Merge pull request #10703 from ieQu1/replay

Sync master and refactor

.ci/docker-compose-file/.env

@@ -6,23 +6,10 @@ LDAP_TAG=2.4.50
 INFLUXDB_TAG=2.5.0
 TDENGINE_TAG=3.0.2.4
 DYNAMO_TAG=1.21.0
-CASSANDRA_TAG=3.11
-MINIO_TAG=RELEASE.2023-03-20T20-16-18Z
+CASSANDRA_TAG=3.11.6
 OPENTS_TAG=9aa7f88
-KINESIS_TAG=2.1
-HSTREAMDB_TAG=v0.19.3
-HSTREAMDB_ZK_TAG=3.8.1
 
 MS_IMAGE_ADDR=mcr.microsoft.com/mssql/server
 SQLSERVER_TAG=2019-CU19-ubuntu-20.04
 
-
-# Password for the 'elastic' user (at least 6 characters)
-ELASTIC_PASSWORD="emqx123"
-# Password for the 'kibana_system' user (at least 6 characters)
-KIBANA_PASSWORD="emqx123"
-# Version of Elastic products
-ELASTIC_TAG=8.11.4
-LICENSE=basic
-
 TARGET=emqx/emqx

.ci/docker-compose-file/cassandra/Dockerfile

@@ -0,0 +1,4 @@
+ARG CASSANDRA_TAG=3.11.6
+FROM cassandra:${CASSANDRA_TAG}
+COPY cassandra.yaml /etc/cassandra/cassandra.yaml
+CMD ["cassandra", "-f"]

.ci/docker-compose-file/credentials.env

@@ -1,7 +0,0 @@
-MONGO_USERNAME=emqx
-MONGO_PASSWORD=passw0rd
-MONGO_AUTHSOURCE=admin
-
-# See "Environment Variables" @ https://hub.docker.com/_/mongo
-MONGO_INITDB_ROOT_USERNAME=${MONGO_USERNAME}
-MONGO_INITDB_ROOT_PASSWORD=${MONGO_PASSWORD}

.ci/docker-compose-file/docker-compose-azurite.yaml

@@ -1,24 +0,0 @@
-version: '3.9'
-
-services:
-  azurite:
-    container_name: azurite
-    image: mcr.microsoft.com/azure-storage/azurite:3.30.0
-    restart: always
-    expose:
-      - "10000"
-    # ports:
-    #   - "10000:10000"
-    networks:
-      - emqx_bridge
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:10000"]
-      interval: 30s
-      timeout: 5s
-      retries: 4
-    command:
-      - azurite-blob
-      - "--blobHost"
-      - 0.0.0.0
-      - "-d"
-      - debug.log

.ci/docker-compose-file/docker-compose-cassandra.yaml

@@ -1,38 +1,32 @@
 version: '3.9'
 
-x-cassandra: &cassandra
-  restart: always
-  image: public.ecr.aws/docker/library/cassandra:${CASSANDRA_TAG:-3.11}
-  environment:
-    CASSANDRA_BROADCAST_ADDRESS: "1.2.3.4"
-    CASSANDRA_RPC_ADDRESS: "0.0.0.0"
-    HEAP_NEWSIZE: "128M"
-    MAX_HEAP_SIZE: "2048M"
-  #ports:
-  #  - "9042:9042"
-  #  - "9142:9142"
-  command:
-    - /bin/bash
-    - -c
-    - |
-      /opt/cassandra/bin/cassandra -f -R > /cassandra.log &
-      /opt/cassandra/bin/cqlsh -u cassandra -p cassandra -e "CREATE KEYSPACE mqtt WITH REPLICATION = { 'class':'SimpleStrategy','replication_factor':1};"
-      while [[ $$? -ne 0 ]];do sleep 5; /opt/cassandra/bin/cqlsh -u cassandra -p cassandra -e "CREATE KEYSPACE mqtt WITH REPLICATION = { 'class':'SimpleStrategy','replication_factor':1};"; done
-      /opt/cassandra/bin/cqlsh -u cassandra -p cassandra -e "describe keyspaces;"
-      tail -f /cassandra.log
-  networks:
-    - emqx_bridge
-
 services:
   cassandra_server:
-    <<: *cassandra
     container_name: cassandra
+    build:
+      context: ./cassandra
+      args:
+        CASSANDRA_TAG: ${CASSANDRA_TAG}
+    image: emqx-cassandra
+    restart: always
+    environment:
+      CASSANDRA_BROADCAST_ADDRESS: "1.2.3.4"
+      CASSANDRA_RPC_ADDRESS: "0.0.0.0"
+      HEAP_NEWSIZE: "128M"
+      MAX_HEAP_SIZE: "2048M"
     volumes:
       - ./certs:/certs
-      - ./cassandra/cassandra.yaml:/etc/cassandra/cassandra.yaml
-  cassandra_noauth_server:
-    <<: *cassandra
-    container_name: cassandra_noauth
-    volumes:
-      - ./certs:/certs
-      - ./cassandra/cassandra_noauth.yaml:/etc/cassandra/cassandra.yaml
+    #ports:
+    #  - "9042:9042"
+    #  - "9142:9142"
+    command:
+      - /bin/bash
+      - -c
+      - |
+        /opt/cassandra/bin/cassandra -f -R > /cassandra.log &
+        /opt/cassandra/bin/cqlsh -u cassandra -p cassandra -e "CREATE KEYSPACE mqtt WITH REPLICATION = { 'class':'SimpleStrategy','replication_factor':1};"
+        while [[ $$? -ne 0 ]];do sleep 5; /opt/cassandra/bin/cqlsh -u cassandra -p cassandra -e "CREATE KEYSPACE mqtt WITH REPLICATION = { 'class':'SimpleStrategy','replication_factor':1};"; done
+        /opt/cassandra/bin/cqlsh -u cassandra -p cassandra -e "describe keyspaces;"
+        tail -f /cassandra.log
+    networks:
+      - emqx_bridge

.ci/docker-compose-file/docker-compose-couchbase.yaml

@@ -1,30 +0,0 @@
-version: '3.9'
-
-services:
-  couchbase:
-    container_name: couchbase
-    hostname: couchbase
-    image: ghcr.io/emqx/couchbase:1.0.0
-    restart: always
-    expose:
-      - 8091-8093
-    # ports:
-    #   - "8091-8093:8091-8093"
-    networks:
-      - emqx_bridge
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8093/admin/ping"]
-      interval: 30s
-      timeout: 5s
-      retries: 4
-    environment:
-      - CLUSTER=localhost
-      - USER=admin
-      - PASS=public
-      - PORT=8091
-      - RAMSIZEMB=2048
-      - RAMSIZEINDEXMB=512
-      - RAMSIZEFTSMB=512
-      - BUCKETS=mqtt
-      - BUCKETSIZES=100
-      - AUTOREBALANCE=true

.ci/docker-compose-file/docker-compose-dynamo.yaml

@@ -3,7 +3,7 @@ version: '3.9'
 services:
   dynamodb-local:
     container_name: dynamo 
-    image: public.ecr.aws/aws-dynamodb-local/aws-dynamodb-local:${DYNAMO_TAG}
+    image: amazon/dynamodb-local:${DYNAMO_TAG}
     restart: always
     ports:
       - "8000:8000"

.ci/docker-compose-file/docker-compose-elastic-search-tls.yaml

@@ -1,111 +0,0 @@
-version: "3.9"
-
-# hint: run the following if the container fails to start locally
-# sysctl -w vm.max_map_count=262144
-services:
-  setup:
-    image: public.ecr.aws/elastic/elasticsearch:${ELASTIC_TAG}
-    volumes:
-      - ./elastic:/usr/share/elasticsearch/config/certs
-    user: "0"
-    command: >
-      bash -c '
-        if [ x${ELASTIC_PASSWORD} == x ]; then
-          echo "Set the ELASTIC_PASSWORD environment variable in the .env file";
-          exit 1;
-        elif [ x${KIBANA_PASSWORD} == x ]; then
-          echo "Set the KIBANA_PASSWORD environment variable in the .env file";
-          exit 1;
-        fi;
-        echo "Setting file permissions"
-        chown -R root:root config/certs;
-        find . -type d -exec chmod 750 \{\} \;;
-        find . -type f -exec chmod 640 \{\} \;;
-        echo "Waiting for Elasticsearch availability";
-        until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
-        echo "Setting kibana_system password";
-        until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done;
-        echo "All done!";
-      '
-    healthcheck:
-      test: ["CMD-SHELL", "[ -f config/certs/ca/ca.crt ]"]
-      interval: 1s
-      timeout: 5s
-      retries: 120
-
-  es01:
-    depends_on:
-      setup:
-        condition: service_healthy
-    image: public.ecr.aws/elastic/elasticsearch:${ELASTIC_TAG}
-    container_name: elasticsearch
-    hostname: elasticsearch
-    volumes:
-      - ./elastic:/usr/share/elasticsearch/config/certs
-      - esdata01:/usr/share/elasticsearch/data
-    ports:
-      - 9200:9200
-    environment:
-      - node.name=es01
-      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
-      - bootstrap.memory_lock=true
-      - discovery.type=single-node
-      - xpack.security.enabled=true
-      - xpack.security.http.ssl.enabled=true
-      - xpack.security.http.ssl.key=certs/es01/es01.key
-      - xpack.security.http.ssl.certificate=certs/es01/es01.crt
-      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
-      - xpack.license.self_generated.type=${LICENSE}
-    mem_limit: 4G
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-    healthcheck:
-      test:
-        [
-          "CMD-SHELL",
-          "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
-        ]
-      interval: 10s
-      timeout: 10s
-      retries: 120
-    restart: always
-    networks:
-      - emqx_bridge
-
-  kibana:
-    depends_on:
-      es01:
-        condition: service_healthy
-    image: public.ecr.aws/elastic/kibana:${ELASTIC_TAG}
-    volumes:
-      - ./elastic:/usr/share/kibana/config/certs
-      - kibanadata:/usr/share/kibana/data
-    ports:
-      - 5601:5601
-    environment:
-      - SERVERNAME=kibana
-      - ELASTICSEARCH_HOSTS=https://es01:9200
-      - ELASTICSEARCH_USERNAME=kibana_system
-      - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
-      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
-    mem_limit: 1073741824
-    healthcheck:
-      test:
-        [
-          "CMD-SHELL",
-          "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",
-        ]
-      interval: 10s
-      timeout: 10s
-      retries: 120
-    restart: always
-    networks:
-      - emqx_bridge
-
-volumes:
-  esdata01:
-    driver: local
-  kibanadata:
-    driver: local

.ci/docker-compose-file/docker-compose-emqx-cluster.yaml

@@ -13,15 +13,13 @@ x-default-emqx: &default-emqx
 services:
   haproxy:
     container_name: haproxy
-    image: public.ecr.aws/docker/library/haproxy:2.4
+    image: haproxy:2.4
     depends_on:
       - emqx1
       - emqx2
     volumes:
       - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
-      - ../../apps/emqx/etc/certs/cert.pem:/usr/local/etc/haproxy/certs/cert.pem
-      - ../../apps/emqx/etc/certs/key.pem:/usr/local/etc/haproxy/certs/key.pem
-      - ../../apps/emqx/etc/certs/cacert.pem:/usr/local/etc/haproxy/certs/cacert.pem
+      - ../../apps/emqx/etc/certs:/usr/local/etc/haproxy/certs
     ports:
       - "18083:18083"
 #     - "1883:1883"
@@ -36,7 +34,7 @@ services:
       - -c
       - |
         set -x
-        cat /usr/local/etc/haproxy/certs/cert.pem /usr/local/etc/haproxy/certs/key.pem > /var/lib/haproxy/emqx.pem
+        cat /usr/local/etc/haproxy/certs/cert.pem /usr/local/etc/haproxy/certs/key.pem > /tmp/emqx.pem
         haproxy -f /usr/local/etc/haproxy/haproxy.cfg
 
   emqx1:

.ci/docker-compose-file/docker-compose-gcp-emulator.yaml

@@ -1,23 +0,0 @@
-version: '3.9'
-
-services:
-  gcp_emulator:
-    container_name: gcp_emulator
-    image: gcr.io/google.com/cloudsdktool/google-cloud-cli:435.0.1-emulators
-    restart: always
-    expose:
-      - "8085"
-    # ports:
-    #   - "8085:8085"
-    networks:
-      - emqx_bridge
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8085"]
-      interval: 30s
-      timeout: 5s
-      retries: 4
-    command:
-      - bash
-      - "-c"
-      - |
-        gcloud beta emulators pubsub start --project=emqx-pubsub --host-port=0.0.0.0:8085 --impersonate-service-account test@emqx.iam.gserviceaccount.com

.ci/docker-compose-file/docker-compose-greptimedb.yaml

@@ -1,22 +0,0 @@
-version: '3.9'
-
-services:
-  greptimedb:
-    container_name: greptimedb
-    hostname: greptimedb
-    image: greptime/greptimedb:v0.7.1
-    expose:
-      - "4000"
-      - "4001"
-    # uncomment for local testing
-    # ports:
-    #   - "4000:4000"
-    #   - "4001:4001"
-    restart: always
-    networks:
-      - emqx_bridge
-    command:
-      standalone start
-      --user-provider=static_user_provider:cmd:greptime_user=greptime_pwd
-      --http-addr="0.0.0.0:4000"
-      --rpc-addr="0.0.0.0:4001"

.ci/docker-compose-file/docker-compose-hstreamdb.yaml

@@ -1,132 +0,0 @@
-version: "3.5"
-
-services:
-  hserver:
-    image: hstreamdb/hstream:${HSTREAMDB_TAG}
-    container_name: hstreamdb
-    depends_on:
-      zookeeper:
-        condition: service_started
-      hstore:
-        condition: service_healthy
-    # ports:
-    #   - "127.0.0.1:6570:6570"
-    expose:
-      - 6570
-    networks:
-      - emqx_bridge
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - /tmp:/tmp
-      - data_store:/data/store
-    command:
-      - bash
-      - "-c"
-      - |
-        set -e
-        /usr/local/script/wait-for-storage.sh hstore 6440 zookeeper 2181 600 \
-        /usr/local/bin/hstream-server \
-        --bind-address 0.0.0.0 --port 6570 \
-        --internal-port 6571 \
-        --server-id 100 \
-        --seed-nodes "$$(hostname -I | awk '{print $$1}'):6571" \
-        --advertised-address $$(hostname -I | awk '{print $$1}') \
-        --metastore-uri zk://zookeeper:2181 \
-        --store-config /data/store/logdevice.conf \
-        --store-admin-host hstore --store-admin-port 6440 \
-        --store-log-level warning \
-        --io-tasks-path /tmp/io/tasks \
-        --io-tasks-network emqx_bridge
-
-  hstore:
-    image: hstreamdb/hstream:${HSTREAMDB_TAG}
-    networks:
-      - emqx_bridge
-    volumes:
-      - data_store:/data/store
-    command:
-      - bash
-      - "-c"
-      - |
-        set -ex
-        # N.B. "enable-dscp-reflection=false" is required for linux kernel which
-        # doesn't support dscp reflection, e.g. centos7.
-        /usr/local/bin/ld-dev-cluster --root /data/store \
-        --use-tcp --tcp-host $$(hostname -I | awk '{print $$1}') \
-        --user-admin-port 6440 \
-        --param enable-dscp-reflection=false \
-        --no-interactive \
-        > /data/store/hstore.log 2>&1
-    healthcheck:
-      test: ["CMD", "grep", "LogDevice Cluster running", "/data/store/hstore.log"]
-      interval: 10s
-      timeout: 10s
-      retries: 60
-      start_period: 60s
-
-  zookeeper:
-    image: zookeeper:${HSTREAMDB_ZK_TAG}
-    expose:
-      - 2181
-    networks:
-      - emqx_bridge
-    volumes:
-      - data_zk_data:/data
-      - data_zk_datalog:/datalog
-
-  ## The three container `hstream-exporter`, `prometheus`, `console`
-  ## is for HStreamDB Web Console
-  ## But HStreamDB Console is not supported in v0.15.0
-  ## because of HStreamApi proto changed
-  # hstream-exporter:
-  #   depends_on:
-  #     hserver:
-  #       condition: service_completed_successfully
-  #   image: hstreamdb/hstream-exporter
-  #   networks:
-  #     - hstream-quickstart
-  #   command:
-  #     - bash
-  #     - "-c"
-  #     - |
-  #       set -ex
-  #       hstream-exporter --addr hstream://hserver:6570
-
-  # prometheus:
-  #   image: prom/prometheus
-  #   expose:
-  #     - 9097
-  #   networks:
-  #     - hstream-quickstart
-  #   ports:
-  #     - "9097:9090"
-  #   volumes:
-  #     - $PWD/prometheus:/etc/prometheus
-
-  # console:
-  #   image: hstreamdb/hstream-console
-  #   depends_on:
-  #     - hserver
-  #   expose:
-  #     - 5177
-  #   networks:
-  #     - hstream-quickstart
-  #   environment:
-  #     - SERVER_PORT=5177
-  #     - PROMETHEUS_URL=http://prometheus:9097
-  #     - HSTREAM_PUBLIC_ADDRESS=hstream.example.com
-  #     - HSTREAM_PRIVATE_ADDRESS=hserver:6570
-  #   ports:
-  #     - "5177:5177"
-
-# networks:
-#   hstream-quickstart:
-#     name: hstream-quickstart
-
-volumes:
-  data_store:
-    name: quickstart_data_store
-  data_zk_data:
-    name: quickstart_data_zk_data
-  data_zk_datalog:
-    name: quickstart_data_zk_datalog

.ci/docker-compose-file/docker-compose-influxdb-tcp.yaml

@@ -3,7 +3,7 @@ version: '3.9'
 services:
   influxdb_server_tcp:
     container_name: influxdb_tcp
-    image: public.ecr.aws/docker/library/influxdb:${INFLUXDB_TAG}
+    image: influxdb:${INFLUXDB_TAG}
     expose:
       - "8086"
       - "8089/udp"

.ci/docker-compose-file/docker-compose-influxdb-tls.yaml

@@ -3,7 +3,7 @@ version: '3.9'
 services:
   influxdb_server_tls:
     container_name: influxdb_tls
-    image: public.ecr.aws/docker/library/influxdb:${INFLUXDB_TAG}
+    image: influxdb:${INFLUXDB_TAG}
     expose:
       - "8086"
       - "8089/udp"

