From 9de7121e338692295719c44cfa2c79f7ae72c317 Mon Sep 17 00:00:00 2001 From: Christopher Butler Date: Wed, 7 May 2025 09:50:13 -0400 Subject: [PATCH 1/3] Update GHA GITHUB_TOKEN Permissions Why these changes are being introduced: There is a potential conflict between GITHUB_TOKEN permissions declared in a caller workflow (like this) and the shared workflow that is being called. After testing various combinations, the end result is as simple as setting the correct GITHUB_TOKEN permissions in the shared workflow and not declaring any permissions in the calling workflow. If there is some need to declare GITHUB_TOKEN permissions in the calling workflow, they MUST match the permissions in the shared workflow. Since checkov will throw a warning if no permissions are declared at all there is a checkov:skip comment in the caller workflow. Sadly, for an unknown reason, checkov doesn't register this skip comment and still shows a warning. How this addresses that need: * Remove all permissions declared in the caller workflows * Add a checkov:skip comment in the workflows, even though it doesn't properly work (this at least lets any future developer know that there is a good reason for not having a permissions statement in the yaml) Side effects of this change: None. Related Jira Tickets: * https://mitlibraries.atlassian.net/browse/IR-238 --- .github/workflows/dev-build.yml | 18 +++++------------- .github/workflows/prod-promote.yml | 14 +++++--------- .github/workflows/stage-build.yml | 17 +++++------------ 3 files changed, 15 insertions(+), 34 deletions(-)
diff --git a/.github/workflows/dev-build.yml b/.github/workflows/dev-build.yml
index 02a905e..2f66f83 100644
--- a/.github/workflows/dev-build.yml
+++ b/.github/workflows/dev-build.yml
@@ -1,9 +1,10 @@ ### This is the Terraform-generated dev-build.yml workflow for the ### ### docker-matomo-dev app repository. ### -### If this is a Lambda repo, uncomment the FUNCTION line at the end of the ### -### document. If the container requires any additional pre-build commands, ### -### uncomment and edit the PREBUILD line at the end of the document. ### name: Dev Container Build and Deploy + +# checkov:skip=CKV2_GHA_1:The shared workflow contains the permissions constraints +# NOTE: The above checkov skip command doesn't actually work and this workflow +# will always show a checkov warning. on: workflow_dispatch: pull_request:
@@ -12,21 +13,12 @@ on: paths-ignore: - '.github/**' -permissions: read-all - jobs: deploy: - # These permissions are needed to interact with GitHub's OIDC Token endpoint. - permissions: - id-token: write - contents: read - name: Dev Container Deploy - uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-dev.yml@main + uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-dev.yml@INFRA-526 secrets: inherit with: AWS_REGION: "us-east-1" GHA_ROLE: "docker-matomo-gha-dev" ECR: "docker-matomo-dev" - # FUNCTION: "" - # PREBUILD:
diff --git a/.github/workflows/prod-promote.yml b/.github/workflows/prod-promote.yml
index 40d7675..345c36a 100644
--- a/.github/workflows/prod-promote.yml
+++ b/.github/workflows/prod-promote.yml
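Review bot: With the job-level `permissions` block gone from the `deploy` job in the second hunk, the token scope the shared workflow receives is no longer stated in this file and, as far as I can tell, falls back to the repository's default GITHUB_TOKEN permissions, so the explicit least-privilege pair (`id-token: write`, `contents: read`) that used to bound the OIDC role assumption is now only enforced on the callee side; the same removal is made to `prod-promote.yml` and `stage-build.yml` in the hunks that follow. The commit message says a caller declaration is acceptable when it exactly matches the shared workflow, so restoring a matching job-level block would keep that scope visible in this repo and would likely satisfy CKV2_GHA_1 without the skip comment that the new `NOTE:` admits does not work — worth confirming that an exact match was among the tested combinations. The same hunk also moves `uses:` from `@main` to `@INFRA-526`, which this commit's message does not mention; `prod-promote.yml` and `stage-build.yml` receive the same branch ref in the second patch of the series. A feature branch is a mutable target for a job that assumes the `docker-matomo-gha-dev` role, so either pin the branch's full commit SHA, `uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-dev.yml@<commit-sha-of-INFRA-526>`, or at least record the intent in the file, e.g. `# TEMPORARY (INFRA-526): revert to @main once the mitlibraries/.github PR merges`.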
@@ -1,22 +1,18 @@ ### This is the Terraform-generated prod-promote.yml workflow for the ### ### docker-matomo-prod repository. ### -### If this is a Lambda repo, uncomment the FUNCTION line at the end of the ### -### document. ### + name: Prod Container Promote +# checkov:skip=CKV2_GHA_1:The shared workflow contains the permissions constraints +# NOTE: The above checkov skip command doesn't actually work and this workflow +# will always show a checkov warning. + on: workflow_dispatch: release: types: [published] -permissions: read-all - jobs: deploy: - # These permissions are needed to interact with GitHub's OIDC Token endpoint. - permissions: - id-token: write - contents: read - name: Prod Container Promote uses: mitlibraries/.github/.github/workflows/ecr-shared-promote-prod.yml@main secrets: inherit
diff --git a/.github/workflows/stage-build.yml b/.github/workflows/stage-build.yml
index bab5ad8..801799c 100644
--- a/.github/workflows/stage-build.yml
+++ b/.github/workflows/stage-build.yml
@@ -1,9 +1,10 @@ ### This is the Terraform-generated dev-build.yml workflow for the ### ### docker-matomo-stage app repository. ### -### If this is a Lambda repo, uncomment the FUNCTION line at the end of the ### -### document. If the container requires any additional pre-build commands, ### -### uncomment and edit the PREBUILD line at the end of the document. ### name: Stage Container Build and Deploy +# checkov:skip=CKV2_GHA_1:The shared workflow contains the permissions constraints +# NOTE: The above checkov skip command doesn't actually work and this workflow +# will always show a checkov warning. + on: workflow_dispatch: push:
@@ -12,15 +13,8 @@ on: paths-ignore: - '.github/**' -permissions: read-all - jobs: deploy: - # These permissions are needed to interact with GitHub's OIDC Token endpoint. - permissions: - id-token: write - contents: read - name: Stage Container Deploy uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-stage.yml@main secrets: inherit
@@ -28,5 +22,4 @@ jobs: AWS_REGION: "us-east-1" GHA_ROLE: "docker-matomo-gha-stage" ECR: "docker-matomo-stage" - # FUNCTION: "" - # PREBUILD: + From 04eda4aa155ca1df710684deac7db9d75ce67ccc Mon Sep 17 00:00:00 2001 From: Christopher Butler Date: Thu, 8 May 2025 21:34:52 -0400 Subject: [PATCH 2/3] TEMPORARY: Update Workflows Why these changes are being introduced: We are using this docker-matomo repository to verify that the updates to the shared workflows for our automated deployment are working properly. Once this is all the way through to Prod, we'll merge the PR on the .github repo and then go through this again to clean up the workflows. How this addresses that need: * Update the workflows to point to a branch in the .github repository to use updated versions of our shared deployment workflows --- .github/workflows/prod-promote.yml | 3 ++- .github/workflows/stage-build.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/prod-promote.yml b/.github/workflows/prod-promote.yml
index 345c36a..d1741d1 100644
--- a/.github/workflows/prod-promote.yml
+++ b/.github/workflows/prod-promote.yml
@@ -2,6 +2,7 @@ ### docker-matomo-prod repository. ### name: Prod Container Promote + # checkov:skip=CKV2_GHA_1:The shared workflow contains the permissions constraints # NOTE: The above checkov skip command doesn't actually work and this workflow # will always show a checkov warning.
@@ -14,7 +15,7 @@ on: jobs: deploy: name: Prod Container Promote - uses: mitlibraries/.github/.github/workflows/ecr-shared-promote-prod.yml@main + uses: mitlibraries/.github/.github/workflows/ecr-shared-promote-prod.yml@INFRA-526 secrets: inherit with: AWS_REGION: "us-east-1"
diff --git a/.github/workflows/stage-build.yml b/.github/workflows/stage-build.yml
index 801799c..f7a5fc7 100644
--- a/.github/workflows/stage-build.yml
+++ b/.github/workflows/stage-build.yml
@@ -1,6 +1,7 @@ ### This is the Terraform-generated dev-build.yml workflow for the ### ### docker-matomo-stage app repository. ### name: Stage Container Build and Deploy + # checkov:skip=CKV2_GHA_1:The shared workflow contains the permissions constraints # NOTE: The above checkov skip command doesn't actually work and this workflow # will always show a checkov warning.
@@ -16,7 +17,7 @@ on: jobs: deploy: name: Stage Container Deploy - uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-stage.yml@main + uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-stage.yml@INFRA-526 secrets: inherit with: AWS_REGION: "us-east-1" From cb34c66ec2385327b85d9301b7fe7c4cb89a195b Mon Sep 17 00:00:00 2001 From: Christopher Butler Date: Thu, 8 May 2025 21:37:32 -0400 Subject: [PATCH 3/3] Update to Matomo 5.3.3 and Fix TagManager Why these changes are being introduced: Along with the 5.3.3 upgrade, we are enabling the TagManager plugin. We just discovered that the TagManager plugin had been enabled via the Matomo UI in Prod, but since this was never captured in the container definition here, it did not persist. NOTE: The steps documented in the HOWTO have already been followed in Dev1, Stage-Workloads, and Prod-Workloads. How this addresses that need: * Create a HOWTO to document the difficulty in enabling the TagManager plugin in our environment * Update the config.ini.php file to reflect the activation of the TagManager plugin * Update the Dockerfile to update to the latest version of Matomo Side effects of this change: None. Relevant ticket(s): * https://mitlibraries.atlassian.net/browse/WEB-2064 * https://mitlibraries.atlassian.net/browse/INFRA-526 --- Dockerfile | 4 ++-- docs/HowTos/HOWTO-activate-TagManager.md | 21 +++++++++++++++++++++ files/config.ini.php | 1 + 3 files changed, 24 insertions(+), 2 deletions(-) create mode 100644 docs/HowTos/HOWTO-activate-TagManager.md
diff --git a/Dockerfile b/Dockerfile
index 2c62177..69eb01e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@ -FROM matomo:5.3.1 +FROM matomo:5.3.2 # checkov:skip=CKV_DOCKER_2:Skipping HEALTHCHECK configuration for now - # checkov:skip=CKV_DOCKER_3:Intentionally using root for the user + # checkov:skip=CKV_DOCKER_3:The container actually runs as www-data user # Add the EnvironmentVariables plugin COPY ./files/plugin-EnvironmentVariables-5.0.3/ /var/www/html/plugins/EnvironmentVariables
diff --git a/docs/HowTos/HOWTO-activate-TagManager.md b/docs/HowTos/HOWTO-activate-TagManager.md new file mode 100644
index 0000000..427a7cc
--- /dev/null
+++ b/docs/HowTos/HOWTO-activate-TagManager.md
@@ -0,0 +1,21 @@ +# TagManager core plugin activation + +Turns out that the TagManager core plugin needs some extra care and attention if it wasn't initially enabled when first starting with Matomo. Attempting to activate it the usual way causes Matomo to break. + +This GitHub Issue documents that problem and provides a simple (but strange) solution: + +* [Issue: Can't install TagManager plugin because table _tagmanager_container is missing](https://github.com/matomo-org/matomo/issues/19474) + +For our container-based deploy, this means + +1. connect to the running container +1. ensure that a simple text editor is available in the container +1. deactivate the TagManager plugin: `./console plugin:deactivate TagManager` +1. edit the config/config.ini.php file to remove the `PluginsInstalled[] = "TagManager"` line +1. run the `core:update` command: `./console core:update` (nothing should happen) +1. activate the TagManager plugin: `./console plugin:activate TagManager` +1. run the `core:update` command again: `./console core:update` (nothing should happen) + +The appropriate updates to the database will now be in place. + +At this point, proceed with updates to this repository by updating the `config.ini.php` file to match the file from the container.
diff --git a/files/config.ini.php b/files/config.ini.php
index 85d1818..3854dee 100644
--- a/files/config.ini.php
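Review bot: The new `FROM` line pins `matomo:5.3.2`, while the patch subject and message describe this as the update to Matomo 5.3.3 — one of the two is wrong, and the tag is what actually gets built. Whichever version is meant, a tag alone is mutable; pinning the digest as well, `FROM matomo:5.3.2@sha256:<image-digest>`, makes the base image reproducible and lets a later reviewer or scanner verify exactly what was deployed. The rewritten CKV_DOCKER_3 skip reason asserts the container runs as `www-data`, but nothing in the lines shown sets a `USER` (the rest of the Dockerfile is outside the hunk); if that depends on the base image's entrypoint dropping privileges, say so in the comment, e.g. `# checkov:skip=CKV_DOCKER_3:No USER set here on purpose; the base image entrypoint runs the service as www-data`, so the justification can be checked against the image rather than taken on faith.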
+++ b/files/config.ini.php
@@ -96,6 +96,7 @@ Plugins[] = "CustomDimensions" Plugins[] = "FeatureFlags" Plugins[] = "MobileAppMeasurable" +Plugins[] = "TagManager" Plugins[] = "CustomVariables" Plugins[] = "EnvironmentVariables" Plugins[] = "HeatmapSessionRecording"
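Review bot: Only `Plugins[] = "TagManager"` is added here, while the HOWTO in this same patch revolves around the plugin's `PluginsInstalled[]` entry and finishes by telling the reader to make this file match the container's `config.ini.php` after activation. If the activated container also carries `PluginsInstalled[] = "TagManager"`, that line is missing from this commit and the next fresh container would start from a config that differs from what was verified in the running container; the `[PluginsInstalled]` section is outside this hunk, so this may simply be a diff-view gap, but it is worth confirming before merge. The enclosing `[Plugins]` section header also starts outside the hunk.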