fix: add Hub and Cube env vars to Docker build secrets

[Dhruwang]

Summary

• Makes HUB_API_URL, HUB_API_KEY, CUBEJS_API_URL, and CUBEJS_API_SECRET required in env.ts — Hub and Cube are mandatory in v5
• Adds all four as Docker build secrets with dummy fallbacks
• Fixes the 5.0.0-beta.1 Docker release build failure

Changes

• apps/web/lib/env.ts — HUB_API_KEY: z.string().trim().min(1), CUBEJS_API_SECRET: z.string().trim().min(1), CUBEJS_API_URL: z.url() (HUB_API_URL was already required)
• read-secrets.sh — reads Hub and Cube secrets with fallbacks
• Dockerfile — mounts hub_api_url, hub_api_key, cubejs_api_url, cubejs_api_secret secrets
• build-and-push-docker/action.yml — passes new secrets and env vars to Depot build
• All Docker workflows — provides dummy values from secrets.*

Required repo secrets

Secret	Value
DUMMY_HUB_API_URL	http://localhost:4000
DUMMY_HUB_API_KEY	any non-empty string
DUMMY_CUBEJS_API_URL	http://localhost:4000
DUMMY_CUBEJS_API_SECRET	any non-empty string

Note: read-secrets.sh has built-in fallbacks, so builds won't break before secrets are added.

Test plan

• Re-run the release Docker build to verify it passes
• Verify docker-build-validation workflow passes on this PR
• Add the 4 new repo secrets listed above

🤖 Generated with Claude Code

[coderabbitai]

Walkthrough

This pull request adds a new hub_api_url build secret throughout the Docker build and CI/CD pipeline. The change flows from the composite GitHub Action definition through workflow environment setup, into the Dockerfile secret mounting, and finally to the runtime script that reads and exports the secret. The composite action now passes hub_api_url to the underlying build tool, workflows supply the DUMMY_HUB_API_URL environment variable, the Dockerfile mounts it as a BuildKit secret, and the read-secrets.sh script loads it with a fallback value when unavailable.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The PR title references 'Hub and Cube' but the raw_summary shows only HUB_API_URL changes, while the description mentions CUBEJS vars that aren't reflected in the title.	Clarify if both Hub and Cube changes are included; if so, the title accurately reflects both main changes, making it complete.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description provides comprehensive context on purpose, changes made, and test plan, covering most template requirements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud