docs(release): v0.3.17.1 release notes (datahub-project#16899)

Co-authored-by: Adrian Machado <adrian.machado@datahub.com>
Co-authored-by: Jay <159848059+jayacryl@users.noreply.github.com>

Author: 3 people

docs/managed-datahub/release-notes/v_0_3_17.md

@@ -1,5 +1,55 @@
 # v0.3.17
 
+### v0.3.17.1
+
+Patch release on top of **v0.3.17-acryl**.
+
+#### Release availability date
+
+7-Apr-2026
+
+#### Recommended versions
+
+- **CLI/SDK**: 1.5.0.3
+- **Remote Executor**: v0.3.17.1-acryl
+- **Helm**: 1.6.64
+
+#### Product
+
+- **Assertions & data health UI**: Filter assertions by **tags** and differentiate Custom assertions by **customType** in the Quality tab; monitor **error messages** are truncated to a safe maximum length before storage so oversized failures cannot break writes.
+- **Data health UI**: Filter incidents by assignee.
+- **Governance inbox (action requests)**: **Scroll-based pagination** for very large inboxes so listing is not capped by Elasticsearch deep-offset limits.
+- **Sessions & access**: Browser session issuance now respects the same “active user” rules as the rest of the platform (for example **suspended**, **soft-deleted**, **not provisioned**, or **inactive** users do not receive a new session token).
+- **Microsoft Teams**: When enabled via feature flag, the Teams integration page can offer a **downloadable Teams app package** (.zip) with a link to the [managed DataHub Teams setup guide](https://docs.datahub.com/docs/managed-datahub/teams/saas-teams-setup).
+
+#### Platform
+
+- **Remote executor & images**: **Wolfi**-based service images, updated **bundled Python venv** policy for the executor, and executor **CLI 1.5.0.3** (see recommended versions above).
+- **Telemetry & REST**: Minor usage/telemetry and REST logging adjustments aligned with session and auth changes.
+- **Search (V2.5)**: Faster, more relevant search via pipeline and ranking updates—including supplementary query handling, tag-aware rescoring, and stronger demotion of obvious non-production and “backup”-style assets—plus synonym tuning.
+- **Lineage graph**: More reliable parallel graph fetches (configurable wait when draining slice work; safer handling when some slice futures finish partially).
+
+#### Ingestion
+
+- **BigQuery (ingestion & Observe-related paths)**: Google clients are built with **explicit service-account credentials** so concurrent jobs in one process no longer race on the shared `GOOGLE_APPLICATION_CREDENTIALS` environment variable.
+
+#### Security
+
+- Additional **dependency and CVE-driven** updates across Java and Python stacks (for example stricter Python floors, Amazon Ion / `ion-java`, and Authlib for SAC).
+- OIDC: Stop exposing the client secret via GraphQL (use hasClientSecret only) and fix SSO save errors by omitting read-only fields from the update mutation.
+
+#### Bug fixes & polish
+
+- **UI**: Square favicon, documentation/summary widgets (**file uploads**, editor **toolbar focus**), and catalog titles for sample content without a misleading `sample_data` prefix where applicable.
+- **GMS / GraphQL**: Safer handling of assertion aspects when envelope payloads are missing (avoids null failures in assertion flows).
+- **Databricks Freshness Assertions** that used `Audit Log` as the change source are now fixed.
+- **Smart Assertions**: Volume and column metric assertions correctly apply floors and ceilings to their predictions based on what makes sense for that metric.
+
+#### Breaking changes
+
+- **None beyond** those already listed under **v0.3.17**. Customers moving from **v0.3.17-acryl** to **v0.3.17.1-acryl** should still satisfy all v0.3.17 requirements (token signing keys, Python 3.10+, theme V2, and so on).
+- GraphQL OidcSettings.clientSecret field replaced with hasClientSecret: Boolean to prevent exposure of OIDC secret; mutation field is now optional to preserve existing secrets.
+
 ---
 
 ## Release Availability Date
@@ -10,6 +60,7 @@
 
 - **CLI/SDK**: 1.4.0.9
 - **Remote Executor**: v0.3.17-acryl
+- **Helm**: 1.6.64
 
 ## Known Issues