sign in with
SAML SSO"), since providerName isn't propagated into the store for the
SAML provider branch of getAuthConfig.
- Workflow starts/stops the Keycloak stack only for keycloak-* matrix rows
and injects the fixture credentials inline.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor(playwright): fetch Azure SAML IdP cert at runtime
Drop the committed Azure Federated SSO X509 certificate and the
AZURE_SAML_IDP_CERTIFICATE env fallback from the azure-saml provider.
The cert now comes from Azure's federation metadata XML endpoint at test
start, mirroring how the Keycloak provider resolves its realm cert, so the
suite stays aligned with Azure's ~3-year cert rotations automatically.
- New saml-metadata.ts exporting fetchIdpX509Certificate(descriptorUrl,
label), reused by azure-saml and keycloak-saml.
- azure-saml.buildConfigPayload is now async and pulls the cert from
https://login.microsoftonline.com/<tenantId>/federationmetadata/2007-06/federationmetadata.xml
before building the SAML payload.
- keycloak-saml drops its inline cert-fetching helpers and delegates to
the shared util.
- Trim narration comments across the SSO suite to keep only the
non-obvious rationale.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor(playwright): drop hosted Azure SAML provider
The nightly Keycloak SAML fixture with Azure-profile attribute claims
exercises the same OM SAML code path as the hosted Azure AD tenant. The
hosted provider added external tenant/cert coupling without unique
coverage, so this removes it.
Drops the azure-saml helper, its env keys (AZURE_SAML_TENANT_ID /
AZURE_SAML_PRINCIPAL_DOMAIN), the dispatcher registration, and the
workflow dispatch option. Keycloak Azure/Google realms remain.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* test(playwright): cover SSO session lifecycle end-to-end
Extends the SSO login spec beyond "can you log in" to the full session
round-trip: reload survives, same-context tabs inherit auth, sidebar
logout (with modal confirm) lands on /signin, and post-logout refresh
stays signed out.
Adds a describe-scoped userContext/userPage created in beforeAll so
tests 2-6 inherit the IdP-backed session; test 1 keeps its fresh
fixture for the unauthenticated assertion. Cleanup closes the user
context before restoring the server security config.
Verified locally against keycloak-azure-saml and keycloak-google-saml
realms: 6 passed each (was 2).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* remove slow from individual spec
* remove slow from beforeAll
* style(playwright): fix SSOLogin spec prettier issues
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* test(playwright): tighten SSO sign-in locator and await logout response
Address Copilot review comments on PR #27164:
- Use button.signin-button to match the pattern in SSOAuthentication.spec.ts.
- Await /api/v1/users/logout POST alongside the /signin navigation in
the logout test to remove the race against the server response.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix
* Update openmetadata-ui/src/main/resources/ui/playwright/e2e/Auth/SSOLogin.spec.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fix
* test(playwright): resolve SSO creds via env vars, drop keycloak-google-saml
Route Keycloak credentials through the same `vars[format(...)]` /
`secrets[format(...)]` indirection as Okta via an `env_prefix` matrix
column, removing the hardcoded fixture literals from the workflow.
Password lookup falls back `vars || secrets` so fixture passwords can
live as vars while real provider secrets stay in secrets.
Also drop the keycloak-google-saml variant — same IdP and realm shape
as the Azure variant, so it adds CI cost without meaningful coverage.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* test(playwright): post SSO login nightly results to Slack
Adds a per-provider Slack notification step mirroring the pattern used
by the postgresql/mysql nightly workflows — reuses the existing
`slack-cli.config.json` and `playwright-slack-report` CLI against the
`results.json` that the global JSON reporter already emits.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(playwright): drop logout response wait in SSO spec
OktaAuthenticator.logout clears tokens locally with no backend call, and
GenericAuthenticator (SAML) hits `GET /auth/logout` — neither triggers
the `POST /api/v1/users/logout` the test was waiting on. The listener
never matched, so `Promise.all` hung past the 180s test timeout even
though the page had already navigated to /signin.