.ci/docker-compose-file/docker-compose-iotdb.yaml

@@ -1,53 +1,24 @@
 version: '3.9'
 
 services:
-  iotdb_1_3_0:
-    container_name: iotdb130
-    hostname: iotdb130
-    image: apache/iotdb:1.3.0-standalone
-    restart: always
-    environment:
-      - enable_rest_service=true
-      - cn_internal_address=iotdb130
-      - cn_internal_port=10710
-      - cn_consensus_port=10720
-      - cn_seed_config_node=iotdb130:10710
-      - dn_rpc_address=iotdb130
-      - dn_internal_address=iotdb130
-      - dn_rpc_port=6667
-      - dn_mpp_data_exchange_port=10740
-      - dn_schema_region_consensus_port=10750
-      - dn_data_region_consensus_port=10760
-      - dn_seed_config_node=iotdb130:10710
-    # volumes:
-    #     - ./data:/iotdb/data
-    #     - ./logs:/iotdb/logs
-    expose:
-      - "18080"
-    # IoTDB's REST interface, uncomment for local testing
-    # ports:
-    #     - "18080:18080"
-    networks:
-      - emqx_bridge
-
-  iotdb_1_1_0:
-    container_name: iotdb110
-    hostname: iotdb110
+  iotdb:
+    container_name: iotdb
+    hostname: iotdb
     image: apache/iotdb:1.1.0-standalone
     restart: always
     environment:
       - enable_rest_service=true
-      - cn_internal_address=iotdb110
+      - cn_internal_address=iotdb
       - cn_internal_port=10710
       - cn_consensus_port=10720
-      - cn_target_config_node_list=iotdb110:10710
-      - dn_rpc_address=iotdb110
-      - dn_internal_address=iotdb110
+      - cn_target_config_node_list=iotdb:10710
+      - dn_rpc_address=iotdb
+      - dn_internal_address=iotdb
       - dn_rpc_port=6667
       - dn_mpp_data_exchange_port=10740
       - dn_schema_region_consensus_port=10750
       - dn_data_region_consensus_port=10760
-      - dn_target_config_node_list=iotdb110:10710
+      - dn_target_config_node_list=iotdb:10710
     # volumes:
     #     - ./data:/iotdb/data
     #     - ./logs:/iotdb/logs
@@ -58,33 +29,3 @@ services:
     #     - "18080:18080"
     networks:
       - emqx_bridge
-
-  iotdb_0_13:
-    container_name: iotdb013
-    hostname: iotdb013
-    image: apache/iotdb:0.13.4-node
-    restart: always
-    environment:
-      - enable_rest_service=true
-      - cn_internal_address=iotdb013
-      - cn_internal_port=10710
-      - cn_consensus_port=10720
-      - cn_target_config_node_list=iotdb013:10710
-      - dn_rpc_address=iotdb013
-      - dn_internal_address=iotdb013
-      - dn_rpc_port=6667
-      - dn_mpp_data_exchange_port=10740
-      - dn_schema_region_consensus_port=10750
-      - dn_data_region_consensus_port=10760
-      - dn_target_config_node_list=iotdb013:10710
-    volumes:
-      - ./iotdb013/iotdb-rest.properties:/iotdb/conf/iotdb-rest.properties
-    #     - ./data:/iotdb/data
-    #     - ./logs:/iotdb/logs
-    expose:
-      - "18080"
-    # IoTDB's REST interface, uncomment for local testing
-    # ports:
-    #     - "18080:18080"
-    networks:
-      - emqx_bridge

.ci/docker-compose-file/docker-compose-kafka.yaml

@@ -2,7 +2,7 @@ version: '3.9'
 
 services:
   zookeeper:
-    image: public.ecr.aws/docker/library/zookeeper:3.6
+    image: docker.io/library/zookeeper:3.6
     ports:
       - "2181:2181"
     container_name: zookeeper
@@ -18,7 +18,7 @@ services:
       - /tmp/emqx-ci/emqx-shared-secret:/var/lib/secret
   kdc:
     hostname: kdc.emqx.net
-    image:  ghcr.io/emqx/emqx-builder/5.3-9:1.15.7-26.2.5-3-ubuntu22.04
+    image:  ghcr.io/emqx/emqx-builder/5.0-33:1.13.4-24.3.4.2-3-ubuntu20.04
     container_name: kdc.emqx.net
     expose:
       - 88 # kdc

.ci/docker-compose-file/docker-compose-kinesis.yaml

@@ -1,12 +0,0 @@
-version: '3.9'
-
-services:
-  kinesis:
-    container_name: kinesis
-    image: public.ecr.aws/localstack/localstack:2.1
-    environment:
-      - KINESIS_ERROR_PROBABILITY=0.0
-      - KINESIS_LATENCY=0
-    restart: always
-    networks:
-      - emqx_bridge

.ci/docker-compose-file/docker-compose-ldap-tcp.yaml

@@ -0,0 +1,16 @@
+version: '3.9'
+
+services:
+  ldap_server:
+    container_name: ldap
+    build:
+      context: ../..
+      dockerfile: .ci/docker-compose-file/openldap/Dockerfile
+      args: 
+        LDAP_TAG: ${LDAP_TAG}
+    image: openldap 
+    ports:
+      - 389:389
+    restart: always
+    networks:
+      - emqx_bridge

.ci/docker-compose-file/docker-compose-ldap.yaml

@@ -1,18 +0,0 @@
-version: '3.9'
-
-services:
-  ldap_server:
-    container_name: ldap
-    build:
-      context: ../..
-      dockerfile: .ci/docker-compose-file/openldap/Dockerfile
-    ulimits:
-      nofile: 1024
-    image: openldap
-    #ports:
-    #  - "389:389"
-    volumes:
-      - ./certs/ca.crt:/etc/certs/ca.crt
-    restart: always
-    networks:
-      - emqx_bridge

.ci/docker-compose-file/docker-compose-minio-tcp.yaml

@@ -1,21 +0,0 @@
-version: '3.7'
-
-services:
-  minio:
-    hostname: minio
-    image: quay.io/minio/minio:${MINIO_TAG}
-    command: server --address ":9000" --console-address ":9001" /minio-data
-    expose:
-      - "9000"
-      - "9001"
-    ports:
-      - "9000:9000"
-      - "9001:9001"
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
-      interval: 30s
-      timeout: 5s
-      retries: 3
-    networks:
-      emqx_bridge:
-

.ci/docker-compose-file/docker-compose-minio-tls.yaml

@@ -1,23 +0,0 @@
-version: '3.7'
-
-services:
-  minio_tls:
-    hostname: minio-tls
-    image: quay.io/minio/minio:${MINIO_TAG}
-    command: server --certs-dir /etc/certs --address ":9100" --console-address ":9101" /minio-data
-    volumes:
-      - ./certs/server.crt:/etc/certs/public.crt
-      - ./certs/server.key:/etc/certs/private.key
-    expose:
-      - "9100"
-      - "9101"
-    ports:
-      - "9100:9100"
-      - "9101:9101"
-    healthcheck:
-      test: ["CMD", "curl", "-k", "-f", "https://localhost:9100/minio/health/live"]
-      interval: 30s
-      timeout: 5s
-      retries: 3
-    networks:
-      emqx_bridge:

.ci/docker-compose-file/docker-compose-mongo-replicaset-tcp.yaml

@@ -4,7 +4,7 @@ services:
   mongo1:
     hostname: mongo1
     container_name: mongo1
-    image: public.ecr.aws/docker/library/mongo:${MONGO_TAG}
+    image: mongo:${MONGO_TAG}
     environment:
       MONGO_INITDB_DATABASE: mqtt
     networks:
@@ -22,7 +22,7 @@ services:
   mongo2:
     hostname: mongo2
     container_name: mongo2
-    image: public.ecr.aws/docker/library/mongo:${MONGO_TAG}
+    image: mongo:${MONGO_TAG}
     environment:
       MONGO_INITDB_DATABASE: mqtt
     networks:
@@ -40,7 +40,7 @@ services:
   mongo3:
     hostname: mongo3
     container_name: mongo3
-    image: public.ecr.aws/docker/library/mongo:${MONGO_TAG}
+    image: mongo:${MONGO_TAG}
     environment:
       MONGO_INITDB_DATABASE: mqtt
     networks:
@@ -56,7 +56,7 @@ services:
       --replSet rs0
 
   mongo_rs_client:
-    image: public.ecr.aws/docker/library/mongo:${MONGO_TAG}
+    image: mongo:${MONGO_TAG}
     container_name: mongo_rs_client
     networks:
       - emqx_bridge

.ci/docker-compose-file/docker-compose-mongo-replicaset-tls.yaml

@@ -4,7 +4,7 @@ services:
   mongo1:
     hostname: mongo1
     container_name: mongo1
-    image: public.ecr.aws/docker/library/mongo:${MONGO_TAG}
+    image: mongo:${MONGO_TAG}
     environment:
       MONGO_INITDB_DATABASE: mqtt
     networks:
@@ -27,7 +27,7 @@ services:
   mongo2:
     hostname: mongo2
     container_name: mongo2
-    image: public.ecr.aws/docker/library/mongo:${MONGO_TAG}
+    image: mongo:${MONGO_TAG}
     environment:
       MONGO_INITDB_DATABASE: mqtt
     networks:
@@ -50,7 +50,7 @@ services:
   mongo3:
     hostname: mongo3
     container_name: mongo3
-    image: public.ecr.aws/docker/library/mongo:${MONGO_TAG}
+    image: mongo:${MONGO_TAG}
     environment:
       MONGO_INITDB_DATABASE: mqtt
     networks:
@@ -71,7 +71,7 @@ services:
         mongod --ipv6 --bind_ip_all --tlsMode requireTLS --tlsCertificateKeyFile /etc/certs/mongodb.pem --replSet rs0
       
   mongo_client:
-    image: public.ecr.aws/docker/library/mongo:${MONGO_TAG}
+    image: mongo:${MONGO_TAG}
     container_name: mongo_client
     networks:
       - emqx_bridge

.ci/docker-compose-file/docker-compose-mongo-sharded-tcp.yaml

@@ -4,7 +4,7 @@ services:
   mongosharded1:
     hostname: mongosharded1
     container_name: mongosharded1
-    image: public.ecr.aws/docker/library/mongo:${MONGO_TAG}
+    image: mongo:${MONGO_TAG}
     environment:
       MONGO_INITDB_DATABASE: mqtt
     networks:
@@ -24,7 +24,7 @@ services:
   mongosharded2:
     hostname: mongosharded2
     container_name: mongosharded2
-    image: public.ecr.aws/docker/library/mongo:${MONGO_TAG}
+    image: mongo:${MONGO_TAG}
     environment:
       MONGO_INITDB_DATABASE: mqtt
     networks:
@@ -44,7 +44,7 @@ services:
   mongosharded3:
     hostname: mongosharded3
     container_name: mongosharded3
-    image: public.ecr.aws/docker/library/mongo:${MONGO_TAG}
+    image: mongo:${MONGO_TAG}
     environment:
       MONGO_INITDB_DATABASE: mqtt
     networks:
@@ -62,7 +62,7 @@ services:
       --bind_ip_all
 
   mongosharded_client:
-    image: public.ecr.aws/docker/library/mongo:${MONGO_TAG}
+    image: mongo:${MONGO_TAG}
     container_name: mongosharded_client
     networks:
       - emqx_bridge

.ci/docker-compose-file/docker-compose-mongo-single-tcp.yaml

@@ -3,15 +3,12 @@ version: '3.9'
 services:
   mongo_server:
     container_name: mongo
-    image: public.ecr.aws/docker/library/mongo:${MONGO_TAG}
+    image: mongo:${MONGO_TAG}
     restart: always
     networks:
       - emqx_bridge
     ports:
       - "27017:27017"
-    env_file:
-      - .env
-      - credentials.env
     command:
       --ipv6
       --bind_ip_all

.ci/docker-compose-file/docker-compose-mongo-single-tls.yaml

@@ -3,7 +3,7 @@ version: '3.9'
 services:
   mongo_server_tls:
     container_name: mongo-tls
-    image: public.ecr.aws/docker/library/mongo:${MONGO_TAG}
+    image: mongo:${MONGO_TAG}
     restart: always
     environment:
       MONGO_INITDB_DATABASE: mqtt

.ci/docker-compose-file/docker-compose-mysql-tcp.yaml

@@ -3,7 +3,7 @@ version: '3.9'
 services:
   mysql_server:
     container_name: mysql
-    image: public.ecr.aws/docker/library/mysql:${MYSQL_TAG}
+    image: mysql:${MYSQL_TAG}
     restart: always
     ports:
       - "3306:3306"

.ci/docker-compose-file/docker-compose-mysql-tls.yaml

@@ -3,7 +3,7 @@ version: '3.9'
 services:
   mysql_server_tls:
     container_name: mysql-tls
-    image: public.ecr.aws/docker/library/mysql:${MYSQL_TAG}
+    image: mysql:${MYSQL_TAG}
     restart: always
     environment:
       MYSQL_ROOT_PASSWORD: public

.ci/docker-compose-file/docker-compose-otel.yaml

@@ -1,69 +0,0 @@
-version: '3.9'
-
-services:
-  jaeger-all-in-one:
-    image: jaegertracing/all-in-one:1.51.0
-    container_name: jaeger.emqx.net
-    hostname: jaeger.emqx.net
-    networks:
-      - emqx_bridge
-    restart: always
-#    ports:
-#      - "16686:16686"
-    user: "${DOCKER_USER:-root}"
-
-  # Collector
-  otel-collector:
-    image: otel/opentelemetry-collector:0.90.0
-    container_name: otel-collector.emqx.net
-    hostname: otel-collector.emqx.net
-    networks:
-      - emqx_bridge
-    restart: always
-    command: ["--config=/etc/otel-collector-config.yaml", "${OTELCOL_ARGS}"]
-    volumes:
-      - ./otel:/etc/
-#    ports:
-#      - "1888:1888"   # pprof extension
-#      - "8888:8888"   # Prometheus metrics exposed by the collector
-#      - "8889:8889"   # Prometheus exporter metrics
-#      - "13133:13133" # health_check extension
-#      - "4317:4317"   # OTLP gRPC receiver
-#      - "4318:4318"   # OTLP http receiver
-#      - "55679:55679" # zpages extension
-    depends_on:
-      - jaeger-all-in-one
-    user: "${DOCKER_USER:-root}"
-
-
-# Collector
-  otel-collector-tls:
-    image: otel/opentelemetry-collector:0.90.0
-    container_name: otel-collector-tls.emqx.net
-    hostname: otel-collector-tls.emqx.net
-    networks:
-      - emqx_bridge
-    restart: always
-    command: ["--config=/etc/otel-collector-config-tls.yaml", "${OTELCOL_ARGS}"]
-    volumes:
-      - ./otel:/etc/
-      - ./certs:/etc/certs
- #   ports:
- #     - "14317:4317"   # OTLP gRPC receiver
-    depends_on:
-      - jaeger-all-in-one
-    user: "${DOCKER_USER:-root}"
-
-#networks:
-#  emqx_bridge:
-#    driver: bridge
-#    name: emqx_bridge
-#    enable_ipv6: true
-#    ipam:
-#      driver: default
-#      config:
-#        - subnet: 172.100.239.0/24
-#          gateway: 172.100.239.1
-#        - subnet: 2001:3200:3200::/64
-#          gateway: 2001:3200:3200::1
-#

.ci/docker-compose-file/docker-compose-pgsql-tcp.yaml

@@ -3,7 +3,7 @@ version: '3.9'
 services:
   pgsql_server:
     container_name: pgsql
-    image: public.ecr.aws/docker/library/postgres:${PGSQL_TAG}
+    image: postgres:${PGSQL_TAG}
     restart: always
     environment:
       POSTGRES_PASSWORD: public

.ci/docker-compose-file/docker-compose-pgsql-tls.yaml

@@ -8,7 +8,7 @@ services:
       dockerfile: ./pgsql/Dockerfile
       args:
         POSTGRES_USER: postgres
-        BUILD_FROM: public.ecr.aws/docker/library/postgres:${PGSQL_TAG}
+        BUILD_FROM: postgres:${PGSQL_TAG}
     image: emqx_pgsql:${PGSQL_TAG}
     restart: always
     environment:

.ci/docker-compose-file/docker-compose-python.yaml

@@ -3,7 +3,7 @@ version: '3.9'
 services:
   python:
     container_name: python
-    image: public.ecr.aws/docker/library/python:3.9.16-alpine3.18
+    image: python:3.7.2-alpine3.9
     depends_on:
       - emqx1
       - emqx2
@@ -12,3 +12,4 @@ services:
         emqx_bridge:
     volumes:
       - ./python:/scripts
+

.ci/docker-compose-file/docker-compose-rabbitmq.yaml

@@ -3,22 +3,15 @@ version: '3.9'
 services:
   rabbitmq:
     container_name: rabbitmq
-    image: public.ecr.aws/docker/library/rabbitmq:3.11-management
+    image: rabbitmq:3.11-management
 
     restart: always
     expose:
       - "15672"
       - "5672"
-      - "5671"
     # We don't want to take ports from the host
-    #ports:
+    # ports:
     #   - "15672:15672"
     #   - "5672:5672"
-    #   - "5671:5671"
-    volumes:
-      - ./certs/ca.crt:/opt/certs/ca.crt
-      - ./certs/server.crt:/opt/certs/server.crt
-      - ./certs/server.key:/opt/certs/server.key
-      - ./rabbitmq/20-tls.conf:/etc/rabbitmq/conf.d/20-tls.conf
     networks:
       - emqx_bridge

.ci/docker-compose-file/docker-compose-redis-cluster-tcp.yaml

@@ -3,7 +3,7 @@ services:
 
   redis-cluster-1: &redis-node
     container_name: redis-cluster-1
-    image: public.ecr.aws/docker/library/redis:${REDIS_TAG}
+    image: redis:${REDIS_TAG}
     volumes:
     - ./redis/cluster-tcp:/usr/local/etc/redis
     command: redis-server /usr/local/etc/redis/redis.conf

.ci/docker-compose-file/docker-compose-redis-cluster-tls.yaml

@@ -3,7 +3,7 @@ services:
 
   redis-cluster-tls-1: &redis-node
     container_name: redis-cluster-tls-1
-    image: public.ecr.aws/docker/library/redis:${REDIS_TAG}
+    image: redis:${REDIS_TAG}
     volumes:
     - ./redis/cluster-tls:/usr/local/etc/redis
     - ../../apps/emqx/etc/certs:/etc/certs

