metabase · WiNloSt · May 16, 2024 · May 10, 2024 · May 13, 2024 · May 13, 2024
diff --git a/.github/workflows/release-embedding-sdk.yml b/.github/workflows/release-embedding-sdk.yml
@@ -0,0 +1,193 @@
+name: Release Metabase Embedding SDK for React
+
+on:
+  workflow_dispatch:
+    inputs:
+      # TODO: Add a version validation, so the workflow won't fail when publishing to npm
+      sdk_version:
+        description: 'SDK version (e.g. 0.1.3)'
+        type: string
+        required: true
+      git_ref:
+        description: 'Valid git reference e.g. branches, tags, hashes'
+        type: string
+        required: true
+
+concurrency:
+  # We want to ensure only one job is running at a time because
+  # there could be a conflict when updating the readme file.
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  git-tag:
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
+    env:
+      tag: embedding-sdk-${{ inputs.sdk_version }}
+    steps:
+      - name: Check out the code using the provided ref
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.git_ref }}
+
+      - name: Setup git user
+        run: |
+          git config --global user.email "metabase-bot@metabase.com"
+          git config --global user.name "Metabase bot"
+
+      - name: Create a new git tag
+        run: |
+          git tag ${{ env.tag }}
+
+      - name: Push the new tag
+        id : push-tag
+        run: |
+          git push origin ${{ env.tag }}
+      - if: ${{ failure() && steps.push-tag.outcome == 'failure' }}
+        run: echo "Tag '${{ env.tag }}' already exists. If you expect to run this workflow with the same tag, please remove the tag first and rerun this workflow again."
+
+  test:
+    needs: git-tag
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
+    steps:
+      - name: Check out the code using the provided ref
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.git_ref }}
+
+      - name: Prepare front-end environment
+        uses: ./.github/actions/prepare-frontend
+
+      - name: Prepare back-end environment
+        uses: ./.github/actions/prepare-backend
+        with:
+          m2-cache-key: "release-sdk"
+
+      - name: Run unit tests
+        run: yarn embedding-sdk:test-unit
+
+  build-sdk:
+    needs: test
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
+    steps:
+      - name: Check out the code using the provided ref
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.git_ref }}
+
+      - name: Prepare front-end environment
+        uses: ./.github/actions/prepare-frontend
+
+      - name: Prepare back-end environment
+        uses: ./.github/actions/prepare-backend
+        with:
+          m2-cache-key: "release-sdk"
+
+      - name: Bump published npm package version
+        run: |
+          sed -i -E 's/("version": ").*"/\1${{ inputs.sdk_version }}"/' enterprise/frontend/src/embedding-sdk/package.template.json
+
+      - name: Build SDK bundle
+        run: yarn run build-embedding-sdk
+
+      - name: Generate SDK package.json in the build directory
+        run: yarn run embedding-sdk:generate-package
+
+      - name: Upload built SDK package as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: metabase-sdk
+          path: ./resources/embedding-sdk
+
+  build-jar:
+    needs: test
+    uses: ./.github/workflows/uberjar-sdk.yml
+    with:
+      git_ref: ${{ inputs.git_ref }}
+      image_name: embedding-sdk-${{ inputs.sdk_version }}
+    secrets: inherit
+
+  upload-jar:
+    needs: build-jar
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
+    steps:
+      - uses: actions/download-artifact@v4
+        name: Retrieve uberjar artifact
+        with:
+          name: metabase-ee-uberjar
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_S3_RELEASE_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_S3_RELEASE_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Upload uberjar to S3
+        env:
+          BUCKET: ${{ vars.AWS_S3_DOWNLOADS_BUCKET }}
+          BUCKET_PATH: sdk/v${{ inputs.sdk_version }}/metabase.jar
+          FILE: ./target/uberjar/metabase.jar
+        shell: bash