Rely on `waitForURL('**/signin')` + the signin button assertion, which
are the actual cross-provider success signals.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Siddhant <siddhant@MacBook-Pro-457.local>
Co-authored-by: Siddhant <siddhant@MacBook-Pro-529.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Siddhant <siddhant@MacBook-Pro-621.local>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
||
|
|
12ce3b614d
|
Chore(UI): consolidated UI checkstyle fix commands and modify workflow comment (#27402)
* feat: add consolidated UI checkstyle commands for all and changed files
* update prt to pr
* test commit to fail ui-checkstyle
* update the comment
* Revert "test commit to fail ui-checkstyle"
This reverts commit |
||
|
|
50c17502cf
|
MINOR - Enable merge group GH event (#27371)
* chore: added merge_group for github merge queue
* chore: remove unnecessary merger group on team labeler
* fix: added gates for merge queue and pull request events |
||
|
|
1dedc0cf15
|
Add k8s-operator unit tests to PR CI (#27387)
* Add k8s-operator unit tests to PR CI pipeline
The k8s operator tests only ran during manual release builds. Add a path-filtered job so they run on PRs touching openmetadata-k8s-operator/**, following the same Detect Changes pattern used by the service unit tests.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Remove -DfailIfNoTests=false — we want to catch missing tests
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix k8s-operator tests: add surefire includes and remove unnecessary stub
Parent POM surefire includes only match org.openmetadata.service.*, so operator tests under org.openmetadata.operator.* were silently skipped. Override with **/*Test.java in the operator pom.xml. Also remove unused KubernetesClient mock stub from CronOMJobReconcilerTest.setUp — no test reaches the code path that calls context.getClient(), causing UnnecessaryStubbingException.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Rename k8s-operator to k8s_operator in workflow outputs
Hyphens in output names are parsed as subtraction in GitHub Actions expressions dot notation, so the job condition would never trigger.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix filesystem paths — underscore rename only applies to output keys
The replace_all incorrectly changed directory names from openmetadata-k8s-operator to openmetadata-k8s_operator. Only the GitHub Actions output key needs the underscore; all file paths must use the actual hyphenated directory name.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Drop -am flag from k8s-operator test command
openmetadata-service is a provided-scope dependency, so -am tries to compile it including shaded ES/OS jars that aren't available in a clean CI environment. The operator module compiles fine on its own.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix invalid YAML in conf/openmetadata.yaml
The CSP policy line has unescaped colons inside the value which the YAML parser interprets as mapping indicators. Use a folded block scalar (>-) so the value is parsed as a plain string.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Build k8s-operator deps before running tests
The operator depends on openmetadata-service (provided scope) which won't be in the Maven cache on a cold CI runner. Build with -am -DskipTests first, then run operator tests separately — same pattern as docker-k8s-operator.yml.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Reintroduce lenient client mock to prevent flaky NPE
The reconcile flow is time-dependent — tests using "0 * * * *" can reach context.getClient() near the top of the hour. Stub the full client.resources().inNamespace().resource().create() chain as lenient so early-return tests aren't penalized but happy-path tests won't NPE.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Revert conf/openmetadata.yaml — fix belongs in a separate PR
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|
|
f4c939869d
|
ci(security): add Retire.js workflow to detect bundled JS vulnerabilities (#27315)
* ci(security): add Retire.js workflow to detect bundled JS vulnerabilities
* address gitar
* add om existing security scan workflow
* address gitar
* add slack support & remove PR check
* address gitar
* change job name
* address comment
* address comment |
||
|
|
bb0daa180e
|