.ci/docker-compose-file/docker-compose-redis-sentinel-tcp.yaml

@@ -4,7 +4,7 @@ services:
 
   redis-sentinel-master:
     container_name: redis-sentinel-master
-    image: public.ecr.aws/docker/library/redis:${REDIS_TAG}
+    image: redis:${REDIS_TAG}
     volumes:
     - ./redis/sentinel-tcp:/usr/local/etc/redis
     command: redis-server /usr/local/etc/redis/master.conf
@@ -13,7 +13,7 @@ services:
 
   redis-sentinel-slave:
     container_name: redis-sentinel-slave
-    image: public.ecr.aws/docker/library/redis:${REDIS_TAG}
+    image: redis:${REDIS_TAG}
     volumes:
       - ./redis/sentinel-tcp:/usr/local/etc/redis
     command: redis-server /usr/local/etc/redis/slave.conf
@@ -24,7 +24,7 @@ services:
 
   redis-sentinel:
     container_name: redis-sentinel
-    image: public.ecr.aws/docker/library/redis:${REDIS_TAG}
+    image: redis:${REDIS_TAG}
     volumes:
       - ./redis/sentinel-tcp/sentinel-base.conf:/usr/local/etc/redis/sentinel-base.conf
     depends_on:

.ci/docker-compose-file/docker-compose-redis-sentinel-tls.yaml

@@ -4,7 +4,7 @@ services:
 
   redis-sentinel-tls-master:
     container_name: redis-sentinel-tls-master
-    image: public.ecr.aws/docker/library/redis:${REDIS_TAG}
+    image: redis:${REDIS_TAG}
     volumes:
       - ./redis/sentinel-tls:/usr/local/etc/redis
       - ../../apps/emqx/etc/certs:/etc/certs
@@ -14,7 +14,7 @@ services:
 
   redis-sentinel-tls-slave:
     container_name: redis-sentinel-tls-slave
-    image: public.ecr.aws/docker/library/redis:${REDIS_TAG}
+    image: redis:${REDIS_TAG}
     volumes:
       - ./redis/sentinel-tls:/usr/local/etc/redis
       - ../../apps/emqx/etc/certs:/etc/certs
@@ -26,7 +26,7 @@ services:
 
   redis-sentinel-tls:
     container_name: redis-sentinel-tls
-    image: public.ecr.aws/docker/library/redis:${REDIS_TAG}
+    image: redis:${REDIS_TAG}
     volumes:
       - ./redis/sentinel-tls/sentinel-base.conf:/usr/local/etc/redis/sentinel-base.conf
       - ../../apps/emqx/etc/certs:/etc/certs

.ci/docker-compose-file/docker-compose-redis-single-tcp.yaml

@@ -3,12 +3,13 @@ version: '3.9'
 services:
   redis_server:
     container_name: redis
-    image: public.ecr.aws/docker/library/redis:${REDIS_TAG}
-    volumes:
-      - ./redis/single-tcp:/usr/local/etc/redis/
+    image: redis:${REDIS_TAG}
     ports:
       - "6379:6379"
-    command: redis-server /usr/local/etc/redis/redis.conf
+    command:
+      - redis-server
+      - "--bind 0.0.0.0 ::"
+      - --requirepass public
     restart: always
     networks:
       - emqx_bridge

.ci/docker-compose-file/docker-compose-redis-single-tls.yaml

@@ -3,15 +3,23 @@ version: '3.9'
 services:
   redis_server_tls:
     container_name: redis-tls
-    image: public.ecr.aws/docker/library/redis:${REDIS_TAG}
+    image: redis:${REDIS_TAG}
     volumes:
       - ./certs/server.crt:/etc/certs/redis.crt
       - ./certs/server.key:/etc/certs/redis.key
       - ./certs/ca.crt:/etc/certs/ca.crt
-      - ./redis/single-tls:/usr/local/etc/redis
     ports:
       - "6380:6380"
-    command: redis-server /usr/local/etc/redis/redis.conf
+    command:
+      - redis-server
+      - "--bind 0.0.0.0 ::"
+      - --requirepass public
+      - --tls-port 6380
+      - --tls-cert-file /etc/certs/redis.crt
+      - --tls-key-file /etc/certs/redis.key
+      - --tls-ca-cert-file /etc/certs/ca.crt
+      - --tls-protocols "TLSv1.3"
+      - --tls-ciphersuites "TLS_CHACHA20_POLY1305_SHA256"
     restart: always
     networks:
       emqx_bridge:

.ci/docker-compose-file/docker-compose-rocketmq-ssl.yaml

@@ -1,41 +0,0 @@
-version: '3.9'
-
-services:
-  mqnamesrvssl:
-    image: apache/rocketmq:4.9.4
-    container_name: rocketmq_namesrv_ssl
-#    ports:
-#      - 9876:9876
-    volumes:
-      - ./rocketmq/logs_ssl:/opt/logs
-      - ./rocketmq/store_ssl:/opt/store
-    environment:
-      JAVA_OPT: "-Dtls.server.mode=enforcing"
-    command: ./mqnamesrv
-    networks:
-      - emqx_bridge
-
-  mqbrokerssl:
-    image: apache/rocketmq:4.9.4
-    container_name: rocketmq_broker_ssl
-#    ports:
-#      - 10909:10909
-#      - 10911:10911
-    volumes:
-      - ./rocketmq/logs_ssl:/opt/logs
-      - ./rocketmq/store_ssl:/opt/store
-      - ./rocketmq/conf_ssl/broker.conf:/etc/rocketmq/broker.conf
-      - ./rocketmq/conf_ssl/plain_acl.yml:/home/rocketmq/rocketmq-4.9.4/conf/plain_acl.yml
-    environment:
-        NAMESRV_ADDR: "rocketmq_namesrv_ssl:9876"
-        JAVA_OPTS: " -Duser.home=/opt -Drocketmq.broker.diskSpaceWarningLevelRatio=0.99"
-        JAVA_OPT_EXT: "-server -Xms512m -Xmx512m -Xmn512m -Dtls.server.mode=enforcing"
-    command: ./mqbroker -c /etc/rocketmq/broker.conf
-    depends_on:
-      - mqnamesrvssl
-    networks:
-      - emqx_bridge
-
-networks:
-  emqx_bridge:
-    driver: bridge

.ci/docker-compose-file/docker-compose-rocketmq.yaml

@@ -23,7 +23,6 @@ services:
       - ./rocketmq/logs:/opt/logs
       - ./rocketmq/store:/opt/store
       - ./rocketmq/conf/broker.conf:/etc/rocketmq/broker.conf
-      - ./rocketmq/conf/plain_acl.yml:/home/rocketmq/rocketmq-4.9.4/conf/plain_acl.yml
     environment:
         NAMESRV_ADDR: "rocketmq_namesrv:9876"
         JAVA_OPTS: " -Duser.home=/opt -Drocketmq.broker.diskSpaceWarningLevelRatio=0.99"

.ci/docker-compose-file/docker-compose-toxiproxy.yaml

@@ -13,51 +13,21 @@ services:
     volumes:
       - "./toxiproxy.json:/config/toxiproxy.json"
     ports:
-      # Toxiproxy management API
       - 8474:8474
-      # InfluxDB
       - 8086:8086
-      # InfluxDB TLS
       - 8087:8087
-      # SQL Server
       - 11433:1433
-      # MySQL
       - 13306:3306
-      # MySQL TLS
       - 13307:3307
-      # PostgreSQL
       - 15432:5432
-      # PostgreSQL TLS
       - 15433:5433
-      # TDEngine
       - 16041:6041
-      # DynamoDB
       - 18000:8000
-      # RocketMQ
       - 19876:9876
-      # Cassandra
       - 19042:9042
-      # Cassandra TLS
       - 19142:9142
-      # Cassandra No Auth
-      - 19043:9043
-      # Cassandra TLS No Auth
-      - 19143:9143
-      # S3
-      - 19000:19000
-      # S3 TLS
-      - 19100:19100
-      # IOTDB (3 total)
       - 14242:4242
       - 28080:18080
-      - 38080:38080
-      # HStreamDB
-      - 15670:5670
-      # Kinesis
-      - 4566:4566
-      # GreptimeDB
-      - 4000:4000
-      - 4001:4001
     command:
       - "-host=0.0.0.0"
       - "-config=/config/toxiproxy.json"

.ci/docker-compose-file/docker-compose.yaml

@@ -3,18 +3,17 @@ version: '3.9'
 services:
   erlang:
     container_name: erlang
-    image: ${DOCKER_CT_RUNNER_IMAGE:-ghcr.io/emqx/emqx-builder/5.3-9:1.15.7-26.2.5-3-ubuntu22.04}
+    image: ${DOCKER_CT_RUNNER_IMAGE:-ghcr.io/emqx/emqx-builder/5.0-33:1.13.4-24.3.4.2-3-ubuntu20.04}
     env_file:
-      - credentials.env
       - conf.env
     environment:
-      GITHUB_ACTIONS: ${GITHUB_ACTIONS:-}
-      GITHUB_TOKEN: ${GITHUB_TOKEN:-}
-      GITHUB_RUN_ID: ${GITHUB_RUN_ID:-}
-      GITHUB_SHA: ${GITHUB_SHA:-}
-      GITHUB_RUN_NUMBER: ${GITHUB_RUN_NUMBER:-}
-      GITHUB_EVENT_NAME: ${GITHUB_EVENT_NAME:-}
-      GITHUB_REF: ${GITHUB_REF:-}
+      GITHUB_ACTIONS: ${GITHUB_ACTIONS}
+      GITHUB_TOKEN: ${GITHUB_TOKEN}
+      GITHUB_RUN_ID: ${GITHUB_RUN_ID}
+      GITHUB_SHA: ${GITHUB_SHA}
+      GITHUB_RUN_NUMBER: ${GITHUB_RUN_NUMBER}
+      GITHUB_EVENT_NAME: ${GITHUB_EVENT_NAME}
+      GITHUB_REF: ${GITHUB_REF}
     networks:
       - emqx_bridge
     ports:

.ci/docker-compose-file/elastic/ca/ca.crt

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIVAIrN275DCtGnotTPpxwvQ5751N4OMA0GCSqGSIb3DQEB
-CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
-ZXJhdGVkIENBMB4XDTI0MDExNjAyMzIyMFoXDTI3MDExNTAyMzIyMFowNDEyMDAG
-A1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5lcmF0ZWQgQ0Ew
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCy0nwiEurUkIPFMLV1weVM
-pPk/AlwZUzqjkeL44gsY53XI9Q05w/sL9u6PzwrXgTCFWNXzI9+MoAtp8phPkn14
-cmg5/3sLe9YcFVFjYK/MoljlUbPDj+4dgk8l+w5FRSi0+JN5krUm7rYk9lojAkeS
-fX8RU7ekKGbjBXIFtPxX5GNadu9RidR5GkHM3XroAIoris8bFOzMgFn9iybYnkhq
-0S+Hpv0A8FVxzle0KNbPpsIkxXH2DnP2iPTDym9xJNl9Iv9MPtj9XaamH7TmXcSt
-MbjkAudKsCw4bRuhHonM16DIUr8sX5UcRcAWyJ1x1qpZaOzMdh2VdYAHNuOsZwzJ
-AgMBAAGjUzBRMB0GA1UdDgQWBBTAyDlp8NZfPe8NCGVlHJSVclGOhTAfBgNVHSME
-GDAWgBTAyDlp8NZfPe8NCGVlHJSVclGOhTAPBgNVHRMBAf8EBTADAQH/MA0GCSqG
-SIb3DQEBCwUAA4IBAQAeIUXRKmC53iirY4P49YspLafspAMf4ndMFQAp+Oc223Vs
-hQC4axNoYnUdzWDH6LioAN7P826xNPqtXvTZF9fmeX7K8Nm9Kdj+for+QQI3j6+X
-zq98VVkACb8b/Mc9Nac/WBbv/1IKyKgNNta7//WNPgAFolOfti/C0NLsPcKhrM9L
-mGbvRX8ZjH8pVJ0YTy4/xfDcF7G/Lxl4Yvb0ZXpuQbvE1+Y0h5aoTNshT/skJxC4
-iyVseYr21s3pptKcr6H9KZuSdZe5pbEo+81nT15w+50aswFLk9GCYh5UsQ+1jkRK
-cKgxP93i6x8BVbQJGKi1A1jhauSKX2IpWZQsHy4p
------END CERTIFICATE-----

.ci/docker-compose-file/elastic/ca/ca.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAstJ8IhLq1JCDxTC1dcHlTKT5PwJcGVM6o5Hi+OILGOd1yPUN
-OcP7C/buj88K14EwhVjV8yPfjKALafKYT5J9eHJoOf97C3vWHBVRY2CvzKJY5VGz
-w4/uHYJPJfsORUUotPiTeZK1Ju62JPZaIwJHkn1/EVO3pChm4wVyBbT8V+RjWnbv
-UYnUeRpBzN166ACKK4rPGxTszIBZ/Ysm2J5IatEvh6b9APBVcc5XtCjWz6bCJMVx
-9g5z9oj0w8pvcSTZfSL/TD7Y/V2mph+05l3ErTG45ALnSrAsOG0boR6JzNegyFK/
-LF+VHEXAFsidcdaqWWjszHYdlXWABzbjrGcMyQIDAQABAoIBAAZOLXYanmjpIRpX
-h7h7oikYEplWDRcQBBvvKZaOyuchhznTKTiZmF0xQ3Ny8J4Ndj9ndODWSZxI6uod
-FaGNp+qytwnfgDBVGSVDm6tyRfSkX1fTsA/j3/iupvmO/w9yezdZYgLaCVTyex31
-yVMdchZgYjYDUpEBYzJbV2xL18+GBRmmPjdXumlpcJqcclxjOQJSu/1WCGVfn/e/
-64NQpAm7NSKLqeUl32g0/DvUpmYRfmf7ZjVUjePaJQU6sw5/N+3V9F1hYs8VSWz0
-OMzYIfUcvixw+VWx5bu0nWt98FirhsQPjCTThD+DHP6koXGrdXpeMOQE1YZmoV5T
-vP0X+FECgYEA5dsKVDQFL67muqz3CNRVM0xDWACCoa8789hYoxvhd1iO3e4kwXBa
-ABPcZckioq+HiQ4UIxC2AhQ1FuTeIUTq7LZ0HtAAdKFi48U4LzmPhNUpG1E/HbJ3
-GQbi4u1cAzGYuhdywktgBhn9bJ4XB7+X3815Y9qKkuRcwtXgKGDy8HkCgYEAxyly
-vc7NBkLfIAmkOsm6VXfvfBTEUBUGi6+k1rarTUxWFIgRuk4FHywwWUTdxWBKJz3n
-HNNJb/g7CcufdhLTuWVHQtJDxYf2cJjoi+Kf7/i/Qs9Nyhokj5Mnh6KlZQOWXpZd
-Gwn/O13NeDxt1TIVO2xp6zY4FhVEPvaHuxsMCtECgYA7/eR/P6iO3nZoCJbdXhXy
-spftEw0FSCg8p53SzIcXUCzRrcM4HavP0181zb5VebzFP8Bvun/WoRGOLSPwyP0L
-1T8Pf7huuGSIEERuxvY3dC8raxQvGxJMnOiA0/Ss/Lfg8hfIsEWashPb0pMuOYpZ
-JlblgfejCSlQzOOZhlxB+QKBgQCKmizRLV9/0QAJAsy5YPR9UJdpCebJOKiyg806
-5Ct5AvwRE9UKjAuCczU+mu+f0fApOSpi5CQCeYVUvtG90UJpjrM2LLCfgoyeNbv4
-xgG6dqlcbHrdgK4bATUMbsOd9g4qy4gGLkHi5df9qkhhi5Y9Iajg2X3U2H4DN3yk
-WSFbUQKBgQCLz333qWOuT3OBv+EYxHDQUS4YG+dReUos+v0iPJzu+spnfibBF5IC
-RjHIhPsdN1byNB0naXOkkz4tUlLGXv6umFgDtQvy/2rxvxQmUGp/WY1VM2+164Xe
-NEWdMEU6UckCoMO77kw8JosKhmXCYaSW5bWwnXuEpOj9WWpwjKtxlA==
------END RSA PRIVATE KEY-----

.ci/docker-compose-file/elastic/es01/es01.crt

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQDCCAiigAwIBAgIUe90yOBN1KBxOEr2jro3epamZksIwDQYJKoZIhvcNAQEL
-BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
-cmF0ZWQgQ0EwHhcNMjQwMTE2MDIzMjIyWhcNMjcwMTE1MDIzMjIyWjAPMQ0wCwYD
-VQQDEwRlczAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxGEL71pV
-j8qoUxEuL7qjRSeS1eHxeKhu2jqEZb7iA1o/7b/26QuYAkoYL+WuJNfYjg5F/O8W
-VVuAYIlN6a/mC6wT2t3pX4YSrdp+i3gtAC/LX+8mAeqMQPD+4jitOwjOsYzbuFCb
-nYl86dnFPl/+Pmj20mtZ+Wt7oIPD88j6+r5qgv59pHICxS7Cq304LDTRQbNoT8HO
-4c9VGGGtWIdtrqiYrz1OVefkffMrvFt77v6dKHn8g5tSyfQUDCoEKtTOc3Pe5zCB
-vIMs6HaapoSkl8XdpFHQ712PCZRebAMCrVcPYQ3r8e9GYmLY/NhxEn3dWTqRhHeg
-UD13O8o1aBWonwIDAQABo28wbTAdBgNVHQ4EFgQUXvGJtSf2/mLOK17AzUridtCV
-xWwwHwYDVR0jBBgwFoAUwMg5afDWXz3vDQhlZRyUlXJRjoUwIAYDVR0RBBkwF4IJ
-bG9jYWxob3N0hwR/AAABggRlczAxMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQAD
-ggEBACaNq3ZqrbsGvbEtrf6kJGIsTokTFHeVJUSYmt1ZZzDFLSepXAC/J8gphV45
-B+YSlkDPNTwMYlf7TUYY872zkdqOXN9r0NUx8MzVAX0+rux0RJba5GGUvJGZDNMX
-WM5z9ry1KjQSQ1bSoRQOD3QArmBmhvikHjLc97Vqt56N0wA/ztXWOpNZX/TXmast
-aXlUbcfQE73Cdq9tW1ATXwbQ2Gf7vVAUT3zjZSZbNdgPuBicGJHf85Fhjm2ND4+R
-sjLIOQ2YgVxNHYbueScc6lJM5RNK194K7WrEQnRyGHT3NaDUm0FFNl//aQeq1ZVw
-6gaUYlkTFauXwEYMDK901cWFaBE=
------END CERTIFICATE-----

