chore: Enable AWS Secrets Manager for EXPO Update (#24508)

sethkfman · weitingsun · cursoragent · web-flow · commit 0a98f56dadfb · 2026-01-15T19:26:08.000Z
## **Description** This PR enables the AWS Secrets Manage System in the Push EXPO Update work flow. 4 steps have been added to the workflow: - Determine signing secret name - Configure AWS credentials - Fetch secret and export as environment variables - Decode and Export EXPO Key  ## **Changelog**  CHANGELOG entry: null ## **Related issues** Fixes: ## **Manual testing steps** ```gherkin Feature: my feature name Scenario: user [verb for user action] Given [describe expected initial app state] When user [verb for user action] Then [describe expected outcome] ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  ## **Pre-merge author checklist** - [ ] I’ve followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > Introduces AWS-backed secret management and key handling in `push-eas-update.yml` to support secure EAS OTA updates. > > - Determines `AWS_SIGNING_CERT_SECRET_NAME` per `channel` (exp/rc/production), configures AWS credentials, fetches secrets from Secrets Manager, masks values, and exports them to `GITHUB_ENV`. > - Replaces direct `EXPO_KEY_PRIV` usage with base64-decoded `EXPO_KEY_PRIV_B64` in the build step, failing early if unset. > - Maintains existing build/publish flow while routing to channel-specific update commands. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 5185e12. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: Wei Sun <wei.sun@consensys.net> Co-authored-by: Cursor Agent <cursoragent@cursor.com>
diff --git a/.github/workflows/push-eas-update.yml b/.github/workflows/push-eas-update.yml
@@ -210,6 +210,52 @@ jobs:
           node-version: '20'
           cache: 'yarn'
 
+      - name: Determine signing secret name
+        shell: bash
+        env:
+          TARGET: ${{ inputs.channel }}
+        run: |
+          case "$TARGET" in
+            exp)
+              SECRET_NAME="metamask-exp-expo-signer"
+              ;;
+            rc)
+              SECRET_NAME="metamask-rc-expo-signer"
+              ;;
+            production)
+              SECRET_NAME="metamask-prod-expo-signer"
+              ;;
+            *)
+              echo "❌ Unknown target: $TARGET"
+              exit 1
+              ;;
+          esac
+          echo "AWS_SIGNING_CERT_SECRET_NAME=$SECRET_NAME" >> "$GITHUB_ENV"
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          aws-region: 'us-east-2'
+
+      - name: Fetch secret and export as environment variables
+        shell: bash
+        run: |
+          echo "🔐 Fetching secret from Secrets Manager..."
+          secret_json=$(aws secretsmanager get-secret-value \
+            --region 'us-east-2' \
+            --secret-id "${AWS_SIGNING_CERT_SECRET_NAME}" \
+            --query SecretString \
+            --output text)
+
+          keys=$(echo "$secret_json" | jq -r 'keys[]')
+          for key in $keys; do
+            value=$(echo "$secret_json" | jq -r --arg k "$key" '.[$k]')
+            echo "::add-mask::$value"
+            echo "$key=$(printf '%s' "$value")" >> "$GITHUB_ENV"
+            echo "✅ Set secret for key: $key"
+          done
+
       - name: Install dependencies
         run: |
           echo "📦 Installing dependencies..."
@@ -238,14 +284,23 @@ jobs:
 
       - name: Build & Push EAS Update via build.sh
         env:
-          EXPO_KEY_PRIV: ${{ secrets.EXPO_KEY_PRIV }}
-          # Skip linting during Metro transform in CI (linting already done separately)
           SKIP_TRANSFORM_LINT: 'true'
           # Increase Node heap to avoid OOM during Expo export in CI
           NODE_OPTIONS: '--max_old_space_size=8192'
           # Disable LavaMoat sandbox to prevent duplicate bundle executions in CI
           EXPO_NO_LAVAMOAT: '1'
         run: |
+          echo "📦 Configuring EXPO key..."
+          if [[ -z "$EXPO_KEY_PRIV_B64" ]]; then
+            echo "⚠️ EXPO_KEY_PRIV_B64 is not set. Skipping keystore decoding."
+            exit 1
+          fi
+
+          # Decode the key
+          EXPO_KEY_PRIV=$(echo "$EXPO_KEY_PRIV_B64" | base64 --decode)
+          export EXPO_KEY_PRIV
+          echo "✅ Expo key decoded and exported"
+
           echo "🚀 Pushing EAS update for channel: ${TARGET_CHANNEL}"
           case "${TARGET_CHANNEL}" in
             exp)
