GitHub Secrets Reference for Metabase Deployment

This document lists all GitHub Secrets that need to be configured for Metabase deployment in GitHub Actions.

Required Secrets

These secrets must be set in GitHub for both staging and production environments.

Metabase Database Configuration

Secret Name	Description	Example Value	Required
METABASE_DB_TYPE	Database type	postgres	No (defaults to postgres)
METABASE_DB_NAME	Metabase metadata database name	metabase	No (defaults to metabase)
METABASE_DB_USER	Metabase metadata database user	metabase_user	No (defaults to metabase_user)
METABASE_DB_PASS	Metabase metadata database password	pDOiV4mWp0UmC8cmCblyASd7BvQbJY4L (staging) iNE3VNQz1qYH9OLi64XQwG5K9CVM/fJv (production)	Yes
METABASE_DB_CONNECTION_URI	Full connection URI for Metabase metadata DB	See values below	Yes

Metabase Application Configuration

Secret Name	Description	Example Value	Required
METABASE_SITE_URL	Metabase public URL	https://flowpos-metabase-staging-xxxxx.a.run.app (staging) https://flowpos-metabase-production-xxxxx.a.run.app (production)	No (can update after deployment)
METABASE_EMBED_SECRET_KEY	JWT secret for embedding (must match backend)	JgFkxtEZcrFLe10MYvewNRN43fkQ8uxOzDpvLUOEsiA=	Yes
MB_ANON_TRACKING_ENABLED	Disable anonymous tracking	false	No (defaults to false)
MB_ENABLE_PUBLIC_SHARING	Disable public sharing	false	No (defaults to false)

Backend Configuration (for Metabase integration)

These should also be set in the backend deployment secrets:

Secret Name	Description	Required
METABASE_SITE_URL	Metabase public URL (same as above)	Yes (after first deployment)
METABASE_EMBED_SECRET_KEY	JWT secret (must match Metabase)	Yes

How to Set GitHub Secrets

For Staging Environment

1. Go to your GitHub repository
2. Navigate to: Settings → Secrets and variables → Actions
3. Click on "staging" environment (or create it if it doesn't exist)
4. Click "New secret" and add each secret listed above

For Production Environment

1. Go to your GitHub repository
2. Navigate to: Settings → Secrets and variables → Actions
3. Click on "production" environment (or create it if it doesn't exist)
4. Click "New secret" and add each secret listed above

Complete Secret Values Reference

Staging Environment (barto-dev)

All values to set in GitHub Secrets (staging environment):

Secret Name	Value
METABASE_DB_TYPE	postgres
METABASE_DB_NAME	metabase
METABASE_DB_USER	metabase_user
METABASE_DB_PASS	pDOiV4mWp0UmC8cmCblyASd7BvQbJY4L
METABASE_DB_CONNECTION	barto-dev:us-central1:metabase-db-staging
METABASE_DB_CONNECTION_URI	postgresql://metabase_user:pDOiV4mWp0UmC8cmCblyASd7BvQbJY4L@/metabase?host=/cloudsql/barto-dev:us-central1:metabase-db-staging
METABASE_SITE_URL	https://flowpos-metabase-staging-xxxxx.a.run.app ⚠️ Update after deployment
METABASE_EMBED_SECRET_KEY	JgFkxtEZcrFLe10MYvewNRN43fkQ8uxOzDpvLUOEsiA=
MB_ANON_TRACKING_ENABLED	false
MB_ENABLE_PUBLIC_SHARING	false

Quick Copy Values:

• METABASE_DB_CONNECTION_URI: postgresql://metabase_user:pDOiV4mWp0UmC8cmCblyASd7BvQbJY4L@/metabase?host=/cloudsql/barto-dev:us-central1:metabase-db-staging
• METABASE_DB_PASS: pDOiV4mWp0UmC8cmCblyASd7BvQbJY4L
• METABASE_EMBED_SECRET_KEY: JgFkxtEZcrFLe10MYvewNRN43fkQ8uxOzDpvLUOEsiA=
• METABASE_SITE_URL: https://flowpos-metabase-staging-xxxxx.a.run.app (update after deployment)

Production Environment (barto-prod)

All values to set in GitHub Secrets (production environment):

Secret Name	Value
METABASE_DB_TYPE	postgres
METABASE_DB_NAME	metabase
METABASE_DB_USER	metabase_user
METABASE_DB_PASS	iNE3VNQz1qYH9OLi64XQwG5K9CVM/fJv
METABASE_DB_CONNECTION	barto-prod:us-central1:metabase-db-production
METABASE_DB_CONNECTION_URI	postgresql://metabase_user:iNE3VNQz1qYH9OLi64XQwG5K9CVM%2FfJv@/metabase?host=/cloudsql/barto-prod:us-central1:metabase-db-production
METABASE_SITE_URL	https://flowpos-metabase-production-xxxxx.a.run.app ⚠️ Update after deployment
METABASE_EMBED_SECRET_KEY	JgFkxtEZcrFLe10MYvewNRN43fkQ8uxOzDpvLUOEsiA=
MB_ANON_TRACKING_ENABLED	false
MB_ENABLE_PUBLIC_SHARING	false

Quick Copy Values:

• METABASE_DB_CONNECTION_URI: postgresql://metabase_user:iNE3VNQz1qYH9OLi64XQwG5K9CVM%2FfJv@/metabase?host=/cloudsql/barto-prod:us-central1:metabase-db-production
• METABASE_DB_PASS: iNE3VNQz1qYH9OLi64XQwG5K9CVM/fJv
• METABASE_EMBED_SECRET_KEY: JgFkxtEZcrFLe10MYvewNRN43fkQ8uxOzDpvLUOEsiA=
• METABASE_SITE_URL: https://flowpos-metabase-production-xxxxx.a.run.app (update after deployment)

Note: The / in the password is URL-encoded as %2F in the connection URI above

URL Encoding for Passwords

If your password contains special characters, they must be URL-encoded in the connection URI:

Character	Encoded
/	%2F
@	%40
:	%3A
#	%23
?	%3F
&	%26
=	%3D
+	%2B
%	%25

Example (Production password):

• Password: iNE3VNQz1qYH9OLi64XQwG5K9CVM/fJv
• Encoded: iNE3VNQz1qYH9OLi64XQwG5K9CVM%2FfJv
• Connection URI: postgresql://metabase_user:iNE3VNQz1qYH9OLi64XQwG5K9CVM%2FfJv@/metabase?host=/cloudsql/barto-prod:us-central1:metabase-db-production

Verification

After setting secrets, verify they're accessible:

# The workflow will validate secrets during deployment
# Check GitHub Actions logs for validation output

Important Notes

1. JWT Secret Consistency: The METABASE_EMBED_SECRET_KEY must be exactly the same in:

   • GitHub Secrets (staging environment)
   • GitHub Secrets (production environment)
   • Backend GitHub Secrets (staging)
   • Backend GitHub Secrets (production)

2. Site URL Update: METABASE_SITE_URL should be updated after the first deployment with the actual Cloud Run service URL. You can get it from:

   gcloud run services describe flowpos-metabase-<env> \
     --region=us-central1 \
     --project=<project-id> \
     --format="value(status.url)"

3. Connection URI: The connection URI uses Unix socket format for Cloud SQL, which is more reliable than private IP connections.

4. Environment-Specific: Make sure to set secrets in the correct environment (staging vs production) in GitHub.

Related Documentation

• Secrets Reference (Doppler): secrets/METABASE_SECRETS_REFERENCE.md
• Deployment Guide: docs/metabase/deployment-guide.md
• Implementation Plan: docs/metabase/implementation-plan.md