.ci/docker-compose-file/elastic/es01/es01.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAxGEL71pVj8qoUxEuL7qjRSeS1eHxeKhu2jqEZb7iA1o/7b/2
-6QuYAkoYL+WuJNfYjg5F/O8WVVuAYIlN6a/mC6wT2t3pX4YSrdp+i3gtAC/LX+8m
-AeqMQPD+4jitOwjOsYzbuFCbnYl86dnFPl/+Pmj20mtZ+Wt7oIPD88j6+r5qgv59
-pHICxS7Cq304LDTRQbNoT8HO4c9VGGGtWIdtrqiYrz1OVefkffMrvFt77v6dKHn8
-g5tSyfQUDCoEKtTOc3Pe5zCBvIMs6HaapoSkl8XdpFHQ712PCZRebAMCrVcPYQ3r
-8e9GYmLY/NhxEn3dWTqRhHegUD13O8o1aBWonwIDAQABAoIBADJ3A/Om4az5dcce
-96EBU9q+IDBBh2Wr1wzSk9p3sqoM47fLqH5b4dzYwJ1yZw2FwFtFFLw6jqExyexE
-7JY8gyAFwPZyJ3pKQHuX1gQuRlYxchB9quU8Kn230LA+w1mT2lXrLj2PzWWvAsAv
-m837KiFMpP0O5EjB07u8kLsRr1mG6QQ24Kc8oxd7xLXIiPzSvsOpYwo9hmIWENd5
-kyA7oSa9EmN3TRTkKOHI7cFQ3DqIGdO71waUofKOdx39DyHS2YKWxDE/LUjkS9zw
-1AyZG09l4uowyLRqwYhivEq9Za6rdc64yheuHatAM9kC2AOcVcsCPZquIe90k4t1
-L7e9CAECgYEA1W483xTW8ngzxv9MMuPiW+PwVGRpyQrbO6OZOxdWEYfhrZlk5wlW
-XK2T85jqooJwMWPTk1F49vZ9WN2KuLkL65GlkEtkFbxmOiFJjXuWwycbFSk05hPs
-4AESBYHieaSPcwYhvLeG6g4PFyeqmbAGnKsJaj2ylPwDBOc7LgVlqAECgYEA64wo
-gZwaj5SlP8M/OqGH04UVYr1kP/Eq6eiDfMyV5exy+pyzofZyNKUfJfw6sGgyRRHx
-OVxlnPMsZ8zbdOXsvUEIeavpwDfQcp5eAURL65I6GMLsx2QpfiN2mDe1MqQW0jct
-UleFaURgS84KHLE0+tBBg906jOHGjsE7Q3lyUJ8CgYBYYPev4K9JZGD8bEcfY6Ie
-Lvsb1yC+8VHrFkmjYHxxcfUPr89KpGEwq2fynUW72YufyBiajkgq69Ln84U4DNhU
-ydDnOXDOV191fsc4YQ8C7LSYRKH1DBcwgwD1at1fRbdpCAb8YHrrfLre+bv5PBzg
-zyps5fOHIfwWEbI90lpQAQKBgQDoMMqBMTtxi+r1lucOScrVtFuncOCQs5BE8cIj
-1JxzAQk6iBv/LSvZP2gcDq5f1Oaw9YXfsHguJfwA+ozeiAQ9bw0Gu3N52sstIXWz
-M/rO5d9FJ2k3CEJqqFSwqkGBAQXKBUA06jeF1DREpX+MVxbNo1rhvMOJusn7UPm1
-gtMwKwKBgQCfRzFO10ITwrw8rcRZwO9Axgqf11V7xn6qpgRxj4h0HOErVTCN1H0b
-vE3Pz7cxS/g9vFRP37TuqBLfGVzPt9LAEFwCWPeZJLROBLHyu8XrhTbQx+sI2/pe
-SBEJAQAHtYasFTE0sBEKNEY2rIt1c29XZhyhhtNKD9gRN/gB355wLg==
------END RSA PRIVATE KEY-----

.ci/docker-compose-file/elastic/instances.yml

@@ -1,7 +0,0 @@
-instances:
-   - name: es01
-     dns:
-       - es01
-       - localhost
-     ip:
-       - 127.0.0.1

.ci/docker-compose-file/haproxy/haproxy.cfg

@@ -83,13 +83,13 @@ backend emqx_ws_back
 frontend emqx_ssl
     mode tcp
     option tcplog
-    bind *:8883 ssl crt /var/lib/haproxy/emqx.pem ca-file /usr/local/etc/haproxy/certs/cacert.pem verify required no-sslv3
+    bind *:8883 ssl crt /tmp/emqx.pem ca-file /usr/local/etc/haproxy/certs/cacert.pem verify required no-sslv3
     default_backend emqx_ssl_back
 
 frontend emqx_wss
     mode tcp
     option tcplog
-    bind *:8084 ssl crt /var/lib/haproxy/emqx.pem ca-file /usr/local/etc/haproxy/certs/cacert.pem verify required no-sslv3
+    bind *:8084 ssl crt /tmp/emqx.pem ca-file /usr/local/etc/haproxy/certs/cacert.pem verify required no-sslv3
     default_backend emqx_wss_back
 
 backend emqx_ssl_back

.ci/docker-compose-file/iotdb013/iotdb-rest.properties

@@ -1,58 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-####################
-### REST Service Configuration
-####################
-
-# Is the REST service enabled
-enable_rest_service=true
-
-# the binding port of the REST service
-# rest_service_port=18080
-
-# the default row limit to a REST query response when the rowSize parameter is not given in request
-# rest_query_default_row_size_limit=10000
-
-# the expiration time of the user login information cache (in seconds)
-# cache_expire_in_seconds=28800
-
-# maximum number of users can be stored in the user login cache.
-# cache_max_num=100
-
-# init capacity of users can be stored in the user login cache.
-# cache_init_num=10
-
-# is SSL enabled
-# enable_https=false
-
-# SSL key store path
-# key_store_path=
-
-# SSL key store password
-# key_store_pwd=
-
-# SSL trust store path
-# trust_store_path=
-
-# SSL trust store password.
-# trust_store_pwd=
-
-# SSL timeout (in seconds)
-# idle_timeout_in_seconds=50000

.ci/docker-compose-file/kafka/kafka-entrypoint.sh

@@ -49,9 +49,6 @@ echo "+++++++ Creating Kafka Topics ++++++++"
 # there seem to be a race condition when creating the topics (too early)
 env KAFKA_CREATE_TOPICS="$KAFKA_CREATE_TOPICS_NG" KAFKA_PORT="$PORT1" create-topics.sh
 
-# create a topic with max.message.bytes=100
-/opt/kafka/bin/kafka-topics.sh --create --bootstrap-server "${SERVER}:${PORT1}" --topic max-100-bytes --partitions 1 --replication-factor 1 --config max.message.bytes=100
-
 echo "+++++++ Wait until Kafka ports are down ++++++++"
 
 bash -c 'while printf "" 2>>/dev/null >>/dev/tcp/$0/$1; do sleep 1; done' $SERVER $PORT1

.ci/docker-compose-file/openldap/Dockerfile

@@ -1,11 +1,18 @@
-FROM docker.io/zmstone/openldap:2.5.16@sha256:a813922115a1d1f1b974399595921d1778fae22b3f1ee15dcfa8cfa89700dbc7
+FROM buildpack-deps:stretch
+
+ARG LDAP_TAG=2.4.50
+
+RUN apt-get update && apt-get install -y groff groff-base
+RUN wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-${LDAP_TAG}.tgz \
+    && gunzip -c openldap-${LDAP_TAG}.tgz | tar xvfB - \
+    && cd openldap-${LDAP_TAG} \
+    && ./configure && make depend && make && make install \
+    && cd .. && rm -rf  openldap-${LDAP_TAG}
 
 COPY .ci/docker-compose-file/openldap/slapd.conf /usr/local/etc/openldap/slapd.conf
-COPY apps/emqx_ldap/test/data/emqx.io.ldif /usr/local/etc/openldap/schema/emqx.io.ldif
-COPY apps/emqx_ldap/test/data/emqx.schema /usr/local/etc/openldap/schema/emqx.schema
-COPY .ci/docker-compose-file/certs/ca.crt /usr/local/etc/openldap/cacert.pem
-COPY .ci/docker-compose-file/certs/server.crt /usr/local/etc/openldap/cert.pem
-COPY .ci/docker-compose-file/certs/server.key /usr/local/etc/openldap/key.pem
+COPY apps/emqx_authn/test/data/emqx.io.ldif /usr/local/etc/openldap/schema/emqx.io.ldif
+COPY apps/emqx_authn/test/data/emqx.schema /usr/local/etc/openldap/schema/emqx.schema
+COPY apps/emqx_authn/test/data/certs/*.pem /usr/local/etc/openldap/
 
 RUN mkdir -p /usr/local/etc/openldap/data \
     && slapadd -l /usr/local/etc/openldap/schema/emqx.io.ldif -f /usr/local/etc/openldap/slapd.conf

.ci/docker-compose-file/openldap/README.md

@@ -1,61 +0,0 @@
-# LDAP authentication
-
-To run manual tests with the default docker-compose files.
-
-Expose openldap container port by uncommenting the `ports` config in `docker-compose-ldap.yaml `
-
-To start openldap:
-
-```
-docker-compose -f ./.ci/docker-compose-file/docker-compose.yaml -f ./.ci/docker-compose-file/docker-compose-ldap.yaml up -docker
-```
-
-## LDAP database
-
-LDAP database is populated from below files:
-```
-apps/emqx_ldap/test/data/emqx.io.ldif /usr/local/etc/openldap/schema/emqx.io.ldif
-apps/emqx_ldap/test/data/emqx.schema /usr/local/etc/openldap/schema/emqx.schema
-```
-
-## Minimal EMQX config
-
-```
-authentication = [
-  {
-    backend = ldap
-    base_dn = "uid=${username},ou=testdevice,dc=emqx,dc=io"
-    filter = "(& (objectClass=mqttUser) (uid=${username}))"
-    mechanism = password_based
-    method {
-      is_superuser_attribute = isSuperuser
-      password_attribute = userPassword
-      type = hash
-    }
-    password = public
-    pool_size = 8
-    query_timeout = "5s"
-    request_timeout = "10s"
-    server = "localhost:1389"
-    username = "cn=root,dc=emqx,dc=io"
-  }
-]
-```
-
-## Example ldapsearch command
-
-```
-ldapsearch -x -H ldap://localhost:389 -D "cn=root,dc=emqx,dc=io" -W -b "uid=mqttuser0007,ou=testdevice,dc=emqx,dc=io" "(&(objectClass=mqttUser)(uid=mqttuser0007))"
-```
-
-## Example mqttx command
-
-The client password hashes are generated from their username.
-
-```
-# disabled user
-mqttx pub -t 't/1' -h localhost -p 1883 -m x -u mqttuser0006 -P mqttuser0006
-
-# enabled super-user
-mqttx pub -t 't/1' -h localhost -p 1883 -m x -u mqttuser0007 -P mqttuser0007
-```

.ci/docker-compose-file/openldap/slapd.conf

@@ -1,13 +1,14 @@
 include         /usr/local/etc/openldap/schema/core.schema
 include         /usr/local/etc/openldap/schema/cosine.schema
 include         /usr/local/etc/openldap/schema/inetorgperson.schema
+include         /usr/local/etc/openldap/schema/ppolicy.schema
 include         /usr/local/etc/openldap/schema/emqx.schema
 
 TLSCACertificateFile  /usr/local/etc/openldap/cacert.pem
 TLSCertificateFile    /usr/local/etc/openldap/cert.pem
 TLSCertificateKeyFile /usr/local/etc/openldap/key.pem
 
-database mdb
+database bdb
 suffix "dc=emqx,dc=io"
 rootdn "cn=root,dc=emqx,dc=io"
 rootpw {SSHA}eoF7NhNrejVYYyGHqnt+MdKNBh4r1w3W

.ci/docker-compose-file/otel/.gitignore

@@ -1,6 +0,0 @@
-certs
-hostname
-hosts
-otel-collector.json
-otel-collector-tls.json
-resolv.conf

.ci/docker-compose-file/otel/otel-collector-config-tls.yaml

@@ -1,52 +0,0 @@
-receivers:
-  otlp:
-    protocols:
-      grpc:
-        tls:
-          ca_file: /etc/certs/ca.crt
-          cert_file: /etc/certs/server.crt
-          key_file: /etc/certs/server.key
-      http:
-        tls:
-          ca_file: /etc/certs/ca.crt
-          cert_file: /etc/certs/server.crt
-          key_file: /etc/certs/server.key
-
-exporters:
-  logging:
-    verbosity: detailed
-  otlp:
-    endpoint: jaeger.emqx.net:4317
-    tls:
-      insecure: true
-  debug:
-    verbosity: detailed
-  file:
-    path: /etc/otel-collector-tls.json
-
-
-processors:
-  batch:
-    # send data immediately
-    timeout: 0
-
-extensions:
-  health_check:
-  zpages:
-    endpoint: :55679
-
-service:
-  extensions: [zpages, health_check]
-  pipelines:
-    traces:
-      receivers: [otlp]
-      processors: [batch]
-      exporters: [logging, otlp]
-    metrics:
-      receivers: [otlp]
-      processors: [batch]
-      exporters: [logging]
-    logs:
-      receivers: [otlp]
-      processors: [batch]
-      exporters: [logging, file]

.ci/docker-compose-file/otel/otel-collector-config.yaml

@@ -1,51 +0,0 @@
-receivers:
-  otlp:
-    protocols:
-      grpc:
-        tls:
-#          ca_file: /etc/ca.pem
-#          cert_file: /etc/server.pem
-#          key_file: /etc/server.key
-      http:
-        tls:
-#          ca_file: /etc/ca.pem
-#          cert_file: /etc/server.pem
-#          key_file: /etc/server.key
-
-exporters:
-  logging:
-    verbosity: detailed
-  otlp:
-    endpoint: jaeger.emqx.net:4317
-    tls:
-      insecure: true
-  debug:
-    verbosity: detailed
-  file:
-    path: /etc/otel-collector.json
-
-processors:
-  batch:
-    # send data immediately
-    timeout: 0
-
-extensions:
-  health_check:
-  zpages:
-    endpoint: :55679
-
-service:
-  extensions: [zpages, health_check]
-  pipelines:
-    traces:
-      receivers: [otlp]
-      processors: [batch]
-      exporters: [logging, otlp]
-    metrics:
-      receivers: [otlp]
-      processors: [batch]
-      exporters: [logging]
-    logs:
-      receivers: [otlp]
-      processors: [batch]
-      exporters: [logging, file]

.ci/docker-compose-file/pgsql/Dockerfile

@@ -1,4 +1,4 @@
-ARG BUILD_FROM=public.ecr.aws/docker/library/postgres:13@sha256:fa69de30d02652cfdfb68166692e5186f6972c17f83c89c71ac8ff0916d46ae3
+ARG BUILD_FROM=postgres:13
 FROM ${BUILD_FROM}
 ARG POSTGRES_USER=postgres
 COPY --chown=$POSTGRES_USER ./pgsql/pg_hba_tls.conf /var/lib/postgresql/pg_hba.conf

.ci/docker-compose-file/python/pytest.sh

@@ -6,9 +6,6 @@
 set -x
 set +e
 
-# shellcheck disable=SC3028 disable=SC3054
-SCRIPT_DIR="$( dirname -- "$( readlink -f -- "$0"; )"; )"
-
 EMQX_TEST_DB_BACKEND=$1
 if [ "$EMQX_TEST_DB_BACKEND" = "rlog" ]
 then
@@ -21,14 +18,13 @@ else
 fi
 
 apk update && apk add git curl
-git clone -b develop-5.0 https://github.com/emqx/paho.mqtt.testing.git /paho.mqtt.testing
+git clone -b develop-4.0 https://github.com/emqx/paho.mqtt.testing.git /paho.mqtt.testing
+pip install pytest==6.2.5
 
-pip install --require-hashes -r "$SCRIPT_DIR/requirements.txt"
-
-pytest --retries 3 -v /paho.mqtt.testing/interoperability/test_client/V5/test_connect.py -k test_basic --host "$TARGET_HOST"
+pytest -v /paho.mqtt.testing/interoperability/test_client/V5/test_connect.py -k test_basic --host "$TARGET_HOST"
 RESULT=$?
 