RDF, cleanup relations and remove unnecessary bindings, add distributed mode for RDF reindex (#26902)
* RDF, cleanup relations and remove unnecessary bindings, add distributed mode for RDF reindex
* Update generated TypeScript types
* Address comments from copilot
* Update generated TypeScript types
* fix test issues
* Fix minor UI bugs
* Add the missing filters
* Fix RDF export API error
* Add export functionality
* Fix ui-checkstyle
* Fix java checkstyle
* Fix unit tests
* Fix and increase the coverage for KnowledgeGraph.spec.ts
* Fix tests
* Remove rdf as default in playwright and local docker
* fix ui-checkstyle
* Address comments
* Potential fix for pull request finding 'CodeQL / Artifact poisoning'
  Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Address copilot comments
* Address copilot comments
* Fix tests
* Fix docker
* Update openmetadata-service/src/main/java/org/openmetadata/service/apps/bundles/rdf/distributed/DistributedRdfIndexCoordinator.java
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Address copilot review comments: license headers, JSON escaping, type safety, border-color, stop semantics
  Agent-Logs-Url: https://github.com/open-metadata/OpenMetadata/sessions/c026e52e-162b-4c9a-9874-43791d4aaac1
  Co-authored-by: harshach <38649+harshach@users.noreply.github.com>
* Show error toast for unsupported export format in KnowledgeGraph
  Agent-Logs-Url: https://github.com/open-metadata/OpenMetadata/sessions/c026e52e-162b-4c9a-9874-43791d4aaac1
  Co-authored-by: harshach <38649+harshach@users.noreply.github.com>
* Fix docker
* Fix docker for playwright
* Fix docker for playwright
* Fix tests
* Fix tests
* Fix docker
* Fix docker
* Fix glossary and pagination spec flakiness
* update the missing translations
* Fix docker
* Fix docker
* Fix integration test
* Fix fuseki not starting
* Fixed the run local docker script
* worked on comments
* Fix flakiness in knowledge graph tests
* Fix checkstyle
---------
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Aniket Katkar <aniketkatkar97@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: harshach <38649+harshach@users.noreply.github.com> |
||
|
|
4f7be5f014
|
fix(ci): filter blob pattern causing failure to sonarcloud (#27357)
* fix(ci): filter blob pattern causing failure to sonarcloud
* fix(ci): add missing backslash continuation in sonar-scanner command
  Agent-Logs-Url: https://github.com/open-metadata/OpenMetadata/sessions/88d229f2-81dd-4662-8295-a3bb0df03815
  Co-authored-by: chirag-madlani <12962843+chirag-madlani@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> |
||
|
|
3428dfbd6a
|
Chore(UI): Fix rbac tests not running on PR checks (#26994)
* Fix rbac tests not running on PR checks
* update the dependency
* Update the SearchRBAC dependency |
||
|
|
f6258819e7
|
ci: reduce checkout history footprint in PR workflows (#27221)
* ci: reduce checkout history footprint in PR workflows
  Optimize actions/checkout usage to avoid downloading the full repo blob history on every PR run. The repo is large, so cloning everything just to run tests wastes minutes of CI time per job.
  - py-operator-build-test.yml: drop fetch-depth: 0 (no history needed)
  - openmetadata-service-unit-tests.yml: drop fetch-depth: 0 (Sonar is explicitly skipped via -Dsonar.skip=true); shallow-fetch PR base ref
  - airflow-apis-tests.yml, py-tests.yml, yarn-coverage.yml: add filter: blob:none to Sonar jobs so commits/trees remain available for blame while blobs are fetched lazily on demand
  - ui-checkstyle.yml: add filter: blob:none to all jobs that rely on tj-actions/changed-files (needs commit/tree metadata, not blobs)
* ci: drop fetch-depth: 0 from jobs that don't walk history
  Follow-up audit after the initial pass. Four jobs were still declaring fetch-depth: 0 (plus filter: blob:none in two cases) without actually needing any history beyond HEAD.
  ui-checkstyle.yml
  - i18n-sync: runs 'yarn i18n' then 'git status --porcelain'. git status compares the working tree to HEAD; no history walk. Default depth 1 is sufficient.
  - app-docs: same pattern with 'yarn generate:app-docs'.
  py-sonarcloud-nightly.yml
  - py-unit-tests: only uploads a coverage artifact, no Sonar invocation.
  - py-integration-tests: same.
  - py-combine-coverage: does run SonarSource/sonarqube-scan-action, so it genuinely needs the commit graph — added filter: blob:none for parity with the PR Sonar jobs.
