
fix(ci): validate yaml workflow failing #27391

Merged
chirag-madlani merged 1 commit into main from fix-ci-validate-yaml
Apr 15, 2026

Conversation

@chirag-madlani (Collaborator)

This pull request updates the Content Security Policy (CSP) configuration in the openmetadata.yaml file. The default CSP policy is now set to an empty string, rather than a restrictive default, making it easier for deployments to define their own policies as needed.

Configuration changes:

  • Changed the default value of the policy field under web.csp in openmetadata.yaml from a restrictive policy string to an empty string, allowing for more flexible CSP configuration.

Describe your changes:

Fixes

I worked on ... because ...

Type of change:

  • Bug fix
  • Improvement
  • New feature
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation

Checklist:

  • I have read the CONTRIBUTING document.
  • My PR title is Fixes <issue-number>: <short explanation>
  • I have commented on my code, particularly in hard-to-understand areas.
  • For JSON Schema changes: I updated the migration scripts or explained why it is not needed.

Copilot AI review requested due to automatic review settings April 15, 2026 09:17
@github-actions github-actions Bot added the labels safe to test (Add this label to run secure Github workflows on PRs) and UI (UI specific issues) Apr 15, 2026

gitar-bot Bot commented Apr 15, 2026

Code Review ✅ Approved

Updates YAML workflow validation to resolve recent CI failures. No issues found.


Copilot AI (Contributor) left a comment

Pull request overview

Updates the default Content Security Policy (CSP) configuration in conf/openmetadata.yaml by removing the previously hard-coded default CSP string and defaulting the policy value to an empty string, so deployments can more easily provide their own CSP via environment variables/config overrides.

Changes:

  • Replaced the default web.csp.policy value, a restrictive CSP string, with an empty string ("").
  • Added the previous CSP value as an inline comment for reference.

Comment thread conf/openmetadata.yaml
Comment on lines +692 to +693
# default-src 'self'; base-uri 'self'; script-src 'self' 'nonce-__CSP_NONCE__' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; img-src * 'self' blob: data:; media-src * 'self' blob:; worker-src 'self' blob:; frame-src 'self' https://www.youtube.com; object-src 'none'; connect-src 'self';
policy: ${WEB_CONF_XSS_CSP_POLICY:-""}
Copilot AI Apr 15, 2026

The PR title indicates this is a CI/YAML-validation fix, but the actual change modifies the default CSP behavior. Please align the PR title/description with the change (or explain how this change addresses the CI failure) so reviewers understand the motivation and potential security impact.

Comment thread conf/openmetadata.yaml
enabled: ${WEB_CONF_XSS_CSP_ENABLED:-false}
policy: ${WEB_CONF_XSS_CSP_POLICY:-"default-src 'self'; base-uri 'self'; script-src 'self' 'nonce-__CSP_NONCE__' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; img-src * 'self' blob: data:; media-src * 'self' blob:; worker-src 'self' blob:; frame-src 'self' https://www.youtube.com; object-src 'none'; connect-src 'self';"}
# default-src 'self'; base-uri 'self'; script-src 'self' 'nonce-__CSP_NONCE__' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; img-src * 'self' blob: data:; media-src * 'self' blob:; worker-src 'self' blob:; frame-src 'self' https://www.youtube.com; object-src 'none'; connect-src 'self';
policy: ${WEB_CONF_XSS_CSP_POLICY:-""}
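Review bot: the removed `policy:` line is an unquoted (plain) YAML scalar whose `img-src` directive contains `blob: data:`, a colon followed by a space, which a YAML parser reads as the start of a nested mapping rather than as text inside the value; a YAML validator is expected to reject exactly that line, which matches the PR title but is stated nowhere in the description, so please say so there. Removing the default is the bluntest fix: the same default can be kept YAML-safe by making the value a block scalar, e.g. `policy: >-` followed by the `${WEB_CONF_XSS_CSP_POLICY:-...}` text on an indented line, or by double-quoting the whole value with the inner `"` escaped. Also worth noting in the description that `enabled` still defaults to `false` on the context line, so out of the box nothing changes; the regression only affects deployments that turn CSP on without setting WEB_CONF_XSS_CSP_POLICY.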
Copilot AI Apr 15, 2026

Changing the default web.csp.policy to an empty string means that if someone sets web.csp.enabled: true but forgets to also set WEB_CONF_XSS_CSP_POLICY, no CSP header will be sent (CspHeaderFactory omits empty policies). If the intent is to keep a secure-by-default behavior when CSP is enabled, consider keeping a minimal default policy (e.g., default-src 'self') and documenting how to override it, or add configuration validation to fail fast when enabled is true but policy is empty.

Suggested change
policy: ${WEB_CONF_XSS_CSP_POLICY:-""}
# Use a minimal secure default when CSP is enabled and no explicit policy is provided.
policy: ${WEB_CONF_XSS_CSP_POLICY:-"default-src 'self'"}

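As an added illustration of the two points raised in this review, not code from the OpenMetadata project: the script below takes the old and new `policy:` values and the `enabled:` value verbatim from the hunk above, shows why the old unquoted value is not a single YAML plain scalar (the `blob: data:` colon-space), resolves the `${NAME:-default}` placeholders against a constructed environment, and applies the fail-fast check Copilot suggests. The placeholder resolver and the plain-scalar check are my own simplified models of the Dropwizard-style substitution and of YAML's plain-scalar rules, and `csp_header` only models the "empty policy sends no header" behaviour described in the comment; none of it is taken from CspHeaderFactory.

```python
import re

# Simplified model of the ${NAME:-default} substitution used in openmetadata.yaml
# (assumption: not the project's own substitutor).
_SUBST = re.compile(
    r"^\$\{(?P<name>[A-Za-z_][A-Za-z0-9_]*)(?::-(?P<default>.*))?\}$", re.DOTALL
)

# Raw values copied from the conf/openmetadata.yaml hunk (old default, new default, enabled).
OLD_POLICY_RAW = (
    '${WEB_CONF_XSS_CSP_POLICY:-"default-src \'self\'; base-uri \'self\'; '
    "script-src 'self' 'nonce-__CSP_NONCE__' https://www.googletagmanager.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "font-src 'self' https://fonts.gstatic.com data:; img-src * 'self' blob: data:; "
    "media-src * 'self' blob:; worker-src 'self' blob:; frame-src 'self' https://www.youtube.com; "
    "object-src 'none'; connect-src 'self';\"}"
)
NEW_POLICY_RAW = '${WEB_CONF_XSS_CSP_POLICY:-""}'
ENABLED_RAW = "${WEB_CONF_XSS_CSP_ENABLED:-false}"


def resolve(raw, env):
    """Resolve one ${NAME:-default} value against a dict of environment variables.

    A default written as "..." inside the braces has its surrounding double quotes
    removed, mirroring how the hunk writes the empty default as "".
    """
    m = _SUBST.match(raw.strip())
    if m is None:
        return raw  # not a placeholder: literal value
    value = env.get(m.group("name"))
    if value is None:
        value = m.group("default") or ""
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
    return value


def plain_scalar_problems(raw):
    """Return the reasons an *unquoted* YAML value would not parse as one plain scalar.

    Only the two indicators relevant here are modelled: ': ' (nested mapping) and ' #'
    (comment). A YAML validator rejects a block-context plain scalar containing either.
    """
    problems = []
    if ": " in raw or raw.endswith(":"):
        problems.append("': ' inside a plain scalar starts a nested mapping")
    if " #" in raw:
        problems.append("' #' inside a plain scalar starts a comment")
    return problems


def csp_header(enabled, policy):
    """Model of the described behaviour: CSP disabled, or enabled with an empty policy,
    sends no header at all; otherwise the header carries the policy."""
    if not enabled or not policy.strip():
        return None
    return ("Content-Security-Policy", policy.strip())


def validate_csp(enabled_raw, policy_raw, env):
    """Fail-fast check suggested in the review: CSP may only be enabled with a policy.

    Returns the header tuple that would be sent, None when CSP is off, and raises
    ValueError for the misconfiguration enabled=true + empty policy.
    """
    enabled = resolve(enabled_raw, env).strip().lower() == "true"
    policy = resolve(policy_raw, env)
    if enabled and not policy.strip():
        raise ValueError(
            "web.csp.enabled is true but web.csp.policy resolved to an empty string; "
            "set WEB_CONF_XSS_CSP_POLICY or disable CSP"
        )
    return csp_header(enabled, policy)


if __name__ == "__main__":
    print("old default as plain scalar:", plain_scalar_problems(OLD_POLICY_RAW))
    print("new default as plain scalar:", plain_scalar_problems(NEW_POLICY_RAW))
    # Constructed environment: operator turns CSP on but forgets the policy.
    try:
        validate_csp(ENABLED_RAW, NEW_POLICY_RAW, {"WEB_CONF_XSS_CSP_ENABLED": "true"})
    except ValueError as exc:
        print("startup rejected:", exc)
```

Running it prints the single YAML-level problem with the old value and an empty list for the new one, then the startup rejection for the enabled-without-policy case; with `WEB_CONF_XSS_CSP_POLICY` set, `validate_csp` returns the header that would be sent.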
@chirag-madlani chirag-madlani enabled auto-merge (squash) April 15, 2026 09:48
@chirag-madlani chirag-madlani merged commit 0ae01ef into main Apr 15, 2026
43 checks passed
@chirag-madlani chirag-madlani deleted the fix-ci-validate-yaml branch April 15, 2026 11:24
@github-actions (Contributor)

🟡 Playwright Results — all passed (32 flaky)

✅ 3624 passed · ❌ 0 failed · 🟡 32 flaky · ⏭️ 84 skipped

Shard        Passed  Failed  Flaky  Skipped
🟡 Shard 1      479       0      1        4
🟡 Shard 2      640       0      5        7
🟡 Shard 3      647       0      6        1
🟡 Shard 4      620       0      6       22
🟡 Shard 5      610       0      2       42
🟡 Shard 6      628       0     12        8
🟡 32 flaky test(s) (passed on retry)
  • Pages/UserCreationWithPersona.spec.ts › Create user with persona and verify on profile (shard 1, 1 retry)
  • Features/BulkEditEntity.spec.ts › Glossary (shard 2, 1 retry)
  • Features/ChangeSummaryBadge.spec.ts › Automated badge should appear on entity description with Automated source (shard 2, 1 retry)
  • Features/DataProductPersonaCustomization.spec.ts › Data Product - customization should work (shard 2, 1 retry)
  • Features/Glossary/GlossaryHierarchy.spec.ts › should cancel move operation (shard 2, 1 retry)
  • Features/Glossary/GlossaryWorkflow.spec.ts › should inherit reviewers from glossary when term is created (shard 2, 1 retry)
  • Features/Permissions/GlossaryPermissions.spec.ts › Team-based permissions work correctly (shard 3, 1 retry)
  • Features/RestoreEntityInheritedFields.spec.ts › Validate restore with Inherited domain and data products assigned (shard 3, 1 retry)
  • Features/RestoreEntityInheritedFields.spec.ts › Validate restore with Inherited domain and data products assigned (shard 3, 1 retry)
  • Features/RestoreEntityInheritedFields.spec.ts › Validate restore with Inherited domain and data products assigned (shard 3, 1 retry)
  • Features/RTL.spec.ts › Verify Following widget functionality (shard 3, 1 retry)
  • Flow/AppBasic.spec.ts › should call installed app api and it should respond with 200 (shard 3, 1 retry)
  • Pages/Customproperties-part2.spec.ts › entityReferenceList shows item count, scrollable list, no expand toggle (shard 4, 1 retry)
  • Pages/DataContractInheritance.spec.ts › Delete Asset Contract - Falls back to showing inherited contract from Data Product (shard 4, 2 retries)
  • Pages/Domains.spec.ts › Rename domain with deeply nested subdomains (3+ levels) verifies FQN propagation (shard 4, 1 retry)
  • Pages/Domains.spec.ts › Subdomain rename does not affect parent domain and updates nested children (shard 4, 1 retry)
  • Pages/Entity.spec.ts › Tier Add, Update and Remove (shard 4, 1 retry)
  • Pages/Entity.spec.ts › Glossary Term Add, Update and Remove (shard 4, 1 retry)
  • Pages/EntityDataSteward.spec.ts › User as Owner Add, Update and Remove (shard 5, 1 retry)
  • Pages/Glossary.spec.ts › Add and Remove Assets (shard 5, 2 retries)
  • Pages/Lineage/DataAssetLineage.spec.ts › verify create lineage for entity - Search Index (shard 6, 1 retry)
  • Pages/Lineage/DataAssetLineage.spec.ts › verify create lineage for entity - Data Model (shard 6, 1 retry)
  • Pages/Lineage/DataAssetLineage.spec.ts › verify create lineage for entity - Api Endpoint (shard 6, 1 retry)
  • Pages/Lineage/DataAssetLineage.spec.ts › verify create lineage for entity - Spreadsheet (shard 6, 1 retry)
  • Pages/Lineage/DataAssetLineage.spec.ts › Column lineage for table -> table (shard 6, 1 retry)
  • Pages/Lineage/LineageFilters.spec.ts › Verify lineage schema filter selection (shard 6, 1 retry)
  • Pages/Lineage/LineageRightPanel.spec.ts › Verify custom properties tab IS visible for supported type: searchIndex (shard 6, 1 retry)
  • Pages/ODCSImportExport.spec.ts › Multi-object ODCS contract - object selector shows all schema objects (shard 6, 1 retry)
  • Pages/TestSuite.spec.ts › Logical TestSuite (shard 6, 1 retry)
  • Pages/Users.spec.ts › Permissions for table details page for Data Consumer (shard 6, 1 retry)
  • ... and 2 more

📦 Download artifacts

How to debug locally
# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip    # view trace

5 participants