+        run: |
+          aws s3 cp $FILE s3://$BUCKET/$BUCKET_PATH
+
+
+  publish-npm:
+    needs: [build-sdk, upload-jar]
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
+    steps:
+      - name: Check out master to prepare for a SDK version bump PR
+        uses: actions/checkout@v4
+        with:
+          # when we created version update PR, it would only have diff from 2 files SDK readme and SDK package.json template
+          ref: master
+
+      - name: Setup git user
+        run: |
+          git config --global user.email "metabase-bot@metabase.com"
+          git config --global user.name "Metabase bot"
+
+      - name: Update readme
+        run: |
+          sed -i -E 's|(embedding-sdk-)[0-9.]+|\1${{ inputs.sdk_version }}|' enterprise/frontend/src/embedding-sdk/README.md
+          sed -i -E 's|(http://downloads.metabase.com/sdk/v)[0-9.]+|\1${{ inputs.sdk_version }}|' enterprise/frontend/src/embedding-sdk/README.md
+
+      - name: Bump published npm package version
+        run: |
+          sed -i -E 's/("version": ").*"/\1${{ inputs.sdk_version }}"/' enterprise/frontend/src/embedding-sdk/package.template.json
+
+      - uses: actions/create-github-app-token@v1
 - uses: tibdex/github-app-token@v2.1.0 
   id: generate-token 
   with: 
     app_id: ${{ secrets.METABASE_BOT_APP_ID }} 
     private_key: ${{ secrets.METABASE_BOT_APP_PRIVATE_KEY }} 
 - uses: tibdex/github-app-token@v2.1.0 
   id: generate-token 
   with: 
     app_id: ${{ secrets.METABASE_BOT_APP_ID }} 
     private_key: ${{ secrets.METABASE_BOT_APP_PRIVATE_KEY }} 
+        id: app-token
+        with:
+          app-id: ${{ secrets.METABASE_BOT_APP_ID }}
+          private-key: ${{ secrets.METABASE_BOT_APP_PRIVATE_KEY }}
+
+      - name: Create a PR updating readme + published version
+        run: |
+          git checkout -b update-sdk-version-${{ inputs.sdk_version }}
+          git commit -a -m 'Update Readme version references and published npm version to ${{ inputs.sdk_version }}'
+          git push origin HEAD
+          gh pr create --base master\
+                       --assignee "${GITHUB_ACTOR}"\
+                       --title "Update SDK version to ${{ inputs.sdk_version }}"\
+                       --body "Update Readme version references and published npm package version to ${{ inputs.sdk_version }}"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+
+      - name: Retrieve build SDK package artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: metabase-sdk
+          path: sdk
+
+      - name: Publish to NPM
+        run: |
+          cd sdk
+          echo //registry.npmjs.org/:_authToken=${{ secrets.NPM_RELEASE_TOKEN }} > .npmrc
+          npm publish
diff --git a/.github/workflows/uberjar-sdk.yml b/.github/workflows/uberjar-sdk.yml
@@ -0,0 +1,157 @@
+name: Build + Docker Uberjar for SDK
+
+on:
+  # This workflow will be called from "release-embedding-sdk.yml"
+  workflow_call:
+    inputs:
+      git_ref:
+        description: 'Valid git reference e.g. branches, tags, hashes'
+        type: string
+        required: true
+      image_name:
+        description: Docker image used to upload to Dockerhub
+        type: string
+        required: true
+
+jobs:
+  build:
+    name: Build MB ${{ matrix.edition }}
+    runs-on: ubuntu-22.04
+    timeout-minutes: 40
+    strategy:
+      matrix:
+        edition: [ee]
+    env:
+      MB_EDITION: ${{ matrix.edition }}
+      INTERACTIVE: false
+    steps:
+    - name: Check out the code
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ inputs.git_ref }}
+    - name: Prepare front-end environment
+      uses: ./.github/actions/prepare-frontend
+    - name: Prepare back-end environment
+      uses: ./.github/actions/prepare-backend
+      with:
+        m2-cache-key: uberjar
+    - name: Build
+      run: ./bin/build.sh
+    - name: Prepare uberjar artifact
+      uses: ./.github/actions/prepare-uberjar-artifact
+      with:
+        name: metabase-ee-uberjar
+
+  check_jar_health:
+    runs-on: ubuntu-22.04
+    name: Is ${{ matrix.edition }} (java ${{ matrix.java-version }}) healthy?