* ci: remove unused 'Fetch PR base branch' step from service unit tests
  Copilot review flagged that the step was using --depth=1 while the main checkout is also shallow, which would break any merge-base operation. On investigation, nothing downstream actually uses the base ref: the only command that runs after the checkout is 'mvn ... -Dsonar.skip=true', which has no git dependency. The step was preserved defensively in the previous commit, but it's dead code — cleanest fix is to delete it. |
||
|
|
917a36c6a4
|
Potential fix for code scanning alert no. 1842: Artifact poisoning (#27220)
* Potential fix for code scanning alert no. 1842: Artifact poisoning
  Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Pin Yarn version to 1.22.18 to fix artifact poisoning alert
  Agent-Logs-Url: https://github.com/open-metadata/OpenMetadata/sessions/29aebdb5-eef0-4a2a-be01-489deef48d2b
  Co-authored-by: chirag-madlani <12962843+chirag-madlani@users.noreply.github.com>
* Fix artifact poisoning in update-playwright-e2e-docs.yml: replace npm install -g yarn with pinned corepack
  Agent-Logs-Url: https://github.com/open-metadata/OpenMetadata/sessions/550fba5a-bb13-45da-a144-b67599c9eaa4
  Co-authored-by: chirag-madlani <12962843+chirag-madlani@users.noreply.github.com>
* Remove corepack prepare to eliminate artifact poisoning: use only corepack enable (bundled yarn)
  Agent-Logs-Url: https://github.com/open-metadata/OpenMetadata/sessions/90f6ed8d-3f2b-4c3d-9a34-cd1f57c4d89c
  Co-authored-by: chirag-madlani <12962843+chirag-madlani@users.noreply.github.com>
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> |
||
|
|
b2b49db75e
|
MSAL Token Renewal Fix — Safari Session Loss (#27214)
* MSAL Token Renewal Fix — Safari Session Loss
* MSAL Token Renewal Fix — Safari Session Loss
* MSAL Token Renewal Fix — Safari Session Loss
* apply lint
* MSAL Token Renewal Fix — OIDC fix
* wait for token update
* fix unit tests
* Add SSO playwright tests
* Add tests
---------
Co-authored-by: Chirag Madlani <12962843+chirag-madlani@users.noreply.github.com> |
||
|
|
3ec31e3e68
|
Make OpenMetadata Service Unit Test Required (#27099) | ||
|
|
7f1fd1dae2
|
fix python e2e coverage (#27125)
* fix e2e coverage
* check dbt
* fix dbt e2e
* fix dbt warnings
* Apply suggestion from @Copilot
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
906d7c4c09
|
disable trivy scans from PR checks (#27017)
* disable trivy scans from workflow
* update workflows |
||
|
|
f6599b285d
|
Fix: Playwright remove all browsers binaries vulnerability (#26959) | ||
|
|
ba0b68c9e3
|
Add missing MCP entity types to EntityLink grammar (#26968)
* Add missing MCP entity types to EntityLink grammar
  Add mcpServer and mcpService to ENTITY_TYPE rule in EntityLink.g4, and add mcpExecution to ENTITIES_EXCLUDED_FROM_GRAMMAR (time-series entity, not independently linkable).
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Remove unnecessary safe-to-test label check from unit tests workflow
  The safe-to-test label is only needed for pull_request_target workflows (which run with base branch context and secrets access). This workflow uses plain pull_request, so the label check was causing spurious failures.
