chore(runway): cherry-pick chore: validate env expo (#25481)

- chore: validate env expo cp-7.63.0 (#25415)

<!--
Please submit this PR as a draft initially.
Do not mark it as "Ready for review" until the template has been
completely filled out, and PR status checks have passed at least once.
-->

## **Description**
- Move creating .env from push-eas-update.yml to build.sh
- Have eas push platform as an input so we can choose to push to all,
ios or android

## **Changelog**

<!--
If this PR is not End-User-Facing and should not show up in the
CHANGELOG, you can choose to either:
1. Write `CHANGELOG entry: null`
2. Label with `no-changelog`

If this PR is End-User-Facing, please write a short User-Facing
description in the past tense like:
`CHANGELOG entry: Added a new tab for users to see their NFTs`
`CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker`

(This helps the Release Engineer do their job more quickly and
accurately)
-->

CHANGELOG entry: null


## **Related issues**

Fixes:

## **Manual testing steps**

```gherkin
Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]
```

## **Screenshots/Recordings**

<!-- If applicable, add screenshots and/or recordings to visualize the
before and after of your change. -->

### **Before**

<!-- [screenshots/recordings] -->

### **After**

<!-- [screenshots/recordings] -->

## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding

Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I've applied the right labels on the PR (see [labeling

guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [x] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [x] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes the automation that publishes EAS OTA updates by altering
required env validation and how updates are executed per platform, so
misconfiguration could block releases. No product/runtime logic changes,
but CI deployment behavior is affected.
> 
> **Overview**
> Adds a `platform` input to the `push-eas-update` GitHub workflow and
plumbs it through as `OTA_PUSH_PLATFORM` so release operators can
publish OTA updates to `ios`, `android`, or `all`.
> 
> Moves Expo-update environment preparation into `scripts/build.sh` by
generating and sourcing a `.env` from selected CI variables (and
exporting to `GITHUB_ENV`), tightens Expo credential validation (fails
fast on missing `EXPO_TOKEN`), and publishes iOS/Android updates
sequentially with per-platform error reporting. Also removes
`EXPO_NO_LAVAMOAT` from the workflow and hardens Sentry auth token
injection by using a safer `sed` delimiter.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
fd79d6c. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: sethkfman <seth.kaufman@consensys.net>
[7e6bee4](7e6bee4)

Co-authored-by: Wei Sun <wei.sun@consensys.net>
Co-authored-by: sethkfman <seth.kaufman@consensys.net>

Author: 3 people

.github/workflows/push-eas-update.yml

@@ -28,6 +28,15 @@ on:
           - rc
           - production
         default: exp
+      platform:
+        description: 'Platform to update (all, ios, android)'
+        required: true
+        type: choice
+        options:
+          - all
+          - ios
+          - android
+        default: all
 
 permissions:
   contents: read
@@ -39,6 +48,7 @@ env:
   BASE_BRANCH_REF: ${{ inputs.base_branch }}
   UPDATE_MESSAGE: ${{ inputs.message }}
   TARGET_CHANNEL: ${{ inputs.channel }}
+  OTA_PUSH_PLATFORM: ${{ inputs.platform }}
 
 jobs:
   setup-dependencies:
@@ -396,8 +406,6 @@ jobs:
           SKIP_TRANSFORM_LINT: 'true'
           # Increase Node heap to avoid OOM during Expo export in CI
           NODE_OPTIONS: '--max_old_space_size=8192'
-          # Disable LavaMoat sandbox to prevent duplicate bundle executions in CI
-          EXPO_NO_LAVAMOAT: '1'
         run: |
           echo "📦 Configuring EXPO key..."
           if [[ -z "$EXPO_KEY_PRIV_B64" ]]; then