-pytest --retries 3 -v /paho.mqtt.testing/interoperability/test_client --host "$TARGET_HOST"
+pytest -v /paho.mqtt.testing/interoperability/test_client --host "$TARGET_HOST"
 RESULT=$(( RESULT + $? ))
 
 # pytest -v /paho.mqtt.testing/interoperability/test_cluster --host1 "node1.emqx.io" --host2 "node2.emqx.io"

.ci/docker-compose-file/python/requirements.txt

@@ -1,21 +0,0 @@
-pytest-retry==1.6.1 \
-    --hash=sha256:3d420afc08e61ed3be28ecbb544371041b1b8e5fea7c94eb97cefa0d4ea9825c \
-    --hash=sha256:3d663159a9be4d6878705822cf27a0976f99ec1bc4f2d9494e80403b17f700f2
-pytest==7.4.4 \
-    --hash=sha256:2cf0005922c6ace4a3e2ec8b4080eb0d9753fdc93107415332f50ce9e7994280 \
-    --hash=sha256:b090cdf5ed60bf4c45261be03239c2c1c22df034fbffe691abe93cd80cea01d8
-pluggy==1.3.0 \
-    --hash=sha256:cf61ae8f126ac6f7c451172cf30e3e43d3ca77615509771b3a984a0730651e12 \
-    --hash=sha256:d89c696a773f8bd377d18e5ecda92b7a3793cbe66c87060a6fb58c7b6e1061f7
-iniconfig==2.0.0 \
-    --hash=sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3 \
-    --hash=sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374
-tomli==2.0.1 \
-    --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \
-    --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f
-exceptiongroup==1.2.0 \
-    --hash=sha256:4bfd3996ac73b41e9b9628b04e079f193850720ea5945fc96a08633c66912f14 \
-    --hash=sha256:91f5c769735f051a4290d52edd0858999b57e5876e9f85937691bd4c9fa3ed68
-packaging==23.2 \
-    --hash=sha256:048fb0e9405036518eaaf48a55953c750c11e1a1b68e0dd1a9d62ed0c092cfc5 \
-    --hash=sha256:8c491190033a9af7e1d931d0b5dacc2ef47509b34dd0de67ed209b5203fc88c7

.ci/docker-compose-file/rabbitmq/20-tls.conf

@@ -1,7 +0,0 @@
-listeners.ssl.default = 5671
-
-ssl_options.cacertfile = /opt/certs/ca.crt
-ssl_options.certfile   = /opt/certs/server.crt
-ssl_options.keyfile    = /opt/certs/server.key
-ssl_options.verify     = verify_peer
-ssl_options.fail_if_no_peer_cert = true

.ci/docker-compose-file/redis/cluster-tcp/redis.conf

@@ -1,11 +1,10 @@
 bind :: 0.0.0.0
 port 6379
+requirepass public
 
 cluster-enabled yes
 
-masteruser default
 masterauth public
-aclfile /usr/local/etc/redis/users.acl
 
 protected-mode no
 daemonize no

.ci/docker-compose-file/redis/cluster-tcp/users.acl

@@ -1,2 +0,0 @@
-user default on >public ~* &* +@all
-user test_user on >test_passwd ~* &* +@all

.ci/docker-compose-file/redis/cluster-tls/redis.conf

@@ -1,11 +1,10 @@
 bind :: 0.0.0.0
 port 6379
+requirepass public
 
 cluster-enabled yes
 
-masteruser default
 masterauth public
-aclfile /usr/local/etc/redis/users.acl
 
 tls-port 6389
 tls-cert-file /etc/certs/cert.pem

.ci/docker-compose-file/redis/cluster-tls/users.acl

@@ -1,2 +0,0 @@
-user default on >public ~* &* +@all
-user test_user on >test_passwd ~* &* +@all

.ci/docker-compose-file/redis/sentinel-tcp/master.conf

@@ -1,6 +1,6 @@
 bind :: 0.0.0.0
 port 6379
-aclfile /usr/local/etc/redis/users.acl
+requirepass public
 
 protected-mode no
 daemonize no

.ci/docker-compose-file/redis/sentinel-tcp/sentinel-base.conf

@@ -1,7 +1,7 @@
 sentinel resolve-hostnames yes
 bind :: 0.0.0.0
 
-sentinel monitor mytcpmaster redis-sentinel-master 6379 1
-sentinel auth-pass mytcpmaster public
-sentinel down-after-milliseconds mytcpmaster 10000
-sentinel failover-timeout mytcpmaster 20000
+sentinel monitor mymaster redis-sentinel-master 6379 1
+sentinel auth-pass mymaster public
+sentinel down-after-milliseconds mymaster 10000
+sentinel failover-timeout mymaster 20000

.ci/docker-compose-file/redis/sentinel-tcp/slave.conf

@@ -1,10 +1,9 @@
 bind :: 0.0.0.0
 port 6379
+requirepass public
 
 replicaof redis-sentinel-master 6379
-masteruser default
 masterauth public
-aclfile /usr/local/etc/redis/users.acl
 
 protected-mode no
 daemonize no

.ci/docker-compose-file/redis/sentinel-tcp/users.acl

@@ -1,2 +0,0 @@
-user default on >public ~* &* +@all
-user test_user on >test_passwd ~* &* +@all

.ci/docker-compose-file/redis/sentinel-tls/master.conf

@@ -1,6 +1,6 @@
 bind :: 0.0.0.0
 port 6379
-aclfile /usr/local/etc/redis/users.acl
+requirepass public
 
 tls-port 6389
 tls-cert-file /etc/certs/cert.pem

.ci/docker-compose-file/redis/sentinel-tls/sentinel-base.conf

@@ -8,7 +8,7 @@ tls-key-file /etc/certs/key.pem
 tls-ca-cert-file /etc/certs/cacert.pem
 tls-auth-clients no
 
-sentinel monitor mytlsmaster redis-sentinel-tls-master 6389 1
-sentinel auth-pass mytlsmaster public
-sentinel down-after-milliseconds mytlsmaster 10000
-sentinel failover-timeout mytlsmaster 20000
+sentinel monitor mymaster redis-sentinel-tls-master 6389 1
+sentinel auth-pass mymaster public
+sentinel down-after-milliseconds mymaster 10000
+sentinel failover-timeout mymaster 20000

.ci/docker-compose-file/redis/sentinel-tls/slave.conf

@@ -1,10 +1,9 @@
 bind :: 0.0.0.0
 port 6379
+requirepass public
 
 replicaof redis-sentinel-tls-master 6389
-masteruser default
 masterauth public
-aclfile /usr/local/etc/redis/users.acl
 
 tls-port 6389
 tls-replication yes

.ci/docker-compose-file/redis/sentinel-tls/users.acl

@@ -1,2 +0,0 @@
-user default on >public ~* &* +@all
-user test_user on >test_passwd ~* &* +@all

.ci/docker-compose-file/redis/single-tcp/redis.conf

@@ -1,3 +0,0 @@
-bind :: 0.0.0.0
-port 6379
-aclfile /usr/local/etc/redis/users.acl

.ci/docker-compose-file/redis/single-tcp/users.acl

@@ -1,2 +0,0 @@
-user default on >public ~* &* +@all
-user test_user on >test_passwd ~* &* +@all

.ci/docker-compose-file/redis/single-tls/redis.conf

@@ -1,9 +0,0 @@
-bind :: 0.0.0.0
-aclfile /usr/local/etc/redis/users.acl
-
-tls-port 6380
-tls-cert-file /etc/certs/redis.crt
-tls-key-file /etc/certs/redis.key
-tls-ca-cert-file /etc/certs/ca.crt
-tls-protocols "TLSv1.3"
-tls-ciphersuites "TLS_CHACHA20_POLY1305_SHA256"

.ci/docker-compose-file/redis/single-tls/users.acl

@@ -1,2 +0,0 @@
-user default on >public ~* &* +@all
-user test_user on >test_passwd ~* &* +@all

.ci/docker-compose-file/rocketmq/conf/broker.conf

@@ -20,5 +20,3 @@ maxMessageSize=65536
 brokerRole=ASYNC_MASTER
 
 flushDiskType=ASYNC_FLUSH
-
-aclEnable=true

.ci/docker-compose-file/rocketmq/conf/plain_acl.yml

@@ -1,12 +0,0 @@
-globalWhiteRemoteAddresses:
-
-accounts:
-  - accessKey: RocketMQ
-    secretKey: 12345678
-    whiteRemoteAddress:
-    admin: false
-    defaultTopicPerm: DENY
-    defaultGroupPerm: PUB|SUB
-    topicPerms:
-      - TopicTest=PUB|SUB
-      - Topic2=PUB|SUB

.ci/docker-compose-file/rocketmq/conf_ssl/broker.conf

@@ -1,24 +0,0 @@
-brokerClusterName=DefaultClusterSSL
-brokerName=broker-a
-brokerId=0
-
-brokerIP1=rocketmq_broker_ssl
-
-defaultTopicQueueNums=4
-autoCreateTopicEnable=true
-autoCreateSubscriptionGroup=true
-
-listenPort=10911
-deleteWhen=04
-
-fileReservedTime=120
-mapedFileSizeCommitLog=1073741824
-mapedFileSizeConsumeQueue=300000
-diskMaxUsedSpaceRatio=100
-maxMessageSize=65536
-
-brokerRole=ASYNC_MASTER
-
-flushDiskType=ASYNC_FLUSH
-
-aclEnable=true

.ci/docker-compose-file/rocketmq/conf_ssl/plain_acl.yml

@@ -1,12 +0,0 @@
-globalWhiteRemoteAddresses:
-
-accounts:
-  - accessKey: RocketMQ
-    secretKey: 12345678
-    whiteRemoteAddress:
-    admin: false
-    defaultTopicPerm: DENY
-    defaultGroupPerm: PUB|SUB
-    topicPerms:
-      - TopicTest=PUB|SUB
-      - Topic2=PUB|SUB

.ci/docker-compose-file/toxiproxy.json

@@ -96,18 +96,6 @@
     "upstream": "cassandra:9142",
     "enabled": true
   },
-  {
-    "name": "cassa_no_auth_tcp",
-    "listen": "0.0.0.0:9043",
-    "upstream": "cassandra_noauth:9042",
-    "enabled": true
-  },
-  {
-    "name": "cassa_no_auth_tls",
-    "listen": "0.0.0.0:9143",
-    "upstream": "cassandra_noauth:9142",
-    "enabled": true
-  },
   {
     "name": "sqlserver",
     "listen": "0.0.0.0:1433",
@@ -139,93 +127,9 @@
     "enabled": true
   },
   {
-    "name": "iotdb110",
+    "name": "iotdb",
     "listen": "0.0.0.0:18080",
-    "upstream": "iotdb110:18080",
-    "enabled": true
-  },
-  {
-    "name": "iotdb130",
-    "listen": "0.0.0.0:28080",
-    "upstream": "iotdb130:18080",
-    "enabled": true
-  },
-  {
-    "name": "iotdb013",
-    "listen": "0.0.0.0:38080",
-    "upstream": "iotdb013:18080",
-    "enabled": true
-  },
-  {
-    "name": "minio_tcp",
-    "listen": "0.0.0.0:19000",
-    "upstream": "minio:9000",
-    "enabled": true
-  },
-  {
-    "name": "minio_tls",
-    "listen": "0.0.0.0:19100",
-    "upstream": "minio-tls:9100",
-    "enabled": true
-  },
-  {
-    "name": "gcp_emulator",
-    "listen": "0.0.0.0:8085",
-    "upstream": "gcp_emulator:8085",
-    "enabled": true
-  },
-  {
-    "name": "hstreamdb",
-    "listen": "0.0.0.0:6570",
-    "upstream": "hstreamdb:6570",
-    "enabled": true
-  },
-  {
-    "name": "greptimedb_http",
-    "listen": "0.0.0.0:4000",
-    "upstream": "greptimedb:4000",
-    "enabled": true
-  },
-  {
-    "name": "greptimedb_grpc",
-    "listen": "0.0.0.0:4001",
-    "upstream": "greptimedb:4001",
-    "enabled": true
-  },
-  {
-    "name": "kinesis",
-    "listen": "0.0.0.0:4566",
-    "upstream": "kinesis:4566",
-    "enabled": true
-  },
-  {
-    "name": "ldap_tcp",
-    "listen": "0.0.0.0:389",
-    "upstream": "ldap:389",
-    "enabled": true
-  },
-  {
-    "name": "ldap_ssl",
-    "listen": "0.0.0.0:636",
-    "upstream": "ldap:636",
-    "enabled": true
-  },
-  {
-    "name": "elasticsearch",
-    "listen": "0.0.0.0:9200",
-    "upstream": "elasticsearch:9200",
-    "enabled": true
-  },
-  {
-    "name": "azurite_plain",
-    "listen": "0.0.0.0:10000",
-    "upstream": "azurite:10000",
-    "enabled": true
-  },
-  {
-    "name": "couchbase",
-    "listen": "0.0.0.0:8093",
-    "upstream": "couchbase:8093",
+    "upstream": "iotdb:18080",
     "enabled": true
   }
 ]

.ci/fvt_tests/http_server/rebar.config

@@ -1,11 +1,12 @@
 %% -*- mode: erlang -*-
 
 {erl_opts, [debug_info]}.
-{deps, [
+{deps,
+ [
     {minirest, {git, "https://github.com/emqx/minirest.git", {tag, "1.3.7"}}}
-]}.
+ ]}.
 
 {shell, [
-    % {config, "config/sys.config"},
+  % {config, "config/sys.config"},
     {apps, [http_server]}
 ]}.

.ci/fvt_tests/http_server/src/http_server.app.src

@@ -1,18 +1,18 @@
 %% -*- mode: erlang -*-
-{application, http_server, [
-    {description, "An HTTP server application"},
-    {vsn, "0.2.0"},
-    {registered, []},
-    % {mod, {http_server_app, []}},
-    {modules, []},
-    {applications, [
-        kernel,
-        stdlib,
-        minirest
-    ]},
-    {env, []},
-    {modules, []},
+{application, http_server,
+ [{description, "An HTTP server application"},
+  {vsn, "0.2.0"},
+  {registered, []},
+  % {mod, {http_server_app, []}},
+  {modules, []},
+  {applications,
+   [kernel,
+    stdlib,
+    minirest
+   ]},
+  {env,[]},
+  {modules, []},
 
-    {licenses, ["Apache 2.0"]},
-    {links, []}
-]}.
+  {licenses, ["Apache 2.0"]},
+  {links, []}
+ ]}.

.ci/gitlint.requirements.txt

@@ -1,14 +0,0 @@
-arrow==1.2.3 --hash=sha256:5a49ab92e3b7b71d96cd6bfcc4df14efefc9dfa96ea19045815914a6ab6b1fe2
-click==8.1.3 --hash=sha256:bb4d8133cb15a609f44e8213d9b391b0809795062913b383c62be0ee95b1db48
-exceptiongroup==1.2.0 --hash=sha256:4bfd3996ac73b41e9b9628b04e079f193850720ea5945fc96a08633c66912f14
-gitlint==0.19.1 --hash=sha256:26bb085959148d99fbbc178b4e56fda6c3edd7646b7c2a24d8ee1f8e036ed85d
-gitlint-core==0.19.1 --hash=sha256:f41effd1dcbc06ffbfc56b6888cce72241796f517b46bd9fd4ab1b145056988c
-iniconfig==2.0.0 --hash=sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374
-packaging==23.2 --hash=sha256:8c491190033a9af7e1d931d0b5dacc2ef47509b34dd0de67ed209b5203fc88c7
-pluggy==1.3.0 --hash=sha256:d89c696a773f8bd377d18e5ecda92b7a3793cbe66c87060a6fb58c7b6e1061f7
-pytest==7.4.4 --hash=sha256:b090cdf5ed60bf4c45261be03239c2c1c22df034fbffe691abe93cd80cea01d8
-pytest-retry==1.6.1 --hash=sha256:3d420afc08e61ed3be28ecbb544371041b1b8e5fea7c94eb97cefa0d4ea9825c
-python-dateutil==2.8.2 --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9
-sh==1.14.3 --hash=sha256:e4045b6c732d9ce75d571c79f5ac2234edd9ae4f5fa9d59b09705082bdca18c7
-six==1.16.0 --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
-tomli==2.0.1 --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc

.github/CODEOWNERS

@@ -1,29 +1,16 @@
 ## Default
 * @emqx/emqx-review-board
 
-# emqx-review-board members
-## HJianBo
-## id
-## ieQu1
-## keynslug
-## qzhuyan
-## savonarola
-## terry-xiaoyu
-## thalesmg
-## zhongwencool
-## zmstone
-
 ## apps
 /apps/emqx/                @emqx/emqx-review-board @lafirest
-/apps/emqx_auth/           @emqx/emqx-review-board @JimMoen
+/apps/emqx_authn/          @emqx/emqx-review-board @JimMoen @savonarola
+/apps/emqx_authz/          @emqx/emqx-review-board @JimMoen @savonarola
 /apps/emqx_connector/      @emqx/emqx-review-board @JimMoen
 /apps/emqx_dashboard/      @emqx/emqx-review-board @JimMoen @lafirest
-/apps/emqx_dashboard_rbac/ @emqx/emqx-review-board @lafirest
-/apps/emqx_dashboard_sso/  @emqx/emqx-review-board @JimMoen @lafirest
-/apps/emqx_exhook/         @emqx/emqx-review-board @JimMoen
+/apps/emqx_exhook/         @emqx/emqx-review-board @JimMoen @lafirest
 /apps/emqx_gateway/        @emqx/emqx-review-board @lafirest
-/apps/emqx_management/     @emqx/emqx-review-board @lafirest
-/apps/emqx_opentelemetry   @emqx/emqx-review-board @SergeTupchiy
+/apps/emqx_management/     @emqx/emqx-review-board @lafirest @sstrigler
+/apps/emqx_plugin_libs/    @emqx/emqx-review-board @lafirest
 /apps/emqx_plugins/        @emqx/emqx-review-board @JimMoen
 /apps/emqx_prometheus/     @emqx/emqx-review-board @JimMoen
 /apps/emqx_psk/            @emqx/emqx-review-board @lafirest
@@ -31,8 +18,7 @@
 /apps/emqx_rule_engine/    @emqx/emqx-review-board @kjellwinblad
 /apps/emqx_slow_subs/      @emqx/emqx-review-board @lafirest
 /apps/emqx_statsd/         @emqx/emqx-review-board @JimMoen
-/apps/emqx_durable_storage/ @emqx/emqx-review-board @keynslug
-
+/apps/emqx_replay          @emqx/emqx-review-board @ieQu1
 ## CI
 /deploy/  @emqx/emqx-review-board @Rory-Z
 

.github/ISSUE_TEMPLATE/bug-report.yaml

@@ -61,6 +61,10 @@ body:
         # paste output here
         $ uname -a
         # paste output here
+
+        # On Windows:
+        C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
+        # paste output here
         ```
 