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> |
||
|
|
9d6ecb218a
|
Chore(UI): Fix the ui-checkstyle workflow for the json changes (#26937)
* Fix the ui-checkstyle workflow for the json changes [skip ci]
* Worked on comments |
||
|
|
1f7d030567
|
Add scripts path to skip file (#26934) | ||
|
|
a106572214
|
Ignore scripts folder for playwright and sonar check (#26929) | ||
|
|
ff6a8c5104
|
Chore(UI): Update the ui-checkstyle PR comments (#26872)
* Update the ui-checkstyle PR comments
* Address comments
* update PR comments content
* worked on comments |
||
|
|
821b2aa30f
|
Feat: Add python3.12 ingestion support (#26632)
* add python3.12 support
* time utils fix
* pyformat fix
* version changes, tests add |
||
|
|
7efbeb555c
|
GEN-4896: Fix/ghsa head ref (#26861)
* Fix github.head_ref injection with github.event.pull_request.number
* Fix github.head_ref injection with github.event.pull_request.number
* Fix github.head_ref injection with github.event.pull_request.number |
||
|
|
3ed06f3a78
|
Code cleanup based on IDE flagged warnings (#26808)
* Import cleanup
* Remove redundant throw clauses
* Unused imports
* Remove redundant overrides of method
* Fix performance related warnings
* Automated code cleanup from IDE
* Format code to follow google formatter convention
* Simplify checking for empty list
* Fix failing tests
* Fix broken interface
* Address gitar comments
* remove unit test coverage report
* remove unit test coverage report
* fix build
---------
Co-authored-by: Sriharsha Chintalapani <harsha@getcollate.io> |
||
|
|
d1fb0445fd
|
Chore(UI): Add pretty and eslint for openmetadata-ui-core-components for code quality (#26686)
* Add pretty and eslint for openmetadata-ui-core-components for code quality
* Fix eslint errors
* Address comments
* Address comments
* update checkstyle workflow to check for core-components
* work on comments
* change the workflow trigger for testing
* Add console log for testing
* fix checkstyle yml
* Fix checkstyle
* Revert the console.log
* Revert the trigger changes
* Worked on comments
* Revert all progress-indicators.tsx changes
* Work on comments
* Update the checkstyle yml for testing
* add console log
* update workflow
* test ui-checkstyle
* update workflow
* Add missing id
* Remove the console log
* Add and use core component nvmrc in checkstyle
* move the nvmrc to ui folder
* test failure
* remove console log
* Fix the checkstyle
* Add prettier fix
* Fix the format
* Update workflows and files
* Fix playwright checkstyle
* Fix playwright changes
* Fix scripts
* failing commit
* Revert "failing commit"
This reverts commit
|
||
|
|
5da884e6b8
|
ci: fix Detect Changes job failing on push to main (#26717)
Add checkout step before dorny/paths-filter@v3 in the changes job. For push events, paths-filter runs git branch --show-current locally which fails without a checkout; pull_request events use the GitHub API and are unaffected. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|
|
f6c183ed0d
|
ci: Remove dedicated ingestion shard — unify PostgreSQL E2E sharding to 5-way chromium (#26703)
* Initial plan
* Apply workflow changes: remove ingestion shard, unify args, 5-way chromium sharding
  Co-authored-by: ShaileshParmar11 <71748675+ShaileshParmar11@users.noreply.github.com>
  Agent-Logs-Url: https://github.com/open-metadata/OpenMetadata/sessions/8f0cdfed-62e8-4726-9e8b-3feeb7ab0b9f
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: ShaileshParmar11 <71748675+ShaileshParmar11@users.noreply.github.com> |
||
|
|
860c82fab2
|
Add Unit Tests coverage (#26360)
* Enable more service unit tests and fix uncovered regressions * Fix remaining broadened unit-suite regressions * Add meaningful Handlebars helper coverage * Add formatter decorator unit coverage * Improve formatter decorator coverage * Improve utility, validator, and formatter coverage * Expand OIDC validator coverage * Tighten shared OIDC validator coverage * Improve user and connection utility coverage * Cover subscription utility workflows * Cover entity field utility workflows * Expand lineage and helper utility coverage * Improve auth code flow handler coverage * Expand auth code flow handler coverage * Cover entity csv parsing flows * Deepen entity csv parser coverage * Fix search builder aggregation null handling * Expand entity utility core coverage * Cover search index utility workflows * Expand search utility coverage * Expand formatter message coverage * Harden notification markdown rendering coverage * Add notification card assembler coverage * Expand EntityCsv coverage and dry-run fixes * Expand K8s pipeline client coverage * Expand saml validator coverage * Expand rdf property mapper coverage * Expand subscription utility coverage * Fix schema field extractor coverage gaps * Expand auth refresh flow coverage * Add service unit test workflow * Enforce new-code coverage on service PRs * Add Unit Test Coverage * Expand k8s pipeline and auth flow coverage * Expand entity csv batch import coverage * Expand entity csv entity creation coverage * Expand entity csv user and flush coverage * Expand entity csv typed import coverage * Cover entity csv dependency validation paths * Expand airflow and csv utility coverage * Replace placeholder authorizer tests with real coverage * Cover PII masking security flows * Tighten async service retry and shutdown coverage * Expand security util claim coverage * Fix checkstyle * Strengthen user bootstrap utility coverage * Expand user activity tracker coverage * Expand ODCS converter coverage * Expand S3 log storage 