scripts/build.sh

@@ -628,53 +628,194 @@ generateAndroidBinary() {
 	cd ..
 }
 
-buildExpoUpdate() {
-		echo "Build Expo Update $METAMASK_BUILD_TYPE started..."
-
-		if [ -z "${EXPO_TOKEN}" ]; then
-			echo "EXPO_TOKEN is NOT set in build.sh env"
-		else
-			echo "EXPO_TOKEN is set in build.sh env (value masked by GitHub Actions logs)"
+createEnvFile() {
+	echo "📝 Creating .env file from environment variables..."
+
+	# List of environment variable names to export
+	local ENV_VARS=(
+		"MM_MUSD_CONVERSION_FLOW_ENABLED"
+		"MM_NETWORK_UI_REDESIGN_ENABLED"
+		"MM_NOTIFICATIONS_UI_ENABLED"
+		"MM_PERMISSIONS_SETTINGS_V1_ENABLED"
+		"MM_PERPS_BLOCKED_REGIONS"
+		"MM_PERPS_ENABLED"
+		"MM_PERPS_HIP3_ALLOWLIST_MARKETS"
+		"MM_PERPS_HIP3_BLOCKLIST_MARKETS"
+		"MM_PERPS_HIP3_ENABLED"
+		"MM_SECURITY_ALERTS_API_ENABLED"
+		"BRIDGE_USE_DEV_APIS"
+		"SEEDLESS_ONBOARDING_ENABLED"
+		"RAMP_INTERNAL_BUILD"
+		"FEATURES_ANNOUNCEMENTS_ACCESS_TOKEN"
+		"FEATURES_ANNOUNCEMENTS_SPACE_ID"
+		"SEGMENT_WRITE_KEY"
+		"SEGMENT_PROXY_URL"
+		"SEGMENT_DELETE_API_SOURCE_ID"
+		"SEGMENT_REGULATIONS_ENDPOINT"
+		"MM_SENTRY_DSN"
+		"MM_SENTRY_AUTH_TOKEN"
+		"IOS_GOOGLE_CLIENT_ID"
+		"IOS_GOOGLE_REDIRECT_URI"
+		"ANDROID_APPLE_CLIENT_ID"
+		"ANDROID_GOOGLE_CLIENT_ID"
+		"ANDROID_GOOGLE_SERVER_CLIENT_ID"
+		"MM_INFURA_PROJECT_ID"
+		"MM_BRANCH_KEY_LIVE"
+		"MM_BRANCH_KEY_TEST"
+		"MM_CARD_BAANX_API_CLIENT_KEY"
+		"WALLET_CONNECT_PROJECT_ID"
+		"MM_FOX_CODE"
+		"FCM_CONFIG_API_KEY"
+		"FCM_CONFIG_AUTH_DOMAIN"
+		"FCM_CONFIG_STORAGE_BUCKET"
+		"FCM_CONFIG_PROJECT_ID"
+		"FCM_CONFIG_MESSAGING_SENDER_ID"
+		"FCM_CONFIG_APP_ID"
+		"FCM_CONFIG_MEASUREMENT_ID"
+		"QUICKNODE_MAINNET_URL"
+		"QUICKNODE_ARBITRUM_URL"
+		"QUICKNODE_AVALANCHE_URL"
+		"QUICKNODE_BASE_URL"
+		"QUICKNODE_LINEA_MAINNET_URL"
+		"QUICKNODE_MONAD_URL"
+		"QUICKNODE_OPTIMISM_URL"
+		"QUICKNODE_POLYGON_URL"
+	)
+
+	# Create .env file and export to GITHUB_ENV
+	> .env
+	local exported_count=0
+	for var in "${ENV_VARS[@]}"; do
+		# Check if variable is set (defined), not just non-empty
+		# This allows explicitly empty strings to be written to .env
+		if [ -n "${!var+x}" ]; then
+			value="${!var}"
+			echo "${var}=${value}" >> .env
+			
+			# Export to GITHUB_ENV if running in GitHub Actions
+			if [ -n "${GITHUB_ENV:-}" ]; then
+				echo "${var}=${value}" >> "$GITHUB_ENV"
+			fi
+			
+			exported_count=$((exported_count + 1))
 		fi
+	done
 
