GitHub Secrets for Metabase Deployment (socat approach)
✅ Good News: No Secret Values Need to Change
The existing METABASE_DB_CONNECTION_URI secrets are already in the correct format for the socat approach. The workflow parses this URI and extracts the necessary connection details.
Required Secrets
These secrets must be set in GitHub Actions for both staging and production environments.
1. METABASE_DB_CONNECTION_URI (Required)
Format: PostgreSQL connection URI with Unix socket path in the host query parameter
Staging:
postgresql://metabase_user:pDOiV4mWp0UmC8cmCblyASd7BvQbJY4L@/metabase?host=/cloudsql/barto-dev:us-central1:metabase-db-staging
Production:
postgresql://metabase_user:iNE3VNQz1qYH9OLi64XQwG5K9CVM%2FfJv@/metabase?host=/cloudsql/barto-prod:us-central1:metabase-db-production
What the workflow does:
- Parses this URI to extract: user, password, dbname, and Cloud SQL instance name
- Sets individual MB_DB_* environment variables:
  - MB_DB_TYPE=postgres
  - MB_DB_DBNAME=<dbname>
  - MB_DB_USER=<user>
  - MB_DB_PASS=<password>
  - MB_DB_HOST=127.0.0.1 ← Metabase connects here (socat forwards to Unix socket)
  - MB_DB_PORT=5432
- Sets CLOUD_SQL_INSTANCE_METADATA environment variable for the startup script
Important: The password in the URI must be URL-encoded if it contains special characters (see below).
2. METABASE_SITE_URL (Optional, but recommended)
Description: Public URL of the Metabase instance
Note: Update this after the first successful deployment with the actual Cloud Run service URL. The workflow will display the URL after deployment.
Example (Staging):
https://flowpos-metabase-staging-xxxxx.a.run.app
Example (Production):
https://flowpos-metabase-production-xxxxx.a.run.app
3. METABASE_EMBED_SECRET_KEY (Required)
Description: JWT secret key for generating embedded Metabase URLs. Must match the value used in your backend application.
Example:
JgFkxtEZcrFLe10MYvewNRN43fkQ8uxOzDpvLUOEsiA=
Important: This secret must be identical in both:
- GitHub Actions secrets (for Metabase)
- Backend application secrets (for generating embed URLs)
4. MB_ANON_TRACKING_ENABLED (Optional)
Description: Disable anonymous usage tracking
Default: false
Value:
false
5. MB_ENABLE_PUBLIC_SHARING (Optional)
Description: Enable/disable public sharing of dashboards and questions
Default: false
Value:
false
URL Encoding for Passwords
If your password contains special characters, they must be URL-encoded in the connection URI:
| Character | Encoded |
|---|---|
| / | %2F |
| @ | %40 |
| : | %3A |
| # | %23 |
| ? | %3F |
| & | %26 |
| = | %3D |
| + | %2B |
| % | %25 |
Example (Production password):
- Actual password: iNE3VNQz1qYH9OLi64XQwG5K9CVM/fJv
- URL-encoded: iNE3VNQz1qYH9OLi64XQwG5K9CVM%2FfJv
- Connection URI: postgresql://metabase_user:iNE3VNQz1qYH9OLi64XQwG5K9CVM%2FfJv@/metabase?host=/cloudsql/barto-prod:us-central1:metabase-db-production
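The parsing step under "What the workflow does" and the encoding rule above can be checked together. The following is an added example, not the workflow's own code: it builds a URI with a percent-encoded password, parses it back into the MB_DB_* values, and rejects a URI whose password was left unencoded. The function names and sample values are constructed, and it assumes that MB_DB_PASS receives the decoded password and that CLOUD_SQL_INSTANCE_METADATA holds the instance name.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit

SOCKET_PREFIX = "/cloudsql/"


def build_uri(user, password, dbname, instance):
    """Compose the URI, percent-encoding every reserved character in the credentials."""
    return (f"postgresql://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@/{dbname}?host={SOCKET_PREFIX}{instance}")


def parse_uri(uri):
    """Return the MB_DB_* values plus the Cloud SQL instance, or raise ValueError."""
    parts = urlsplit(uri)
    if parts.scheme not in ("postgresql", "postgres"):
        raise ValueError("scheme must be postgresql://")
    # An unencoded '/', '?' or '#' in the password ends the authority early,
    # so the '@' is never seen and the userinfo comes back empty.
    if parts.username is None or parts.password is None:
        raise ValueError("missing user:password@ (is the password URL-encoded?)")
    dbname = parts.path.lstrip("/")
    hosts = parse_qs(parts.query).get("host", [])
    if not dbname or len(hosts) != 1 or not hosts[0].startswith(SOCKET_PREFIX):
        raise ValueError("expected /<dbname>?host=/cloudsql/<instance>")
    instance = hosts[0][len(SOCKET_PREFIX):]
    if instance.count(":") != 2:
        raise ValueError("instance must be project:region:name")
    return {
        "MB_DB_TYPE": "postgres",
        "MB_DB_DBNAME": dbname,
        "MB_DB_USER": unquote(parts.username),
        "MB_DB_PASS": unquote(parts.password),  # decoded form (assumption)
        "MB_DB_HOST": "127.0.0.1",  # socat listener, as described above
        "MB_DB_PORT": "5432",
        "CLOUD_SQL_INSTANCE_METADATA": instance,  # value is an assumption
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    uri = build_uri("metabase_user", "p/w@rd:1+%", "metabase",
                    "example-project:us-central1:example-db")
    env = parse_uri(uri)
    # Never print the password itself in CI logs.
    print({k: ("***" if k == "MB_DB_PASS" else v) for k, v in env.items()})
```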
Summary: Secrets Checklist
Staging Environment
- ✅ METABASE_DB_CONNECTION_URI - Already correct, no change needed
- ⚠️ METABASE_SITE_URL - Update after first deployment
- ✅ METABASE_EMBED_SECRET_KEY - Should already be set
- ✅ MB_ANON_TRACKING_ENABLED - Optional (defaults to false)
- ✅ MB_ENABLE_PUBLIC_SHARING - Optional (defaults to false)
Production Environment
- ✅ METABASE_DB_CONNECTION_URI - Already correct, no change needed
- ⚠️ METABASE_SITE_URL - Update after first deployment
- ✅ METABASE_EMBED_SECRET_KEY - Should already be set
- ✅ MB_ANON_TRACKING_ENABLED - Optional (defaults to false)
- ✅ MB_ENABLE_PUBLIC_SHARING - Optional (defaults to false)
How to Update Secrets in GitHub
- Go to your repository on GitHub
- Navigate to Settings → Secrets and variables → Actions
- Select the environment (staging or production)
- Click Update on the secret you want to modify
- Paste the new value and click Update secret
Verification
After setting/updating secrets, the workflow will validate them during deployment:
- ✅ Checks that METABASE_DB_CONNECTION_URI is set and in the correct format
- ✅ Validates that METABASE_EMBED_SECRET_KEY is set
- ⚠️ Warns if METABASE_SITE_URL is not set (but continues deployment)