coverage * Expand search repository and lineage coverage * Expand search filter and index factory coverage * Expand reindex handler coverage * Expand inherited field search coverage * Expand search cluster metrics coverage * Expand search repository lifecycle coverage * Expand slack client coverage and stabilize tests * Expand search index executor control flow coverage * Cover search index utility helpers * Cover distributed indexing strategy flows * Strengthen distributed search executor coverage * Cover search reindex pipeline flows * Cover search index logging flows * Cover search index stats tracking * Cover quartz search index progress flows * Cover search index app coordination * Cover slack progress listener behavior * Cover polling job notifier behavior * Cover redis job notifier behavior * Expand Slack notifier coverage * Cover partition worker processing flows * Expand distributed participant coverage * Cover orphan job monitor behavior * Expand distributed stats aggregator coverage * Expand distributed partition coverage * Strengthen distributed coordinator coverage * Expand search index and repository coverage * Expand search executor control flow coverage * Expand search repository delegation coverage * Expand search index executor coverage * Expand search repository helper coverage * Expand search utility coverage * Expand search index executor coverage * Expand search repository coverage * Strengthen search index manager coverage * Strengthen distributed recovery and worker coverage * Strengthen distributed executor coverage * Fix index sink batching and stats coverage * Expand elastic bulk sink behavior coverage * Expand open search bulk sink behavior coverage * Fix dropped bulk processor failure accounting * Cover migration workflow discovery paths * fix java checkstyle * Fix permission debug effect normalization * Cover migration FQN repair workflows * Fix glossary workflow migration idempotency * Cover v1100 migration utility flows * Cover v1104 
migration extension flows * Fix and cover v160 migration policy flows * fix java checkstyle * Address PR review comments on vector search and csv docs * fix java checkstyle * Harden service unit test PR workflow * Cover migration utility repair flows * fix java checkstyle * Fix service unit test regressions * Split service new-code coverage check * fix java checkstyle * Fix service diff coverage regressions * fix java checkstyle * Clarify missing JaCoCo artifact failures * fix java checkstyle * Fix bulk sink lifecycle tests * simplify CI * Address PR review feedback after main merge * Fix merged service unit test expectations * Fix search repository bulk update tests * Apply spotless formatting * Use standard exception logging in search repository * Stabilize multi-domain search integration test * Apply spotless formatting * Isolate web analytic event integration timestamps --------- Co-authored-by: Pere Miquel Brull <peremiquelbrull@gmail.com> |
||
|
|
5d44a496b4
|
Clean up dead/legacy GitHub Actions workflows (#26634)
* Remove disabled maven-build and maven-build-skip workflows
These workflows have been fully replaced by the integration-tests-* workflows.
maven-build.yml was gated by `if: false` and maven-build-skip.yml only existed
to satisfy required checks for the disabled workflow.
* Remove disabled Maven Postgres test workflows
maven-postgres-rdf-tests-build.yml and maven-postgres-tests-build.yml were
disabled (if: false / workflow_dispatch-only) and replaced by the
integration-tests-* workflows. maven-postgres-tests-build-skip.yml was their
required-check placeholder.
* Remove placeholder ui-core-components-tests workflow
The workflow only echoed "Nothing to test" with no actual test steps.
Can be re-added when tests are implemented for the core components library.
* Remove inactive claude-code-review workflow
PR trigger was commented out, making it dispatch-only and unused.
The active claude.yml workflow (triggered by @claude mentions) remains.
* Remove legacy Selenium E2E test workflow
All E2E tests have migrated to Playwright. This Selenium workflow also had
hardcoded sleep instead of health checks and no Docker cleanup step.
* Update monitor-slack-link from Python 3.9 (EOL) to 3.11
* Remove experimental py-nox-ci workflow
Manual-only experimental workflow for testing Nox as a Python CI replacement.
No longer in use — existing py-tests workflows handle Python CI.