         </details>

.github/actions/package-macos/action.yaml

@@ -3,7 +3,7 @@ inputs:
   profile: # emqx, emqx-enterprise
     required: true
     type: string
-  otp:
+  otp: # 25.1.2-2, 24.3.4.2-2
     required: true
     type: string
   os:
@@ -33,7 +33,8 @@ runs:
         HOMEBREW_NO_INSTALL_UPGRADE: 1
         HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK: 1
       run: |
-        brew install curl zip unzip coreutils openssl@1.1 unixodbc
+        brew update
+        brew install curl zip unzip coreutils openssl@1.1
         echo "/usr/local/opt/bison/bin" >> $GITHUB_PATH
         echo "/usr/local/bin" >> $GITHUB_PATH
         echo "emqx_name=${emqx_name}" >> $GITHUB_OUTPUT
@@ -42,58 +43,33 @@ runs:
         echo "OTP_SOURCE_PATH=$OTP_SOURCE_PATH" >> $GITHUB_OUTPUT
         echo "OTP_INSTALL_PATH=$OTP_INSTALL_PATH" >> $GITHUB_OUTPUT
         mkdir -p "$OTP_SOURCE_PATH" "$OTP_INSTALL_PATH"
-        # we need this to skip using cache for self-hosted runners
-        case ${{ inputs.os }} in
-          *arm64)
-            echo "SELF_HOSTED=true" >> $GITHUB_OUTPUT
-            ;;
-          *)
-            echo "SELF_HOSTED=false" >> $GITHUB_OUTPUT
-            ;;
-        esac
-    - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+    - uses: actions/cache@v3
       id: cache
-      if: steps.prepare.outputs.SELF_HOSTED != 'true'
       with:
         path: ${{ steps.prepare.outputs.OTP_INSTALL_PATH }}
-        key: otp-install-${{ inputs.otp }}-${{ inputs.os }}-static-ssl-disable-hipe-disable-jit-20240524-1
+        key: otp-install-${{ inputs.otp }}-${{ inputs.os }}-static-ssl-disable-hipe-disable-jit
     - name: build erlang
       if: steps.cache.outputs.cache-hit != 'true'
       shell: bash
       run: |
         OTP_SOURCE_PATH="${{ steps.prepare.outputs.OTP_SOURCE_PATH }}"
         OTP_INSTALL_PATH="${{ steps.prepare.outputs.OTP_INSTALL_PATH }}"
-        SELF_HOSTED="${{ steps.prepare.outputs.SELF_HOSTED }}"
-        # when it's self-hosted, it never hits the cache,
-        # skip rebuild if it's self-hosted and the install path already has a 'bin'
-        if [ "${SELF_HOSTED:-false}" = 'true' ]; then
-          if [ -n "$OTP_INSTALL_PATH" ] && [ -d "$OTP_INSTALL_PATH/bin" ]; then
-            echo "Skip rebuilding OTP, found $OTP_INSTALL_PATH"
-            exit 0
-          fi
-        fi
-        ## when it's not self-hosted, or the install path is not found,
-        ## build otp from source code.
         if [ -d "$OTP_SOURCE_PATH" ]; then
           rm -rf "$OTP_SOURCE_PATH"
         fi
         git clone --depth 1 --branch OTP-${{ inputs.otp }} https://github.com/emqx/otp.git "$OTP_SOURCE_PATH"
         cd "$OTP_SOURCE_PATH"
         if [ "$(arch)" = arm64 ]; then
-            ODBCHOME="$(brew --prefix unixodbc)"
-            export CFLAGS="-O2 -g -I${ODBCHOME}/include"
-            export LDFLAGS="-L${ODBCHOME}/lib"
-            WITH_ODBC="--with-odbc=${ODBCHOME}"
-        else
-            WITH_ODBC=""
+            export LDFLAGS="-L$(brew --prefix unixodbc)/lib"
+            export CC="/usr/bin/gcc -I$(brew --prefix unixodbc)/include"
         fi
-        ./configure --disable-dynamic-ssl-lib --with-ssl=$(brew --prefix openssl@1.1) ${WITH_ODBC} --disable-hipe --disable-jit --prefix="$OTP_INSTALL_PATH"
+        ./configure --disable-dynamic-ssl-lib --with-ssl=$(brew --prefix openssl@1.1) --disable-hipe --disable-jit --prefix="$OTP_INSTALL_PATH"
         make -j$(nproc)
         rm -rf "$OTP_INSTALL_PATH"
         make install
         if [ "$(arch)" = arm64 ]; then
-            unset CFLAGS
             unset LDFLAGS
+            unset CC
         fi
     - name: build
       env:
@@ -111,10 +87,6 @@ runs:
       shell: bash
       run: |
         export PATH="${{ steps.prepare.outputs.OTP_INSTALL_PATH }}/bin:$PATH"
-        # inspec erl in PATH
-        which erl
-        # inspec erl command banner
-        erl -s init stop
         make ensure-rebar3
         mkdir -p $HOME/bin
         cp rebar3 $HOME/bin/rebar3

.github/actions/prepare-jmeter/action.yaml

@@ -1,33 +0,0 @@
-name: 'Prepare jmeter'
-
-runs:
-  using: composite
-  steps:
-    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      with:
-        repository: emqx/emqx-fvt
-        ref: broker-autotest-v5
-        path: scripts
-    - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
-      with:
-        java-version: '8.0.282' # The JDK version to make available on the path.
-        java-package: jdk # (jre, jdk, or jdk+fx) - defaults to jdk
-        architecture: x64 # (x64 or x86) - defaults to x64
-        # https://github.com/actions/setup-java/blob/main/docs/switching-to-v2.md
-        distribution: 'zulu'
-    - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
-      with:
-        name: apache-jmeter.tgz
-    - name: install jmeter
-      shell: bash
-      env:
-        JMETER_VERSION: 5.4.3
-      run: |
-        tar -xf apache-jmeter.tgz
-        ln -s apache-jmeter-$JMETER_VERSION jmeter
-        echo "jmeter.save.saveservice.output_format=xml" >> jmeter/user.properties
-        echo "jmeter.save.saveservice.response_data.on_error=true" >> jmeter/user.properties
-        cd jmeter/lib/ext
-        wget --no-verbose https://raw.githubusercontent.com/xmeter-net/mqtt-jmeter/master/Download/v2.0.2/mqtt-xmeter-fuse-2.0.2-jar-with-dependencies.jar
-        wget --no-verbose https://repo1.maven.org/maven2/mysql/mysql-connector-java/8.0.16/mysql-connector-java-8.0.16.jar
-        wget --no-verbose https://repo1.maven.org/maven2/org/postgresql/postgresql/42.2.18/postgresql-42.2.18.jar

.github/dependabot.yml

@@ -1,32 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: github-actions
-    directory: "/"
-    reviewers:
-      - "emqx/emqx-review-board"
-    schedule:
-      interval: weekly
-    groups:
-      actions:
-        patterns:
-          - "*"
-  - package-ecosystem: github-actions
-    directory: "/.github/actions/package-macos/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
-    reviewers:
-      - "emqx/emqx-review-board"
-    schedule:
-      interval: weekly
-    groups:
-      actions-package-macos:
-        patterns:
-          - "*"
-  - package-ecosystem: github-actions
-    directory: "/.github/actions/prepare-jmeter/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
-    reviewers:
-      - "emqx/emqx-review-board"
-    schedule:
-      interval: weekly
-    groups:
-      actions-prepare-jmeter:
-        patterns:
-          - "*"

.github/pull_request_template.md

@@ -1,18 +1,18 @@
 Fixes <issue-or-jira-number>
 
-Release version: v/e5.?
+<!-- Make sure to target release-50 branch if this PR is intended to fix the issues for the release candidate. -->
 
 ## Summary
+copilot:summary
 
 ## PR Checklist
 Please convert it to a draft if any of the following conditions are not met. Reviewers may skip over until all the items are checked:
 
 - [ ] Added tests for the changes
-- [ ] Added property-based tests for code which performs user input validation
 - [ ] Changed lines covered in coverage report
-- [ ] Change log has been added to `changes/(ce|ee)/(feat|perf|fix|breaking)-<PR-id>.en.md` files
+- [ ] Change log has been added to `changes/{ce,ee}/(feat|perf|fix)-<PR-id>.en.md` files
 - [ ] For internal contributor: there is a jira ticket to track this change
-- [ ] Created PR to [emqx-docs](https://github.com/emqx/emqx-docs) if documentation update is required, or link to a follow-up jira ticket
+- [ ] If there should be document changes, a PR to emqx-docs.git is sent, or a jira ticket is created to follow up
 - [ ] Schema changes are backward compatible
 
 ## Checklist for CI (.github/workflows) changes

.github/workflows/.zipignore

@@ -1,3 +0,0 @@
-.git/*
-*/.git/*
-*/.github/*

.github/workflows/.zipignore2

@@ -1 +0,0 @@
-*/.github/*

.github/workflows/_pr_entrypoint.yaml

@@ -1,244 +0,0 @@
-name: PR Entrypoint
-
-concurrency:
-  group: pr-entrypoint-${{ github.event_name }}-${{ github.ref }}
-  cancel-in-progress: true
-
-on:
-  pull_request:
-  workflow_dispatch:
-    inputs:
-      ref:
-        required: false
-
-defaults:
-  run:
-    shell: bash
-
-env:
-  IS_CI: "yes"
-
-jobs:
-  init:
-    runs-on: ubuntu-22.04
-    outputs:
-      BUILDER_VSN: ${{ steps.env.outputs.BUILDER_VSN }}
-      OTP_VSN: ${{ steps.env.outputs.OTP_VSN }}
-      ELIXIR_VSN: ${{ steps.env.outputs.ELIXIR_VSN }}
-      BUILDER: ${{ steps.env.outputs.BUILDER }}
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          ref: ${{ github.event.inputs.ref }}
-      - name: Set up environment
-        id: env
-        run: |
-          source ./env.sh
-          echo "BUILDER_VSN=$EMQX_BUILDER_VSN" | tee -a "$GITHUB_OUTPUT"
-          echo "OTP_VSN=$OTP_VSN" | tee -a "$GITHUB_OUTPUT"
-          echo "ELIXIR_VSN=$ELIXIR_VSN" | tee -a "$GITHUB_OUTPUT"
-          echo "BUILDER=$EMQX_BUILDER" | tee -a "$GITHUB_OUTPUT"
-
-  sanity-checks:
-    runs-on: ubuntu-22.04
-    needs: init
-    container: ${{ needs.init.outputs.BUILDER }}
-    outputs:
-      ct-matrix: ${{ steps.matrix.outputs.ct-matrix }}
-      ct-host: ${{ steps.matrix.outputs.ct-host }}
-      ct-docker: ${{ steps.matrix.outputs.ct-docker }}
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          ref: ${{ github.event.inputs.ref }}
-          fetch-depth: 0
-      - name: Work around https://github.com/actions/checkout/issues/766
-        run: |
-          git config --global --add safe.directory "$GITHUB_WORKSPACE"
-      - name: Run gitlint
-        env:
-          BEFORE_REF: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
-          AFTER_REF: ${{ github.sha }}
-        run: |
-          pip install --require-hashes -r .ci/gitlint.requirements.txt
-          gitlint --commits $BEFORE_REF..$AFTER_REF --config .github/workflows/.gitlint
-      - name: Run shellcheck
-        run: |
-          DEBIAN_FRONTEND=noninteractive apt-get update -qy && apt-get install -qy shellcheck
-          ./scripts/shellcheck.sh
-      - name: Run shell tests
-        run: |
-          DEBIAN_FRONTEND=noninteractive apt-get update -qy && apt-get install -qy shelltestrunner
-          scripts/shelltest/run_tests.sh
-      - name: Check workflow files
-        env:
-          ACTIONLINT_VSN: 1.6.25
-        run: |
-          wget -q https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VSN}/actionlint_${ACTIONLINT_VSN}_linux_$(dpkg --print-architecture).tar.gz -O actionlint.tar.gz
-          tar zxf actionlint.tar.gz actionlint
-          # TODO: enable shellcheck when all the current issues are fixed
-          ./actionlint -color \
-            -shellcheck= \
-            -ignore 'label ".+" is unknown' \
-            -ignore 'value "emqx-enterprise" in "exclude"' \
-            -ignore 'value "emqx-enterprise-elixir" in "exclude"'
-      - name: Check line-break at EOF
-        run: |
-          ./scripts/check-nl-at-eof.sh
-      - name: Check apps version
-        run: |
-          ./scripts/apps-version-check.sh
-      - name: Setup mix
-        env:
-          MIX_ENV: emqx-enterprise
-          PROFILE: emqx-enterprise
-        run: |
-          # mix local.hex --force --if-missing && mix local.rebar --force --if-missing
-          mix local.hex 2.0.6 --force --if-missing && mix local.rebar --force --if-missing
-      - name: Check formatting
-        env:
-          MIX_ENV: emqx-enterprise
-          PROFILE: emqx-enterprise
-        run: |
-          ./scripts/check-format.sh
-      - name: Run elvis check
-        run: |
-          ./scripts/elvis-check.sh $GITHUB_BASE_REF
-      - name: Generate CT Matrix
-        id: matrix
-        run: |
-          MATRIX="$(./scripts/find-apps.sh --ci)"
-          echo "${MATRIX}" | jq
-          CT_MATRIX="$(echo "${MATRIX}" | jq -c 'map({profile}) | unique')"
-          CT_HOST="$(echo "${MATRIX}"   | jq -c 'map(select(.runner == "host"))')"
-          CT_DOCKER="$(echo "${MATRIX}" | jq -c 'map(select(.runner == "docker"))')"
-          echo "ct-matrix=${CT_MATRIX}" | tee -a $GITHUB_OUTPUT
-          echo "ct-host=${CT_HOST}"     | tee -a $GITHUB_OUTPUT
-          echo "ct-docker=${CT_DOCKER}" | tee -a $GITHUB_OUTPUT
-
-  compile:
-    runs-on: ${{ endsWith(github.repository, '/emqx') && 'ubuntu-22.04' || fromJSON('["self-hosted","ephemeral-xl","linux","x64"]') }}
-    container: ${{ needs.init.outputs.BUILDER }}
-    needs:
-      - init
-      - sanity-checks
-    strategy:
-      matrix:
-        profile:
-          - emqx
-          - emqx-enterprise
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          fetch-depth: 0
-      - name: Work around https://github.com/actions/checkout/issues/766
-        run: |
-          git config --global --add safe.directory "$GITHUB_WORKSPACE"
-      - id: compile
-        env:
-          PROFILE: ${{ matrix.profile }}
-          ENABLE_COVER_COMPILE: 1
-        run: |
-          make ensure-rebar3
-          make ${PROFILE}-compile test-compile
-          echo "PROFILE=${PROFILE}" | tee -a .env
-          echo "PKG_VSN=$(./pkg-vsn.sh ${PROFILE})" | tee -a .env
-          zip -ryq -x@.github/workflows/.zipignore $PROFILE.zip .
-      - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
-        with:
-          name: ${{ matrix.profile }}
-          path: ${{ matrix.profile }}.zip
-          retention-days: 7
-
-  run_emqx_app_tests:
-    needs:
-      - init
-      - sanity-checks
-      - compile
-    uses: ./.github/workflows/run_emqx_app_tests.yaml
-    with:
-      builder: ${{ needs.init.outputs.BUILDER }}
-      before_ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
-      after_ref: ${{ github.sha }}
-
-  run_test_cases:
-    needs:
-      - init
-      - sanity-checks
-      - compile
-    uses: ./.github/workflows/run_test_cases.yaml
-    with:
-      builder: ${{ needs.init.outputs.BUILDER }}
-      ct-matrix: ${{ needs.sanity-checks.outputs.ct-matrix }}
-      ct-host: ${{ needs.sanity-checks.outputs.ct-host }}
-      ct-docker: ${{ needs.sanity-checks.outputs.ct-docker }}
-
-  static_checks:
-    needs:
-      - init
-      - sanity-checks
-      - compile
-    uses: ./.github/workflows/static_checks.yaml
-    with:
-      builder: ${{ needs.init.outputs.BUILDER }}
-      ct-matrix: ${{ needs.sanity-checks.outputs.ct-matrix }}
-
-  build_slim_packages:
-    needs:
-      - sanity-checks
-    uses: ./.github/workflows/build_slim_packages.yaml
-
-  build_docker_for_test:
-    needs:
-      - init
-      - sanity-checks
-    uses: ./.github/workflows/build_docker_for_test.yaml
-
-  spellcheck:
-    needs:
-      - sanity-checks
-      - build_slim_packages
-    uses: ./.github/workflows/spellcheck.yaml
-
-  run_conf_tests:
-    needs:
-      - init
-      - sanity-checks
-      - compile
-    uses: ./.github/workflows/run_conf_tests.yaml
-    with:
-      builder: ${{ needs.init.outputs.BUILDER }}
-
-  check_deps_integrity:
-    needs:
-      - init
-      - sanity-checks
-    uses: ./.github/workflows/check_deps_integrity.yaml
-    with:
-      builder: ${{ needs.init.outputs.BUILDER }}
-
-  run_jmeter_tests:
-    needs:
-      - sanity-checks
-      - build_docker_for_test
-    uses: ./.github/workflows/run_jmeter_tests.yaml
-
-  run_docker_tests:
-    needs:
-      - sanity-checks
-      - build_docker_for_test
-    uses: ./.github/workflows/run_docker_tests.yaml
-
-  run_helm_tests:
-    needs:
-      - sanity-checks
-      - build_docker_for_test
-    uses: ./.github/workflows/run_helm_tests.yaml

