Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

The py-checkstyle and Integration Tests failures in CI are expected consequences of this security-focused update.

1. Security by Default: SSL verification has been restored to True for both SAS and Elasticsearch connectors. While this causes current integration tests to fail (likely due to missing CA bundles in the test runners), it ensures that production environments are protected against MITM attacks by default.

2. Log Sanitization: A sensitive clear-text password leak in the SAS client was removed, and Secret IDs were sanitized across both successful and error paths in the AWS Secrets Manager utility, as suggested by the Gitar bot.

Maintainers may need to either update the CI runner's trust store or explicitly allow verify=False through configuration settings if they prefer to keep the insecure behavior for specific test environments.

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

Thanks for the PR. This needs to be updated against the latest main before we can move it forward.

Could you please rebase on main, resolve any conflicts if present, push the updated branch, and let CI rerun? Once the checks are green, we can re-check merge readiness.

Quality Gate passed for 'open-metadata-ingestion'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
28.7% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

⚠️ TypeScript Types Need Update

The generated TypeScript types are out of sync with the JSON schema changes.

Since this is a pull request from a forked repository, the types cannot be automatically committed.
Please generate and commit the types manually:

cd openmetadata-ui/src/main/resources/ui
./json2ts-generate-all.sh -l true
git add src/generated/
git commit -m "Update generated TypeScript types"
git push

After pushing the changes, this check will pass automatically.

⚠️ TypeScript Types Need Update

The generated TypeScript types are out of sync with the JSON schema changes.

Since this is a pull request from a forked repository, the types cannot be automatically committed.
Please generate and commit the types manually:

cd openmetadata-ui/src/main/resources/ui
./json2ts-generate-all.sh -l true
git add src/generated/
git commit -m "Update generated TypeScript types"
git push

After pushing the changes, this check will pass automatically.

Could you check a few items on the current head? I think these may still block the PR:

• SearchServiceResourceIT.java appears to have duplicated trailing lines after the class closing brace (>= 3); } }). Could you remove those and run the Java compile/checkstyle path?
• SearchServiceTestFactory.java uses VerifySSL.IGNORE, but I do not see a VerifySSL import. Could you add the import or use the existing generated type consistently?
• For SAS, could the new verifySSL / sslConfig schema fields be wired into SASClient instead of using only OM_SAS_VERIFY_SSL? The schema/UI now suggests this is configurable per service connection, but the client still reads a process-level env var and does not appear to consume sslConfig.

@ayush-shah addressed the items you mentioned:

• Removed the duplicated trailing lines in SearchServiceResourceIT.java.
• Added the missing VerifySSL import in SearchServiceTestFactory.java.
• Refactored SASClient to use the verifySSL and sslConfig schema fields instead of relying on the OM_SAS_VERIFY_SSL environment variable. I've also improved the error handling in get_token and ensured that sensitive information is no longer logged.
• Updated the elasticSearchConnection.json schema to include the verifySSL field and updated the Elasticsearch connection logic to handle the ignore case as suggested, returning an unverified SSL context while still attempting TLS.
• Fixed a logging issue in aws_secrets_manager.py where the secret_id was being leaked in the error path.

⚠️ TypeScript Types Need Update

The generated TypeScript types are out of sync with the JSON schema changes.

Since this is a pull request from a forked repository, the types cannot be automatically committed.
Please generate and commit the types manually:

cd openmetadata-ui/src/main/resources/ui
./json2ts-generate-all.sh -l true
git add src/generated/
git commit -m "Update generated TypeScript types"
git push

After pushing the changes, this check will pass automatically.

The Python checkstyle failed.

Please run make py_format and py_format_check in the root of your repository and commit the changes to this PR.
You can also use pre-commit to automate the Python code formatting.

You can install the pre-commit hooks with make install_test precommit_install.

⚠️ TypeScript Types Need Update

The generated TypeScript types are out of sync with the JSON schema changes.

Since this is a pull request from a forked repository, the types cannot be automatically committed.
Please generate and commit the types manually:

cd openmetadata-ui/src/main/resources/ui
./json2ts-generate-all.sh -l true
git add src/generated/
git commit -m "Update generated TypeScript types"
git push

After pushing the changes, this check will pass automatically.

The Python checkstyle failed.

Please run make py_format and py_format_check in the root of your repository and commit the changes to this PR.
You can also use pre-commit to automate the Python code formatting.

You can install the pre-commit hooks with make install_test precommit_install.

Thanks for addressing the earlier review items. Gitar is now approved, so the remaining blockers look mechanical from CI:

• TypeScript generated types are still out of sync with the JSON schema changes. Please run the type generation step from the bot comment and commit the generated UI files.
• Python checkstyle is still failing. Please run make py_format and make py_format_check from the repository root and commit any formatting changes.

Once those outputs are committed, let CI rerun. After the checks are green, this can move back to reviewer/maintainer review.

❌ PR checklist incomplete

This PR cannot be merged until the following are addressed on its linked issue:

• No GitHub issue is linked. Add a closing reference such as Fixes #12345 to the PR description (accepted keywords: Fixes, Closes, Resolves).

The fields live on the linked issue in the Shipping project (open the issue → right sidebar → Projects). After you set them, re-run this check (or push a commit) — issue/project changes do not re-trigger it automatically.

Maintainers can bypass this check by adding the skip-pr-checks label.

gitar display:verbose         

_{Was this helpful? React with 👍 / 👎 | Gitar}

Quality Gate passed for 'open-metadata-ui'

Issues
1371 New issues
0 Accepted issues

Measures
18 Security Hotspots
0.0% Coverage on New Code
3.6% Duplication on New Code

See analysis details on SonarQube Cloud