+    needs: build
+    timeout-minutes: 10
+    strategy:
+      matrix:
+        edition: [ee]
+        java-version: [11, 17]
+    steps:
+    - name: Prepare JRE (Java Run-time Environment)
+      uses: actions/setup-java@v4
+      with:
+        java-package: jre
+        java-version: ${{ matrix.java-version }}
+        distribution: 'temurin'
+    - run: java -version
+    - uses: actions/download-artifact@v4
+      name: Retrieve uberjar artifact
+      with:
+        name: metabase-ee-uberjar
+    - name: Launch uberjar
+      run: java -jar ./target/uberjar/metabase.jar &
+    - name: Wait for Metabase to start
+      run: while ! curl 'http://localhost:3000/api/health' | grep '{"status":"ok"}'; do sleep 1; done
+
+  containerize_test_and_push_container:
+    runs-on: ubuntu-22.04
+    name: Containerize ${{ matrix.edition }}
+    needs: check_jar_health
+    strategy:
+      matrix:
+        edition: [ee]
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      - name: Extract and clean branch name
+        shell: bash
+        run: echo "branch=$(echo $GITHUB_REF_NAME | sed 's/[^-._a-zA-Z0-9]/-/g')" >> $GITHUB_OUTPUT
+        id: extract_branch
+
+      - name: Set image name to env
+        run: echo "image_name=${{ inputs.image_name || steps.extract_branch.outputs.branch }}" >> "$GITHUB_ENV"
+
+      - name: Verify the intended tag of the container image
+        run: echo "Container image will be tagged as ${{ env.image_name }}-${{ matrix.edition }}"
+
+      - name: Check out the code (Dockerfile needed)
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.git_ref }}
+
+      - name: Download uploaded artifacts to insert into container
+        uses: actions/download-artifact@v4
+        with:
+          name: metabase-ee-uberjar
+          path: bin/docker/
+
+      - name: Move the ${{ matrix.edition }} uberjar to the context dir
+        run: mv bin/docker/target/uberjar/metabase.jar bin/docker/.
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2.5.0
+        with:
+          driver-opts: network=host
+
+      - name: Build ${{ matrix.edition }} container
+        uses: docker/build-push-action@v3
+        with:
+          context: bin/docker/.
+          platforms: linux/amd64
+          network: host
+          tags: localhost:5000/metabase-dev:${{ env.image_name }}-${{ matrix.edition }}
+          no-cache: true
+          push: true
+
+      - name: Launch ${{ matrix.edition }} container
+        run: docker run --rm -dp 3000:3000 localhost:5000/metabase-dev:${{ env.image_name }}-${{ matrix.edition }}
+        timeout-minutes: 5
+
+      - name: Is Docker running?
+        run: docker ps
+
+      - name: Wait for Metabase to start and reach 100% health
+        run: while ! curl -s 'http://localhost:3000/api/health' | grep '{"status":"ok"}'; do sleep 1; done
+        timeout-minutes: 3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Retag and push images
+        run: docker tag localhost:5000/metabase-dev:${{ env.image_name }}-ee ${{ github.repository_owner }}/metabase-dev:${{ env.image_name }} && docker push ${{ github.repository_owner }}/metabase-dev:${{ env.image_name }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        env:
+          TRIVY_OFFLINE_SCAN: true
+        with:
+          image-ref: docker.io/${{ github.repository_owner }}/metabase-dev:${{ env.image_name }}
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/package.json b/package.json
@@ -355,6 +355,7 @@
     "embedding-sdk:fixup-types-imports": "node ./bin/embedding-sdk/fixup-types-after-compilation.js",
     "embedding-sdk:generate-package": "node ./bin/embedding-sdk/generate-sdk-package-files.js",
     "embedding-sdk:publish": "cd ./resources/embedding-sdk && npm publish",
+    "embedding-sdk:test-unit": "yarn test-unit enterprise/frontend/src/embedding-sdk/",
     "eslint-fix": "yarn lint-eslint --fix",
     "generate-cypress-html-report": "mochawesome-merge cypress/reports/mochareports/*.json > cypress/reports/cypress-test-report.json && marge cypress/reports/cypress-test-report.json -o cypress/reports/mochareports --inline",
     "lint": "yarn lint-eslint && yarn lint-prettier && yarn lint-docs-links && yarn lint-yaml && yarn type-check",