* Revert "Update monitor-slack-link from Python 3.9 (EOL) to 3.11"
This reverts commit
|
||
|
|
108cfe7897
|
chore(ci): enhance Python E2E and SonarCloud workflows with unit and integration tests (#26481)
* chore(ci): enhance Python E2E and SonarCloud workflows with unit and integration tests
* separate the unit and integration test
* address comments
* Potential fix for pull request finding
  Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
  Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
  Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
  Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
  Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
  Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
  Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* address comments
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: ulixius9 <mayursingal9@gmail.com> |
||
|
|
d03373c5e2
|
Stale pr workflow (#26667)
* stale pr automation
* chore: auto close stale pr
* chore: auto close stale pr
* Update .github/workflows/stale.yml
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update .github/workflows/stale.yml
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update .github/workflows/stale.yml
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update .github/workflows/stale.yml
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
0996e716bb
|
ci: ui checkstyle workflow in favour to remove pre-commit (#26445)
* ci: ui checkstyle workflow in favour to remove pre-commit
* update workflow
* update workflow
* testing workflow with manual run
* test workflow
* update
* bump yarn.lock
* add install antlr
* fix organize-imports script
* fix lint issues
* revert authorize changes
* Potential fix for pull request finding
  Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* ci: fix UI checkstyle workflow - workflow_dispatch support, step isolation, and pre-commit cleanup (#26474)
  * Initial plan
  * fix: address review comments - workflow dispatch, step isolation, pre-commit, ja-jp locale
    Co-authored-by: chirag-madlani <12962843+chirag-madlani@users.noreply.github.com>
  * remove pre-commit as not needed
  ---------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: chirag-madlani <12962843+chirag-madlani@users.noreply.github.com>
* update workflow
* test workflow
* checkout pr
* fix workflow
* update
* add debug logs
* apply prettier
* update workflow
* update script
* fix workflow
* Fix: Remove all `any` types from UI core component theme and utility files (#26534)
  * Initial plan
  * Fix: Remove all any types from UI core component theme and utility files
    Co-authored-by: karanh37 <33024356+karanh37@users.noreply.github.com>
  * Changes before error encountered
    Co-authored-by: karanh37 <33024356+karanh37@users.noreply.github.com>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: karanh37 <33024356+karanh37@users.noreply.github.com>
* separate playwright lint
* apply prettier to playwright
* fix tsc step
* update
* skip tsc check for now
* update lint:playwright
* remove import-cli from playwright check
* address comments
* fix lint issues
* fix lint
* fix lint
* update pull_request to pull_request target
* remove pre-commit completely
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: karanh37 <33024356+karanh37@users.noreply.github.com> |
||
|
|
3c89f26422
|
Move path filtering from trigger level to job level for integration test workflows (#26631)
Replace `paths:` on `pull_request_target` with a `changes` detection job using dorny/paths-filter. This prevents required checks from getting stuck as pending when PRs modify files outside the monitored paths. A job skipped by its `if` condition reports as "Success", so branch protection still works. |
||
|
|
3aed159069
|
Fix MCP tools entity status (#26567)
* fix MCP tools entity status
* add unit tests for MCP tools and CI path trigger |
||
|
|
e6bfa1f567
|
fix(ci): replace py-tests skip workflow with job-level path filtering and gate jobs (#26556)
* fix(ci): replace py-tests skip workflow with job-level path filtering and gate jobs
  Replace the dual-workflow (real + skip) pattern with a single-workflow approach using dorny/paths-filter for change detection and job-level `if` conditions. A job skipped by `if` reports as "Success" for required checks, eliminating the need for companion skip workflows.
  Add inverse-gate status jobs (`py-tests-status`, `py-tests-postgres-status`) that only run on failure/cancellation. These are the only jobs that need to be set as required checks in branch protection — one per workflow instead of one per matrix expansion.
  How the gate works:
  - All tests pass or skipped → gate is skipped → reports "Success"
  - Any test fails → gate runs → exits 1 → blocks merge
  Changes:
  - py-tests.yml: remove `paths:` filter, add `changes` detection job, gate test jobs on its output, add `py-tests-status` gate job
  - py-tests-postgres.yml: same approach, add `py-tests-postgres-status`
  - Delete py-tests-skip.yml (no longer needed)
* fix(ci): rename postgres gate job to py-tests-status for consistency
  The workflow name already provides the context (py-tests-postgres), so the gate job should just be py-tests-status like in the mysql workflow. |