.github/workflows/_push-entrypoint.yaml

@@ -1,214 +0,0 @@
-name: Push Entrypoint
-
-concurrency:
-  group: push-entrypoint-${{ github.event_name }}-${{ github.ref }}
-  cancel-in-progress: true
-
-on:
-  push:
-    tags:
-      - 'v*'
-    branches:
-      - 'master'
-      - 'release-5[0-9]'
-      - 'ci/**'
-  workflow_dispatch:
-    inputs:
-      ref:
-        required: false
-
-defaults:
-  run:
-    shell: bash
-
-env:
-  IS_CI: 'yes'
-
-jobs:
-  init:
-    runs-on: ubuntu-22.04
-    outputs:
-      BUILDER_VSN: ${{ steps.env.outputs.BUILDER_VSN }}
-      OTP_VSN: ${{ steps.env.outputs.OTP_VSN }}
-      ELIXIR_VSN: ${{ steps.env.outputs.ELIXIR_VSN }}
-      BUILDER: ${{ steps.env.outputs.BUILDER }}
-      BUILD_FROM: ${{ steps.env.outputs.BUILD_FROM }}
-      RUN_FROM: ${{ steps.env.outputs.BUILD_FROM }}
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          ref: ${{ github.event.inputs.ref }}
-      - name: Set up environment
-        id: env
-        run: |
-          source env.sh
-          echo "BUILDER_VSN=$EMQX_BUILDER_VSN" >> "$GITHUB_OUTPUT"
-          echo "OTP_VSN=$OTP_VSN" >> "$GITHUB_OUTPUT"
-          echo "ELIXIR_VSN=$ELIXIR_VSN" >> "$GITHUB_OUTPUT"
-          echo "BUILDER=$EMQX_BUILDER" >> "$GITHUB_OUTPUT"
-          echo "BUILD_FROM=$EMQX_DOCKER_BUILD_FROM" >> "$GITHUB_OUTPUT"
-          echo "RUN_FROM=$EMQX_DOCKER_RUN_FROM" >> "$GITHUB_OUTPUT"
-
-  prepare:
-    runs-on: ubuntu-22.04
-    needs: init
-    container: ${{ needs.init.outputs.BUILDER }}
-    outputs:
-      profile: ${{ steps.parse-git-ref.outputs.profile }}
-      release: ${{ steps.parse-git-ref.outputs.release }}
-      latest: ${{ steps.parse-git-ref.outputs.latest }}
-      ct-matrix: ${{ steps.matrix.outputs.ct-matrix }}
-      ct-host: ${{ steps.matrix.outputs.ct-host }}
-      ct-docker: ${{ steps.matrix.outputs.ct-docker }}
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          ref: ${{ github.event.inputs.ref }}
-          fetch-depth: 0
-      - name: Work around https://github.com/actions/checkout/issues/766
-        shell: bash
-        run: |
-          git config --global --add safe.directory "$GITHUB_WORKSPACE"
-      - name: Detect emqx profile
-        id: parse-git-ref
-        run: |
-          JSON="$(./scripts/parse-git-ref.sh $GITHUB_REF)"
-          PROFILE=$(echo "$JSON" | jq -cr '.profile')
-          RELEASE=$(echo "$JSON" | jq -cr '.release')
-          LATEST=$(echo "$JSON"  | jq -cr '.latest')
-          echo "profile=$PROFILE" | tee -a $GITHUB_OUTPUT
-          echo "release=$RELEASE" | tee -a $GITHUB_OUTPUT
-          echo "latest=$LATEST"   | tee -a $GITHUB_OUTPUT
-      - name: Build matrix
-        id: matrix
-        run: |
-          MATRIX="$(./scripts/find-apps.sh --ci)"
-          echo "${MATRIX}" | jq
-          CT_MATRIX="$(echo "${MATRIX}" | jq -c 'map({profile}) | unique')"
-          CT_HOST="$(echo "${MATRIX}"   | jq -c 'map(select(.runner == "host"))')"
-          CT_DOCKER="$(echo "${MATRIX}" | jq -c 'map(select(.runner == "docker"))')"
-          echo "ct-matrix=${CT_MATRIX}" | tee -a $GITHUB_OUTPUT
-          echo "ct-host=${CT_HOST}"     | tee -a $GITHUB_OUTPUT
-          echo "ct-docker=${CT_DOCKER}" | tee -a $GITHUB_OUTPUT
-
-  build_packages:
-    if: needs.prepare.outputs.release == 'true'
-    needs:
-      - init
-      - prepare
-    uses: ./.github/workflows/build_packages.yaml
-    with:
-      profile: ${{ needs.prepare.outputs.profile }}
-      publish: true
-      otp_vsn: ${{ needs.init.outputs.OTP_VSN }}
-      elixir_vsn: ${{ needs.init.outputs.ELIXIR_VSN }}
-      builder_vsn: ${{ needs.init.outputs.BUILDER_VSN }}
-    secrets: inherit
-
-  build_and_push_docker_images:
-    if: needs.prepare.outputs.release == 'true'
-    needs:
-      - init
-      - prepare
-    uses: ./.github/workflows/build_and_push_docker_images.yaml
-    with:
-      profile: ${{ needs.prepare.outputs.profile }}
-      publish: true
-      latest: ${{ needs.prepare.outputs.latest }}
-      build_from: ${{ needs.init.outputs.BUILD_FROM }}
-      run_from: ${{ needs.init.outputs.RUN_FROM }}
-    secrets: inherit
-
-  build_slim_packages:
-    if: needs.prepare.outputs.release != 'true'
-    needs:
-      - init
-      - prepare
-    uses: ./.github/workflows/build_slim_packages.yaml
-
-  compile:
-    if: needs.prepare.outputs.release != 'true'
-    runs-on: ${{ endsWith(github.repository, '/emqx') && 'ubuntu-22.04' || fromJSON('["self-hosted","ephemeral","linux","x64"]') }}
-    container: ${{ needs.init.outputs.BUILDER }}
-    needs:
-      - init
-      - prepare
-    strategy:
-      matrix:
-        profile:
-          - emqx
-          - emqx-enterprise
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          ref: ${{ github.event.inputs.ref }}
-          fetch-depth: 0
-      - name: Work around https://github.com/actions/checkout/issues/766
-        run: |
-          git config --global --add safe.directory "$GITHUB_WORKSPACE"
-      - id: compile
-        env:
-          PROFILE: ${{ matrix.profile }}
-          ENABLE_COVER_COMPILE: 1
-        run: |
-          make $PROFILE
-          echo "PROFILE=${PROFILE}" | tee -a .env
-          echo "PKG_VSN=$(./pkg-vsn.sh ${PROFILE})" | tee -a .env
-          zip -ryq -x@.github/workflows/.zipignore $PROFILE.zip .
-      - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
-        with:
-          name: ${{ matrix.profile }}
-          path: ${{ matrix.profile }}.zip
-          retention-days: 1
-
-  run_emqx_app_tests:
-    needs:
-      - init
-      - compile
-    uses: ./.github/workflows/run_emqx_app_tests.yaml
-    with:
-      builder: ${{ needs.init.outputs.BUILDER }}
-      before_ref: ${{ github.event.before }}
-      after_ref: ${{ github.sha }}
-
-  run_test_cases:
-    if: needs.prepare.outputs.release != 'true'
-    needs:
-      - init
-      - prepare
-      - compile
-    uses: ./.github/workflows/run_test_cases.yaml
-    with:
-      builder: ${{ needs.init.outputs.BUILDER }}
-      ct-matrix: ${{ needs.prepare.outputs.ct-matrix }}
-      ct-host: ${{ needs.prepare.outputs.ct-host }}
-      ct-docker: ${{ needs.prepare.outputs.ct-docker }}
-
-  run_conf_tests:
-    if: needs.prepare.outputs.release != 'true'
-    needs:
-      - init
-      - prepare
-      - compile
-    uses: ./.github/workflows/run_conf_tests.yaml
-    with:
-      builder: ${{ needs.init.outputs.BUILDER }}
-
-  static_checks:
-    if: needs.prepare.outputs.release != 'true'
-    needs:
-      - init
-      - prepare
-      - compile
-    uses: ./.github/workflows/static_checks.yaml
-    with:
-      builder: ${{ needs.init.outputs.BUILDER }}
-      ct-matrix: ${{ needs.prepare.outputs.ct-matrix }}

.github/workflows/apps_version_check.yaml

@@ -0,0 +1,14 @@
+name: Check Apps Version
+
+on: [pull_request]
+
+jobs:
+  check_apps_version:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Check apps version
+        run: ./scripts/apps-version-check.sh

.github/workflows/build_and_push_docker_images.yaml

@@ -5,206 +5,197 @@ concurrency:
   cancel-in-progress: true
 
 on:
-  workflow_call:
-    inputs:
-      profile:
-        required: true
-        type: string
-      latest:
-        required: true
-        type: string
-      publish:
-        required: true
-        type: boolean
-      build_from:
-        required: true
-        type: string
-      run_from:
-        required: true
-        type: string
-    secrets:
-      DOCKER_HUB_USER:
-        required: true
-      DOCKER_HUB_TOKEN:
-        required: true
-      AWS_ACCESS_KEY_ID:
-        required: true
-      AWS_SECRET_ACCESS_KEY:
-        required: true
+  push:
+    tags:
+    - v*
+    - e*
+    - docker-latest-*
   workflow_dispatch:
     inputs:
-      ref:
+      branch_or_tag:
         required: false
       profile:
         required: false
-        type: string
         default: 'emqx'
-      latest:
+      is_latest:
         required: false
-        type: boolean
         default: false
-      publish:
-        required: false
-        type: boolean
-        default: false
-      build_from:
-        required: false
-        type: string
-        default: ghcr.io/emqx/emqx-builder/5.3-9:1.15.7-26.2.5-3-debian12
-      run_from:
-        default: public.ecr.aws/debian/debian:stable-20240612-slim
-
-permissions:
-  contents: read
 
 jobs:
-  build:
-    runs-on: ${{ github.repository_owner == 'emqx' && fromJSON(format('["self-hosted","ephemeral","linux","{0}"]', matrix.arch)) || 'ubuntu-22.04' }}
-    container: ${{ inputs.build_from }}
-    outputs:
-      PKG_VSN: ${{ steps.build.outputs.PKG_VSN }}
+  prepare:
+    runs-on: ubuntu-22.04
+    # prepare source with any OTP version, no need for a matrix
+    container: "ghcr.io/emqx/emqx-builder/5.0-34:1.13.4-24.3.4.2-3-ubuntu22.04"
 
-    strategy:
-      fail-fast: false
-      matrix:
-        profile:
-          - ${{ inputs.profile }}
-          - ${{ inputs.profile }}-elixir
-        arch:
-          - x64
-          - arm64
+    outputs:
+      PROFILE: ${{ steps.get_profile.outputs.PROFILE }}
+      EDITION: ${{ steps.get_profile.outputs.EDITION }}
+      IS_LATEST: ${{ steps.get_profile.outputs.IS_LATEST }}
+      IS_EXACT_TAG: ${{ steps.get_profile.outputs.IS_EXACT_TAG }}
+      VERSION: ${{ steps.get_profile.outputs.VERSION }}
 
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v3
         with:
-          ref: ${{ github.event.inputs.ref }}
-      - run: git config --global --add safe.directory "$PWD"
-      - name: build release tarball
-        id: build
+          ref: ${{ github.event.inputs.branch_or_tag }} # when input is not given, the event tag is used
+          path: source
+          fetch-depth: 0
+
+      - name: Get profiles to build
+        id: get_profile
+        env:
+          INPUTS_PROFILE: ${{ github.event.inputs.profile }}
         run: |
-          make ${{ matrix.profile }}-tgz
-      - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+          cd source
+          # tag docker-latest-ce or docker-latest-ee
+          if git describe --tags --exact --match 'docker-latest-*' 2>/dev/null; then
+            echo 'is_latest=true due to docker-latest-* tag'
+            is_latest=true
+          elif [ "${{ inputs.is_latest }}" = "true" ]; then
+            echo 'is_latest=true due to manual input from workflow_dispatch'
+            is_latest=true
+          else
+            echo 'is_latest=false'
+            is_latest=false
+          fi
+          # resolve profile
+          if git describe --tags --match "v*" --exact; then
+            echo "This is an exact git tag, will publish images"
+            is_exact='true'
+            PROFILE=emqx
+          elif git describe --tags --match "e*" --exact; then
+            echo "This is an exact git tag, will publish images"
+            is_exact='true'
+            PROFILE=emqx-enterprise
+          else
+            echo "This is NOT an exact git tag, will not publish images"
+            is_exact='false'
+          fi
+
+          case "${PROFILE:-$INPUTS_PROFILE}" in
+            emqx)
+              EDITION='Opensource'
+              ;;
+            emqx-enterprise)
+              EDITION='Enterprise'
+              ;;
+            *)
+              echo "ERROR: Failed to resolve build profile"
+              exit 1
+              ;;
+          esac
+
+          VSN="$(./pkg-vsn.sh "$PROFILE")"
+          echo "Building emqx/$PROFILE:$VSN image (latest=$is_latest)"
+          echo "Push = $is_exact"
+          echo "IS_LATEST=$is_latest" >> $GITHUB_OUTPUT
+          echo "IS_EXACT_TAG=$is_exact" >> $GITHUB_OUTPUT
+          echo "PROFILE=$PROFILE" >> $GITHUB_OUTPUT
+          echo "EDITION=$EDITION" >> $GITHUB_OUTPUT
+          echo "VERSION=$VSN" >> $GITHUB_OUTPUT
+      - name: get_all_deps
+        env:
+          PROFILE: ${{ steps.get_profile.outputs.PROFILE }}
+        run: |
+          PROFILE=$PROFILE make -C source deps-$PROFILE
+          zip -ryq source.zip source/* source/.[^.]*
+      - uses: actions/upload-artifact@v3
         with:
-          name: "${{ matrix.profile }}-${{ matrix.arch }}.tar.gz"
-          path: "_packages/emqx*/emqx-*.tar.gz"
-          retention-days: 7
-          overwrite: true
-          if-no-files-found: error
+          name: source
+          path: source.zip
 
   docker:
-    runs-on: ${{ endsWith(github.repository, '/emqx') && 'ubuntu-22.04' || fromJSON('["self-hosted","ephemeral","linux","x64"]') }}
-    needs:
-      - build
-    defaults:
-      run:
-        shell: bash
+    runs-on: ubuntu-22.04
+    needs: prepare
 
     strategy:
       fail-fast: false
       matrix:
         profile:
-          - ["${{ inputs.profile }}", "${{ inputs.profile == 'emqx' && 'docker.io,public.ecr.aws' || 'docker.io' }}"]
-          - ["${{ inputs.profile }}-elixir", "${{ inputs.profile == 'emqx' && 'docker.io,public.ecr.aws' || 'docker.io' }}"]
+          - "${{ needs.prepare.outputs.PROFILE }}"
+        registry:
+          - 'docker.io'
+          - 'public.ecr.aws'
+        os:
+          - [debian11, "debian:11-slim", "deploy/docker/Dockerfile"]
+        # NOTE: 'otp' and 'elixir' are to configure emqx-builder image
+        #       only support latest otp and elixir, not a matrix
+        builder:
+          - 5.0-34 # update to latest
+        otp:
+          - 24.3.4.2-3 # switch to 25 once ready to release 5.1
+        elixir:
+          - 'no_elixir'
+          - '1.13.4' # update to latest
+        exclude: # TODO: publish enterprise to ecr too?
+          - registry: 'public.ecr.aws'
+            profile: emqx-enterprise
 
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          ref: ${{ github.event.inputs.ref }}
-      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          pattern: "${{ matrix.profile[0] }}-*.tar.gz"
-          path: _packages
-          merge-multiple: true
+    - uses: actions/download-artifact@v3
+      with:
+        name: source
+        path: .
+    - name: unzip source code
+      run: unzip -q source.zip
 
-      - name: Move artifacts to root directory
-        env:
-          PROFILE: ${{ inputs.profile }}
-        run: |
-          ls -lR _packages/$PROFILE
-          mv _packages/$PROFILE/*.tar.gz ./
+    - uses: docker/setup-qemu-action@v2
+    - uses: docker/setup-buildx-action@v2
 
-      - name: Enable containerd image store on Docker Engine
-        run: |
-          echo "$(sudo cat /etc/docker/daemon.json | jq '. += {"features": {"containerd-snapshotter": true}}')" > daemon.json
-          sudo mv daemon.json /etc/docker/daemon.json
-          sudo systemctl restart docker
+    - name: Login to hub.docker.com
+      uses: docker/login-action@v2
+      if: matrix.registry == 'docker.io'
+      with:
+        username: ${{ secrets.DOCKER_HUB_USER }}
+        password: ${{ secrets.DOCKER_HUB_TOKEN }}
 
-      - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
-      - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+    - name: Login to AWS ECR
+      uses: docker/login-action@v2
+      if: matrix.registry == 'public.ecr.aws'
+      with:
+        registry: public.ecr.aws
+        username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        ecr: true
 
-      - name: Login to hub.docker.com
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        if: inputs.publish && contains(matrix.profile[1], 'docker.io')
-        with:
-          username: ${{ secrets.DOCKER_HUB_USER }}
-          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+    - name: prepare for docker/metadata-action
+      id: pre-meta
+      shell: bash
+      run: |
+        extra_labels=
+        img_suffix=
+        if [ "${{ matrix.elixir }}" != 'no_elixir' ]; then
+          img_suffix="-elixir"
+          extra_labels="org.opencontainers.image.elixir.version=${{ matrix.elixir }}"
+        fi
 
-      - name: Login to AWS ECR
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        if: inputs.publish && contains(matrix.profile[1], 'public.ecr.aws')
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          ecr: true
+        echo "img_suffix=$img_suffix" >> $GITHUB_OUTPUT
+        echo "extra_labels=$extra_labels" >> $GITHUB_OUTPUT
 
-      - name: Build docker image for smoke test
-        env:
-          PROFILE: ${{ matrix.profile[0] }}
-          DOCKER_REGISTRY: ${{ matrix.profile[1] }}
-          DOCKER_ORG: ${{ github.repository_owner }}
-          DOCKER_LATEST: ${{ inputs.latest }}
-          DOCKER_PUSH: false
-          DOCKER_BUILD_NOCACHE: true
-          BUILD_FROM: ${{ inputs.build_from }}
-          RUN_FROM: ${{ inputs.run_from }}
-          PKG_VSN: ${{ needs.build.outputs.PKG_VSN }}
-          EMQX_SOURCE_TYPE: tgz
-        run: |
-          ./build ${PROFILE} docker
-          echo "Built tags:"
-          echo "==========="
-          cat .emqx_docker_image_tags
-          echo "==========="
-          echo "_EMQX_DOCKER_IMAGE_TAG=$(head -n 1 .emqx_docker_image_tags)" >> $GITHUB_ENV
+    - uses: docker/metadata-action@v4
+      id: meta
+      with:
+        images: |
+          ${{ matrix.registry }}/${{ github.repository_owner }}/${{ matrix.profile }}
+        flavor: |
+          suffix=${{ steps.pre-meta.outputs.img_suffix }}
+        tags: |
+          type=raw,value=${{ needs.prepare.outputs.VERSION }}
+          type=raw,value=latest,enable=${{ needs.prepare.outputs.IS_LATEST }}
+        labels: |
+          org.opencontainers.image.otp.version=${{ matrix.otp }}
+          org.opencontainers.image.edition=${{ needs.prepare.outputs.EDITION }}
+          ${{ steps.pre-meta.outputs.extra_labels }}
 
