update env vars (#50963) #3
name: Build + Docker Uberjar | |
on: | |
push: | |
branches: | |
- "master" | |
- metabot-v3-second-try | |
paths-ignore: | |
# config files | |
- ".**" | |
# documentation | |
- 'docs/**' | |
- "**.md" | |
# this covers both BE and FE unit tests, as well as E2E tests | |
- '**test/**' | |
- "**_test.clj" | |
- "**/frontend/**.unit.*" | |
workflow_dispatch: | |
inputs: | |
commit: | |
description: 'Optional full-length commit SHA-1 hash' | |
jobs: | |
build: | |
name: Build MB ${{ matrix.edition }} | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 40 | |
strategy: | |
matrix: | |
edition: [ee, oss] | |
env: | |
MB_EDITION: ${{ matrix.edition }} | |
INTERACTIVE: false | |
steps: | |
- name: Check out the code | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.inputs.commit }} | |
- name: Prepare front-end environment | |
uses: ./.github/actions/prepare-frontend | |
- name: Prepare back-end environment | |
uses: ./.github/actions/prepare-backend | |
with: | |
m2-cache-key: uberjar | |
# Build with Java 11 so they compiled code doesn't try to use Java >11 classes... see | |
# https://metaboat.slack.com/archives/C5XHN8GLW/p1731517744549619?thread_ts=1731504670.951389&cid=C5XHN8GLW | |
java-version: 11 | |
- name: Build | |
run: ./bin/build.sh | |
- name: Prepare uberjar artifact | |
uses: ./.github/actions/prepare-uberjar-artifact | |
with: | |
name: metabase-${{ matrix.edition }}-${{ github.sha }}-uberjar | |
check_jar_health: | |
runs-on: ubuntu-22.04 | |
name: Is ${{ matrix.edition }} (java ${{ matrix.java-version }}) healthy? | |
needs: build | |
timeout-minutes: 10 | |
strategy: | |
matrix: | |
edition: [ee, oss] | |
java-version: [11, 17, 21] | |
steps: | |
- name: Prepare JRE (Java Run-time Environment) | |
uses: actions/setup-java@v4 | |
with: | |
java-package: jre | |
java-version: ${{ matrix.java-version }} | |
distribution: 'temurin' | |
- run: java -version | |
- uses: actions/download-artifact@v4 | |
name: Retrieve uberjar artifact | |
with: | |
name: metabase-${{ matrix.edition }}-${{ github.sha }}-uberjar | |
- name: Launch uberjar | |
run: >- | |
java --add-opens java.base/java.nio=ALL-UNNAMED -jar ./target/uberjar/metabase.jar & | |
- name: Wait for Metabase to start | |
run: while ! curl 'http://localhost:3000/api/health' | grep '{"status":"ok"}'; do sleep 1; done | |
containerize_test_and_push_container: | |
runs-on: ubuntu-22.04 | |
name: Containerize ${{ matrix.edition }} | |
needs: check_jar_health | |
strategy: | |
matrix: | |
edition: [ee, oss, ee-extra] | |
services: | |
registry: | |
image: registry:2 | |
ports: | |
- 5000:5000 | |
permissions: | |
id-token: write | |
contents: read | |
security-events: write | |
steps: | |
- name: Extract and clean branch name | |
shell: bash | |
run: echo "branch=$(echo $GITHUB_REF_NAME | sed 's/[^-._a-zA-Z0-9]/-/g')" >> $GITHUB_OUTPUT | |
id: extract_branch | |
- name: Verify the intended tag of the container image | |
run: echo "Container image will be tagged as ${{ steps.extract_branch.outputs.branch }}-${{ matrix.edition }}" | |
- name: Check out the code (Dockerfile needed) | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.inputs.commit }} | |
- name: Download uploaded artifacts to insert into container | |
if: ${{ matrix.edition != 'ee-extra' }} | |
uses: actions/download-artifact@v4 | |
with: | |
name: metabase-${{ matrix.edition }}-${{ github.sha }}-uberjar | |
path: bin/docker/ | |
- name: Download uploaded artifacts to insert into container | |
if: ${{ matrix.edition == 'ee-extra' }} | |
uses: actions/download-artifact@v4 | |
with: | |
name: metabase-ee-${{ github.sha }}-uberjar | |
path: bin/docker/ | |
- name: Move the ${{ matrix.edition }} uberjar to the context dir | |
run: mv bin/docker/target/uberjar/metabase.jar bin/docker/. | |
- name: Add partner drivers to the container | |
if: ${{ matrix.edition == 'ee-extra' }} | |
uses: ./.github/actions/build-ee-extra | |
with: | |
iam-role: ${{ secrets.METABASE_EE_EXTRA_IAM_ROLE }} | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v2.5.0 | |
with: | |
driver-opts: network=host | |
- name: Build ${{ matrix.edition }} container | |
uses: docker/build-push-action@v3 | |
with: | |
context: bin/docker/. | |
platforms: linux/amd64 | |
network: host | |
tags: localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-${{ matrix.edition }} | |
build-args: | | |
GIT_COMMIT_SHA=${{ github.sha }} | |
no-cache: true | |
push: true | |
- name: Launch ${{ matrix.edition }} container | |
run: docker run --rm -dp 3000:3000 localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-${{ matrix.edition }} | |
timeout-minutes: 5 | |
- name: Is Docker running? | |
run: docker ps | |
- name: Wait for Metabase to start and reach 100% health | |
run: while ! curl -s 'http://localhost:3000/api/health' | grep '{"status":"ok"}'; do sleep 1; done | |
timeout-minutes: 3 | |
- name: Login to Docker Hub | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Retag and push images if master (ee) | |
if: ${{ (github.ref_name == 'master') && matrix.edition == 'ee' }} | |
run: docker tag localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-ee ${{ github.repository_owner }}/metabase-enterprise-head:latest && docker push ${{ github.repository_owner }}/metabase-enterprise-head:latest | |
# TODO: remove when we're done testing metabot | |
- name: Retag and push images if metabot-v3-second-try (ee) | |
if: ${{ (github.ref_name == 'metabot-v3-second-try') && matrix.edition == 'ee' }} | |
run: docker tag localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-ee ${{ github.repository_owner }}/metabase-enterprise-head:metabot && docker push ${{ github.repository_owner }}/metabase-enterprise-head:metabot | |
- name: Retag and push images if master (oss) | |
if: ${{ (github.ref_name == 'master') && matrix.edition == 'oss' }} | |
run: docker tag localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-oss ${{ github.repository_owner }}/metabase-head:latest && docker push ${{ github.repository_owner }}/metabase-head:latest | |
- name: Retag and push images if master (ee-extra) | |
if: ${{ (github.ref_name == 'master') && matrix.edition == 'ee-extra' }} | |
run: docker tag localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-ee-extra ${{ secrets.METABASE_EE_EXTRA_CONTAINER_REGISTRY }}/metabase-enterprise-head:latest && docker push ${{ secrets.METABASE_EE_EXTRA_CONTAINER_REGISTRY }}/metabase-enterprise-head:latest | |
- name: Retag and push images if dev branch | |
if: ${{ !(startsWith(github.ref_name,'master') || startsWith(github.ref_name,'backport')) && matrix.edition == 'ee' }} | |
run: docker tag localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-ee ${{ github.repository_owner }}/metabase-dev:${{ steps.extract_branch.outputs.branch }} && docker push ${{ github.repository_owner }}/metabase-dev:${{ steps.extract_branch.outputs.branch }} | |
- name: Run Trivy vulnerability scanner if master (ee) | |
if: ${{ (github.ref_name == 'master') && matrix.edition == 'ee' }} | |
uses: aquasecurity/trivy-action@0.28.0 | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
with: | |
image-ref: docker.io/${{ github.repository_owner }}/metabase-enterprise-head:latest | |
format: sarif | |
output: trivy-results.sarif | |
version: "v0.57.1" | |
- name: Run Trivy vulnerability scanner if master (oss) | |
if: ${{ (github.ref_name == 'master') && matrix.edition == 'oss' }} | |
uses: aquasecurity/trivy-action@0.28.0 | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
with: | |
image-ref: docker.io/${{ github.repository_owner }}/metabase-head:latest | |
format: sarif | |
output: trivy-results.sarif | |
version: "v0.57.1" | |
- name: Run Trivy vulnerability scanner if dev branch | |
if: ${{ !(startsWith(github.ref_name,'master') || startsWith(github.ref_name,'backport')) && matrix.edition == 'ee' }} | |
uses: aquasecurity/trivy-action@0.28.0 | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
with: | |
version: "v0.57.1" | |
image-ref: docker.io/${{ github.repository_owner }}/metabase-dev:${{ steps.extract_branch.outputs.branch }} | |
format: sarif | |
output: trivy-results.sarif | |
- name: Upload Trivy scan results to GitHub Security tab if master (ee) | |
if: ${{ (github.ref_name == 'master') && matrix.edition == 'ee' }} | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
- name: Upload Trivy scan results to GitHub Security tab if master (oss) | |
if: ${{ (github.ref_name == 'master') && matrix.edition == 'oss' }} | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
- name: Upload Trivy scan results to GitHub Security tab if dev branch | |
if: ${{ !(startsWith(github.ref_name,'master') || startsWith(github.ref_name,'backport')) && matrix.edition == 'ee' }} | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
containerize_multi_arch: | |
runs-on: ubuntu-22.04 | |
name: Containerize multi-arch ${{ matrix.edition }} | |
needs: check_jar_health | |
strategy: | |
matrix: | |
edition: [ee, oss] | |
services: | |
registry: | |
image: registry:2 | |
ports: | |
- 5000:5000 | |
steps: | |
- name: Extract and clean branch name | |
shell: bash | |
run: echo "branch=$(echo $GITHUB_REF_NAME | sed 's/[^-._a-zA-Z0-9]/-/g')" >> $GITHUB_OUTPUT | |
id: extract_branch | |
- name: Verify the intended tag of the container image | |
run: echo "Container image will be tagged as ${{ steps.extract_branch.outputs.branch }}-${{ matrix.edition }}" | |
- name: Check out the code (Dockerfile needed) | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.inputs.commit }} | |
- name: Download uploaded artifacts to insert into container | |
uses: actions/download-artifact@v4 | |
with: | |
name: metabase-${{ matrix.edition }}-${{ github.sha }}-uberjar | |
path: bin/docker/ | |
- name: Move the ${{ matrix.edition }} uberjar to the context dir | |
run: mv bin/docker/target/uberjar/metabase.jar bin/docker/. | |
# We need it for multi-arch build | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
with: | |
platforms: 'arm64' | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v2.5.0 | |
with: | |
driver-opts: network=host | |
# Build experimental ubuntu-based images only for master | |
- name: Build ${{ matrix.edition }} Ubuntu based multi-arch container | |
uses: docker/build-push-action@v3 | |
with: | |
context: bin/docker/. | |
platforms: linux/amd64,linux/arm64 | |
file: bin/docker/Dockerfile_ubuntu | |
network: host | |
tags: localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-${{ matrix.edition }}-ubuntu | |
build-args: | | |
GIT_COMMIT_SHA=${{ github.sha }} | |
no-cache: true | |
push: true | |
- name: Launch ${{ matrix.edition }} Ubuntu based container | |
run: docker run --rm -dp 3001:3000 localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-${{ matrix.edition }}-ubuntu | |
timeout-minutes: 5 | |
- name: Is Docker with Ubuntu running? | |
run: docker ps | |
- name: Wait for Ubuntu-based Metabase container to start and reach 100% health | |
run: while ! curl -s 'http://localhost:3001/api/health' | grep '{"status":"ok"}'; do sleep 1; done | |
timeout-minutes: 3 | |
- name: Login to Docker Hub | |
if: ${{ github.ref_name == 'master' }} | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
# Push experimental ubuntu image only for versions based on a master | |
- name: Install regctl | |
if: ${{ github.ref_name == 'master' }} | |
uses: regclient/actions/regctl-installer@main | |
with: | |
release: 'v0.4.7' | |
- name: Switch regctl to point to localhost:5000 via http | |
if: ${{ github.ref_name == 'master' }} | |
run: regctl registry set --tls disabled localhost:5000 | |
- name: Retag and push ubuntu-based images if master (ee) | |
if: ${{ (matrix.edition == 'ee') && (github.ref_name == 'master') }} | |
run: regctl image copy localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-ee-ubuntu ${{ github.repository_owner }}/metabase-enterprise-head:latest-ubuntu | |
- name: Retag and push ubuntu-based images if master (oss) | |
if: ${{ (matrix.edition == 'oss') && (github.ref_name == 'master') }} | |
run: regctl image copy localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-oss-ubuntu ${{ github.repository_owner }}/metabase-head:latest-ubuntu |
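Review bot: The "Retag and push images if metabot-v3-second-try (ee)" step is not mirrored by an exclusion in the "Retag and push images if dev branch" condition, which only rules out refs starting with `master` or `backport`, so on that branch the ee image is pushed twice — once as `metabase-enterprise-head:metabot` and once as `metabase-dev:<branch>` — and a feature-branch build lands in the `-head` repository that every other push step in both containerize jobs reserves for `master`. If the double push is intended for the test period, the TODO above the step should say so, e.g. `# TODO: remove when we're done testing metabot; until then the dev-branch step below also pushes this build as metabase-dev:<branch>`, so the cleanup is not missed. Separately, `regclient/actions/regctl-installer@main` in the multi-arch job runs after the Docker Hub login and is the only action here pinned to a mutable branch rather than a tag; pinning it to a release tag or commit SHA (`uses: regclient/actions/regctl-installer@<release-tag-or-sha>`) keeps an upstream change from executing while registry credentials are in scope. Which of these lines are new in this commit is not recoverable from the page.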