INFRA-526 and WEB-2064: Update to 5.3.2 and enable TagManager

.github/workflows/dev-build.yml

@@ -1,9 +1,10 @@
 ### This is the Terraform-generated dev-build.yml workflow for the          ###
 ### docker-matomo-dev app repository.                                       ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the ###
-### document. If the container requires any additional pre-build commands,  ###
-### uncomment and edit the PREBUILD line at the end of the document.        ###
 name: Dev Container Build and Deploy
+
+# checkov:skip=CKV2_GHA_1:The shared workflow contains the permissions constraints
+# NOTE: The above checkov skip command doesn't actually work and this workflow
+#       will always show a checkov warning.
 on:
   workflow_dispatch:
   pull_request:
@@ -12,21 +13,12 @@ on:
     paths-ignore:
       - '.github/**'
 
-permissions: read-all
-
 jobs:
   deploy:
-    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
-    permissions:
-      id-token: write
-      contents: read
-
     name: Dev Container Deploy
-    uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-dev.yml@main
+    uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-dev.yml@INFRA-526
     secrets: inherit
     with:
       AWS_REGION: "us-east-1"
       GHA_ROLE: "docker-matomo-gha-dev"
       ECR: "docker-matomo-dev"
-      # FUNCTION: ""
-      # PREBUILD: 

.github/workflows/prod-promote.yml

@@ -1,24 +1,21 @@
 ### This is the Terraform-generated prod-promote.yml workflow for the       ###
 ### docker-matomo-prod repository.                                          ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the ###
-### document.                                                               ###
+
 name: Prod Container Promote
+
+# checkov:skip=CKV2_GHA_1:The shared workflow contains the permissions constraints
+# NOTE: The above checkov skip command doesn't actually work and this workflow
+#       will always show a checkov warning.
+
 on:
   workflow_dispatch:
   release:
     types: [published]
 
-permissions: read-all
-
 jobs:
   deploy:
-    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
-    permissions:
-      id-token: write
-      contents: read
-
     name: Prod Container Promote
-    uses: mitlibraries/.github/.github/workflows/ecr-shared-promote-prod.yml@main
+    uses: mitlibraries/.github/.github/workflows/ecr-shared-promote-prod.yml@INFRA-526
     secrets: inherit
     with:
       AWS_REGION: "us-east-1"

.github/workflows/stage-build.yml

@@ -1,9 +1,11 @@
 ### This is the Terraform-generated dev-build.yml workflow for the          ###
 ### docker-matomo-stage app repository.                                     ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the ###
-### document. If the container requires any additional pre-build commands,  ###
-### uncomment and edit the PREBUILD line at the end of the document.        ###
 name: Stage Container Build and Deploy
+
+# checkov:skip=CKV2_GHA_1:The shared workflow contains the permissions constraints
+# NOTE: The above checkov skip command doesn't actually work and this workflow
+#       will always show a checkov warning.
+
 on:
   workflow_dispatch:
   push:
@@ -12,21 +14,13 @@ on:
     paths-ignore:
       - '.github/**'
 
-permissions: read-all
-
 jobs:
   deploy:
-    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
-    permissions:
-      id-token: write
-      contents: read
-
     name: Stage Container Deploy
-    uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-stage.yml@main
+    uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-stage.yml@INFRA-526
     secrets: inherit
     with:
       AWS_REGION: "us-east-1"
       GHA_ROLE: "docker-matomo-gha-stage"
       ECR: "docker-matomo-stage"
-      # FUNCTION: ""
-      # PREBUILD: 
+

Dockerfile

@@ -1,6 +1,6 @@
-FROM matomo:5.3.1
+FROM matomo:5.3.2
   # checkov:skip=CKV_DOCKER_2:Skipping HEALTHCHECK configuration for now
-  # checkov:skip=CKV_DOCKER_3:Intentionally using root for the user
+  # checkov:skip=CKV_DOCKER_3:The container actually runs as www-data user
 
 # Add the EnvironmentVariables plugin
 COPY ./files/plugin-EnvironmentVariables-5.0.3/ /var/www/html/plugins/EnvironmentVariables

docs/HowTos/HOWTO-activate-TagManager.md

@@ -0,0 +1,21 @@
+# TagManager core plugin activation
+
+Turns out that the TagManager core plugin needs some extra care and attention if it wasn't initially enabled when first starting with Matomo. Attempting to activate it the usual way causes Matomo to break.
+
+This GitHub Issue documents that problem and provides a simple (but strange) solution:
+
+* [Issue: Can't install TagManager plugin because table _tagmanager_container is missing](https://github.com/matomo-org/matomo/issues/19474)
+
+For our container-based deploy, this means
+
+1. connect to the running container
+1. ensure that a simple text editor is available in the container
+1. deactivate the TagManager plugin: `./console plugin:deactivate TagManager`
+1. edit the config/config.ini.php file to remove the `PluginsInstalled[] = "TagManager"` line
+1. run the `core:update` command: `./console core:update` (nothing should happen)
+1. activate the TagManager plugin: `./console plugin:activate TagManager`
+1. run the `core:update` command again: `./console core:update` (nothing should happen)
+
+The appropriate updates to the database will now be in place.
+
+At this point, proceed with updates to this repository by updating the `config.ini.php` file to match the file from the container.

files/config.ini.php

@@ -96,6 +96,7 @@
 Plugins[] = "CustomDimensions"
 Plugins[] = "FeatureFlags"
 Plugins[] = "MobileAppMeasurable"
+Plugins[] = "TagManager"
 Plugins[] = "CustomVariables"
 Plugins[] = "EnvironmentVariables"
 Plugins[] = "HeatmapSessionRecording"