-      - name: smoke test
-        timeout-minutes: 1
-        run: |
-          for tag in $(cat .emqx_docker_image_tags); do
-            CID=$(docker run -d -p 18083:18083 $tag)
-            HTTP_PORT=$(docker inspect --format='{{(index (index .NetworkSettings.Ports "18083/tcp") 0).HostPort}}' $CID)
-            ./scripts/test/emqx-smoke-test.sh localhost $HTTP_PORT
-            docker rm -f $CID
-          done
-      - name: dashboard tests
-        working-directory: ./scripts/ui-tests
-        timeout-minutes: 5
-        run: |
-          set -eu
-          docker compose up --abort-on-container-exit --exit-code-from selenium
-          docker compose rm -fsv
-      - name: test node_dump
-        run: |
-          CID=$(docker run -d -P $_EMQX_DOCKER_IMAGE_TAG)
-          docker exec -t -u root -w /root $CID bash -c 'apt-get -y update && apt-get -y install net-tools'
-          docker exec -t -u root $CID node_dump
-          docker rm -f $CID
-
-      - name: Build and push docker image
-        if: inputs.publish || github.repository_owner != 'emqx'
-        env:
-          PROFILE: ${{ matrix.profile[0] }}
-          DOCKER_REGISTRY: ${{ matrix.profile[1] }}
-          DOCKER_ORG: ${{ github.repository_owner }}
-          DOCKER_LATEST: ${{ inputs.latest }}
-          DOCKER_PUSH: true
-          DOCKER_BUILD_NOCACHE: false
-          DOCKER_PLATFORMS: linux/amd64,linux/arm64
-          DOCKER_LOAD: false
-          BUILD_FROM: ${{ inputs.build_from }}
-          RUN_FROM: ${{ inputs.run_from }}
-          PKG_VSN: ${{ needs.build.outputs.PKG_VSN }}
-          EMQX_SOURCE_TYPE: tgz
-        run: |
-          ./build ${PROFILE} docker
+    - uses: docker/build-push-action@v3
+      with:
+        push: ${{ needs.prepare.outputs.IS_EXACT_TAG == 'true' || github.repository_owner != 'emqx' }}
+        pull: true
+        no-cache: true
+        platforms: linux/amd64,linux/arm64
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        build-args: |
+          EMQX_NAME=${{ matrix.profile }}${{ steps.pre-meta.outputs.img_suffix }}
+        file: source/${{ matrix.os[2] }}
+        context: source

.github/workflows/build_docker_for_test.yaml

@@ -1,58 +0,0 @@
-name: Build docker image for test
-
-concurrency:
-  group: docker-test-build-${{ github.event_name }}-${{ github.ref }}
-  cancel-in-progress: true
-
-on:
-  workflow_call:
-
-permissions:
-  contents: read
-
-jobs:
-  docker:
-    runs-on: ${{ endsWith(github.repository, '/emqx') && 'ubuntu-22.04' || fromJSON('["self-hosted","ephemeral","linux","x64"]') }}
-    env:
-      EMQX_NAME: ${{ matrix.profile }}
-
-    strategy:
-      fail-fast: false
-      matrix:
-        profile:
-          - emqx
-          - emqx-enterprise
-          - emqx-elixir
-          - emqx-enterprise-elixir
-
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Set up environment
-        id: env
-        run: |
-          source env.sh
-          PKG_VSN=$(docker run --rm -v $(pwd):$(pwd) -w $(pwd) -u $(id -u) "$EMQX_BUILDER" ./pkg-vsn.sh "$EMQX_NAME")
-          echo "PKG_VSN=$PKG_VSN" >> "$GITHUB_ENV"
-      - name: build and export to Docker
-        id: build
-        run: |
-          make ${EMQX_NAME}-docker
-          echo "_EMQX_DOCKER_IMAGE_TAG=$(head -n 1 .emqx_docker_image_tags)" >> $GITHUB_ENV
-      - name: smoke test
-        run: |
-          CID=$(docker run -d --rm -P $_EMQX_DOCKER_IMAGE_TAG)
-          HTTP_PORT=$(docker inspect --format='{{(index (index .NetworkSettings.Ports "18083/tcp") 0).HostPort}}' $CID)
-          ./scripts/test/emqx-smoke-test.sh localhost $HTTP_PORT || {
-            docker logs $CID
-            exit 1
-          }
-          docker stop $CID
-      - name: export docker image
-        if: always()
-        run: |
-          docker save $_EMQX_DOCKER_IMAGE_TAG | gzip > $EMQX_NAME-docker-$PKG_VSN.tar.gz
-      - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
-        with:
-          name: "${{ env.EMQX_NAME }}-docker"
-          path: "${{ env.EMQX_NAME }}-docker-${{ env.PKG_VSN }}.tar.gz"
-          retention-days: 3

.github/workflows/build_packages.yaml

@@ -1,90 +1,141 @@
 name: Cross build packages
 
 concurrency:
-  group: build-packages-${{ github.event_name }}-${{ github.ref }}
+  group: build-${{ github.event_name }}-${{ github.ref }}
   cancel-in-progress: true
 
 on:
-  workflow_call:
-    inputs:
-      profile:
-        required: true
-        type: string
-      publish:
-        required: true
-        type: boolean
-      otp_vsn:
-        required: true
-        type: string
-      elixir_vsn:
-        required: true
-        type: string
-      builder_vsn:
-        required: true
-        type: string
-    secrets:
-      AWS_ACCESS_KEY_ID:
-        required: true
-      AWS_SECRET_ACCESS_KEY:
-        required: true
-      AWS_DEFAULT_REGION:
-        required: true
-      AWS_S3_BUCKET:
-        required: true
-      AWS_CLOUDFRONT_ID:
-        required: true
-      APPLE_ID_PASSWORD:
-        required: true
-      APPLE_DEVELOPER_IDENTITY:
-        required: true
-      APPLE_DEVELOPER_ID_BUNDLE:
-        required: true
-      APPLE_DEVELOPER_ID_BUNDLE_PASSWORD:
-        required: true
+  push:
+    branches:
+    - 'ci/**'
+    tags:
+    - v*
+    - e*
   workflow_dispatch:
     inputs:
-      ref:
+      branch_or_tag:
         required: false
       profile:
-        required: true
-        default: 'emqx'
-      publish:
         required: false
-        type: boolean
-        default: false
-      otp_vsn:
-        required: false
-        type: string
-        default: '26.2.5-3'
-      elixir_vsn:
-        required: false
-        type: string
-        default: '1.15.7'
-      builder_vsn:
-        required: false
-        type: string
-        default: '5.3-9'
-
-permissions:
-  contents: read
 
 jobs:
+  prepare:
+    runs-on: ubuntu-22.04
+    container: ghcr.io/emqx/emqx-builder/5.0-34:1.13.4-24.3.4.2-3-ubuntu22.04
+    outputs:
+      BUILD_PROFILE: ${{ steps.get_profile.outputs.BUILD_PROFILE }}
+      IS_EXACT_TAG: ${{ steps.get_profile.outputs.IS_EXACT_TAG }}
+      VERSION: ${{ steps.get_profile.outputs.VERSION }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.inputs.branch_or_tag }} # when input is not given, the event tag is used
+          fetch-depth: 0
+
+      - name: Get profile to build
+        id: get_profile
+        run: |
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+          tag=${{ github.ref }}
+          if git describe --tags --match "[v|e]*" --exact; then
+            echo "WARN: This is an exact git tag, will publish release"
+            is_exact_tag='true'
+          else
+            echo "WARN: This is NOT an exact git tag, will not publish release"
+            is_exact_tag='false'
+          fi
+          echo "IS_EXACT_TAG=${is_exact_tag}" >> $GITHUB_OUTPUT
+          case $tag in
+            refs/tags/v*)
+              PROFILE='emqx'
+              ;;
+            refs/tags/e*)
+              PROFILE=emqx-enterprise
+              ;;
+            *)
+              PROFILE=${{ github.event.inputs.profile }}
+              case "$PROFILE" in
+                emqx)
+                  true
+                  ;;
+                emqx-enterprise)
+                  true
+                  ;;
+                *)
+                  # maybe triggered from schedule
+                  echo "WARN: \"$PROFILE\" is not a valid profile."
+                  echo "building the default profile 'emqx' instead"
+                  PROFILE='emqx'
+                  ;;
+              esac
+              ;;
+          esac
+          echo "BUILD_PROFILE=$PROFILE" >> $GITHUB_OUTPUT
+          echo "VERSION=$(./pkg-vsn.sh $PROFILE)" >> $GITHUB_OUTPUT
+
+  windows:
+    runs-on: windows-2019
+    if: startsWith(github.ref_name, 'v')
+    strategy:
+      fail-fast: false
+      matrix:
+        profile: # for now only CE for windows
+          - emqx
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        ref: ${{ github.event.inputs.branch_or_tag }}
+        fetch-depth: 0
+
+    - uses: ilammy/msvc-dev-cmd@v1.12.0
+    - uses: erlef/setup-beam@v1.15.2
+      with:
+        otp-version: 24.3.4.6
+    - name: build
+      env:
+        PYTHON: python
+        DIAGNOSTIC: 1
+      run: |
+        # ensure crypto app (openssl)
+        erl -eval "erlang:display(crypto:info_lib())" -s init stop
+        make ${{ matrix.profile }}-tgz
+    - name: run emqx
+      timeout-minutes: 5
+      run: |
+        ./_build/${{ matrix.profile }}/rel/emqx/bin/emqx start
+        Start-Sleep -s 5
+        echo "EMQX started"
+        ./_build/${{ matrix.profile }}/rel/emqx/bin/emqx stop
+        echo "EMQX stopped"
+        ./_build/${{ matrix.profile }}/rel/emqx/bin/emqx install
+        echo "EMQX installed"
+        ./_build/${{ matrix.profile }}/rel/emqx/bin/emqx uninstall
+        echo "EMQX uninstalled"
+    - uses: actions/upload-artifact@v3
+      if: success()
+      with:
+        name: ${{ matrix.profile }}
+        path: _packages/${{ matrix.profile }}/
+
   mac:
+    needs: prepare
     strategy:
       fail-fast: false
       matrix:
         profile:
-          - ${{ inputs.profile }}
-        os:
-          - macos-13
-          - macos-14
+          - ${{ needs.prepare.outputs.BUILD_PROFILE }}
         otp:
-          - ${{ inputs.otp_vsn }}
+          - 24.3.4.2-3
+        os:
+          - macos-11
+          - macos-12
+          - macos-12-arm64
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: emqx/self-hosted-cleanup-action@v1.0.3
+    - uses: actions/checkout@v3
       with:
-        ref: ${{ github.event.inputs.ref }}
+        ref: ${{ github.event.inputs.branch_or_tag }}
         fetch-depth: 0
     - uses: ./.github/actions/package-macos
       with:
@@ -95,115 +146,147 @@ jobs:
         apple_developer_identity: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
         apple_developer_id_bundle: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }}
         apple_developer_id_bundle_password: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }}
-    - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+    - uses: actions/upload-artifact@v3
       if: success()
       with:
-        name: ${{ matrix.profile }}-${{ matrix.os }}-${{ matrix.otp }}
+        name: ${{ matrix.profile }}
         path: _packages/${{ matrix.profile }}/
-        retention-days: 7
 
   linux:
-    runs-on: [self-hosted, ephemeral, linux, "${{ matrix.arch == 'arm64' && 'arm64' || 'x64' }}"]
+    needs: prepare
+    runs-on: ${{ matrix.build_machine }}
+    # always run in builder container because the host might have the wrong OTP version etc.
+    # otherwise buildx.sh does not run docker if arch and os matches the target arch and os.
+    container:
+      image: "ghcr.io/emqx/emqx-builder/${{ matrix.builder }}:${{ matrix.elixir }}-${{ matrix.otp }}-${{ matrix.os }}"
+
     strategy:
       fail-fast: false
       matrix:
         profile:
-          - ${{ inputs.profile }}
+          - ${{ needs.prepare.outputs.BUILD_PROFILE }}
+        otp:
+          - 24.3.4.2-3
+        arch:
+          - amd64
+          - arm64
         os:
-          - ubuntu24.04
           - ubuntu22.04
           - ubuntu20.04
-          - debian12
+          - ubuntu18.04
           - debian11
           - debian10
           - el9
           - el8
+          - el7
           - amzn2
-          - amzn2023
-        arch:
-          - amd64
-          - arm64
-        with_elixir:
-          - 'no'
-        otp:
-          - ${{ inputs.otp_vsn }}
+        build_machine:
+          - aws-arm64
+          - ubuntu-22.04
         builder:
-          - ${{ inputs.builder_vsn }}
+          - 5.0-34
         elixir:
-          - ${{ inputs.elixir_vsn }}
+          - 1.13.4
+        exclude:
+        - arch: arm64
+          build_machine: ubuntu-22.04
+        - arch: amd64
+          build_machine: aws-arm64
         include:
-          - profile: ${{ inputs.profile }}
-            os: ubuntu22.04
+          - profile: emqx
+            otp: 25.1.2-3
             arch: amd64
-            with_elixir: 'yes'
-            otp: ${{ inputs.otp_vsn }}
-            builder: ${{ inputs.builder_vsn }}
-            elixir: ${{ inputs.elixir_vsn }}
+            os: ubuntu22.04
+            build_machine: ubuntu-22.04
+            builder: 5.0-34
+            elixir: 1.13.4
+            release_with: elixir
+          - profile: emqx
+            otp: 25.1.2-3
+            arch: amd64
+            os: amzn2
+            build_machine: ubuntu-22.04
+            builder: 5.0-34
+            elixir: 1.13.4
+            release_with: elixir
 
     defaults:
       run:
         shell: bash
 
     steps:
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: AutoModality/action-clean@v1
+      if: matrix.build_machine == 'aws-arm64'
+
+    - uses: actions/checkout@v3
       with:
-        ref: ${{ github.event.inputs.ref }}
+        ref: ${{ github.event.inputs.branch_or_tag }}
         fetch-depth: 0
-    - name: build tgz
+
+    - name: build emqx packages
       env:
+        ELIXIR: ${{ matrix.elixir }}
         PROFILE: ${{ matrix.profile }}
         ARCH: ${{ matrix.arch }}
-        OS: ${{ matrix.os }}
-        IS_ELIXIR: ${{ matrix.with_elixir }}
-        BUILDER: "ghcr.io/emqx/emqx-builder/${{ matrix.builder }}:${{ matrix.elixir }}-${{ matrix.otp }}-${{ matrix.os }}"
-        BUILDER_SYSTEM: force_docker
       run: |
-        ./scripts/buildx.sh \
-          --profile $PROFILE \
-          --arch $ARCH \
-          --builder $BUILDER \
-          --elixir $IS_ELIXIR \
-          --pkgtype tgz
-    - name: build pkg
-      if: matrix.with_elixir == 'no'
-      env:
-        PROFILE: ${{ matrix.profile }}
-        ARCH: ${{ matrix.arch }}
-        OS: ${{ matrix.os }}
-        IS_ELIXIR: ${{ matrix.with_elixir }}
-        BUILDER: "ghcr.io/emqx/emqx-builder/${{ matrix.builder }}:${{ matrix.elixir }}-${{ matrix.otp }}-${{ matrix.os }}"
-        BUILDER_SYSTEM: force_docker
-      run: |
-        ./scripts/buildx.sh \
-          --profile $PROFILE \
-          --arch $ARCH \
-          --builder $BUILDER \
-          --elixir $IS_ELIXIR \
-          --pkgtype pkg
-    - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+        set -eu
+        git config --global --add safe.directory "$GITHUB_WORKSPACE"
+        # Align path for CMake caches
+        if [ ! "$PWD" = "/emqx" ]; then
+          ln -s $PWD /emqx
+          cd /emqx
+        fi
+        echo "pwd is $PWD"
+        PKGTYPES="tgz pkg"
+        IS_ELIXIR="no"
+        WITH_ELIXIR=${{ matrix.release_with }}
+        if [ "${WITH_ELIXIR:-}" == 'elixir' ]; then
+          PKGTYPES="tgz"
+          # set Elixir build flag
+          IS_ELIXIR="yes"
+        fi
+        for PKGTYPE in ${PKGTYPES};
+        do
+          ./scripts/buildx.sh \
+            --profile "${PROFILE}" \
+            --pkgtype "${PKGTYPE}" \
+            --arch "${ARCH}" \
+            --elixir "${IS_ELIXIR}" \
+            --builder "force_host"
+        done
+    - uses: actions/upload-artifact@v3
+      if: success()
       with:
-        name: ${{ matrix.profile }}-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.with_elixir == 'yes' && '-elixir' || '' }}-${{ matrix.builder }}-${{ matrix.otp }}-${{ matrix.elixir }}
+        name: ${{ matrix.profile }}
         path: _packages/${{ matrix.profile }}/
-        retention-days: 7
 
   publish_artifacts:
-    runs-on: ubuntu-latest
-    needs:
-      - mac
-      - linux
-    if: inputs.publish
+    runs-on: ubuntu-22.04
+    needs: [prepare, mac, linux]
+    if: needs.prepare.outputs.IS_EXACT_TAG == 'true'
     strategy:
       fail-fast: false
       matrix:
         profile:
-          - ${{ inputs.profile }}
+          - ${{ needs.prepare.outputs.BUILD_PROFILE }}
     steps:
-    - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+    - uses: actions/download-artifact@v3
       with:
-        pattern: "${{ matrix.profile }}-*"
+        name: ${{ matrix.profile }}
         path: packages/${{ matrix.profile }}
-        merge-multiple: true
-    - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+    - name: install dos2unix
+      run: sudo apt-get update && sudo apt install -y dos2unix
+    - name: get packages
+      run: |
+        set -e -u
+        cd packages/${{ matrix.profile }}
+        # fix the .sha256 file format
+        for var in $(ls | grep emqx | grep -v sha256); do
+          dos2unix $var.sha256
+          echo "$(cat $var.sha256) $var" | sha256sum -c || exit 1
+        done
+        cd -
+    - uses: aws-actions/configure-aws-credentials@v2
       with:
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -211,11 +294,8 @@ jobs:
     - name: upload to aws s3
       env:
         PROFILE: ${{ matrix.profile }}
-        REF_NAME: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.ref || github.ref_name }}
-        AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
-        AWS_CLOUDFRONT_ID: ${{ secrets.AWS_CLOUDFRONT_ID }}
       run: |
-        set -eu
+        set -e -u
         if [ $PROFILE = 'emqx' ]; then
             s3dir='emqx-ce'
         elif [ $PROFILE = 'emqx-enterprise' ]; then
@@ -224,5 +304,5 @@ jobs:
             echo "unknown profile $PROFILE"
             exit 1
         fi
-        aws s3 cp --recursive packages/$PROFILE s3://$AWS_S3_BUCKET/$s3dir/$REF_NAME
-        aws cloudfront create-invalidation --distribution-id "$AWS_CLOUDFRONT_ID" --paths "/$s3dir/$REF_NAME/*"
+        aws s3 cp --recursive packages/$PROFILE s3://${{ secrets.AWS_S3_BUCKET }}/$s3dir/${{ github.ref_name }}
+        aws cloudfront create-invalidation --distribution-id ${{ secrets.AWS_CLOUDFRONT_ID }} --paths "/$s3dir/${{ github.ref_name }}/*"