-		# Validate required Expo Update environment variables
-		if [ -z "${EXPO_CHANNEL}" ]; then
-			echo "::error title=Missing EXPO_CHANNEL::EXPO_CHANNEL environment variable is not set. Cannot publish update." >&2
-			exit 1
-		fi
+	echo "📄 .env file created with ${exported_count} variables"
+}
+
+buildExpoUpdate() {
+	echo "Build Expo Update $METAMASK_BUILD_TYPE started..."
+	
+	# Create .env file and export environment variables
+	createEnvFile
+	
+	# Verify .env file was created and source it
+	if [ -f ".env" ]; then
+		echo "✅ .env file exists at $(pwd)/.env"
+		echo "📊 .env file contains $(wc -l < .env | tr -d ' ') lines"
+		# Show first few variables (without values for security)
+		echo "📝 Sample variables in .env:"
+		head -n 5 .env | cut -d= -f1 | sed 's/^/  - /'
+		
+		# Source the .env file to ensure variables are loaded
+		echo "🔄 Sourcing .env file to load variables..."
+		set -a  # automatically export all variables
+		source .env
+		set +a  # turn off automatic export
+		echo "✅ .env file sourced successfully"
+	else
+		echo "⚠️ WARNING: .env file was not created!"
+	fi
+	
+	if [ -z "${EXPO_TOKEN}" ]; then
+		echo "::error title=Missing EXPO_TOKEN::EXPO_TOKEN secret is not configured. Cannot authenticate with Expo." >&2
+		exit 1
+	fi
+
+	# Validate required Expo Update environment variables
+	if [ -z "${EXPO_CHANNEL}" ]; then
+		echo "::error title=Missing EXPO_CHANNEL::EXPO_CHANNEL environment variable is not set. Cannot publish update." >&2
+		exit 1
+	fi
 
 		if [ -z "${EXPO_KEY_PRIV}" ]; then
 			echo "::error title=Missing EXPO_KEY_PRIV::EXPO_KEY_PRIV secret is not configured. Cannot sign update." >&2
 			exit 1
 		fi
 
-		# Prepare Expo update signing key
-		mkdir -p keys
-		echo "Writing Expo private key to ./keys/private-key.pem"
-		printf '%s' "${EXPO_KEY_PRIV}" > keys/private-key.pem
+	# Prepare Expo update signing key
+	mkdir -p keys
+	echo "Writing Expo private key to ./keys/private-key.pem"
+	printf '%s' "${EXPO_KEY_PRIV}" > keys/private-key.pem
 
-		if [ ! -f keys/private-key.pem ]; then
-			echo "::error title=Missing signing key::keys/private-key.pem not found. Ensure the signing key step ran successfully." >&2
-			exit 1
-		fi
+	if [ ! -f keys/private-key.pem ]; then
+		echo "::error title=Missing signing key::keys/private-key.pem not found. Ensure the signing key step ran successfully." >&2
+		exit 1
+	fi
 
-		echo "🚀 Publishing EAS update..."
+	echo "🚀 Publishing EAS update..."
 
-		echo "ℹ️ Git head: $(git rev-parse HEAD)"
-		echo "ℹ️ Checking for eas script in package.json..."
-		if ! grep -q '"eas": "eas"' package.json; then
-			echo "::error title=Missing eas script::package.json does not include an \"eas\" script. Commit hash: $(git rev-parse HEAD)." >&2
-			exit 1
-		fi
+	echo "ℹ️ Git head: $(git rev-parse HEAD)"
+	echo "ℹ️ Checking for eas script in package.json..."
+	if ! grep -q '"eas": "eas"' package.json; then
+		echo "::error title=Missing eas script::package.json does not include an \"eas\" script. Commit hash: $(git rev-parse HEAD)." >&2
+		exit 1
+	fi
+
+	echo "ℹ️ Available yarn scripts containing eas:"
+	yarn run --json | grep '"name":"eas"' || true
 
-		echo "ℹ️ Available yarn scripts containing eas:"
-		yarn run --json | grep '"name":"eas"' || true
+	# Run platforms based on OTA_PUSH_PLATFORM environment variable (default: all)
+	# Run sequentially to avoid LavaMoat lockdown serializer conflicts
+	# when bundling multiple platforms simultaneously
+	OTA_PUSH_PLATFORM="${OTA_PUSH_PLATFORM:-all}"
+	
+	# Track exit codes to ensure failures propagate
+	local ios_exit_code=0
+	local android_exit_code=0
+	
+	if [ "$OTA_PUSH_PLATFORM" = "all" ] || [ "$OTA_PUSH_PLATFORM" = "ios" ]; then
+		echo "📱 Publishing iOS update..."
+		yarn run eas update \
+			--platform ios \
+			--channel "${EXPO_CHANNEL}" \
+			--private-key-path "./keys/private-key.pem" \
+			--message "${UPDATE_MESSAGE}" \
+			--non-interactive
+		ios_exit_code=$?
+		
+		if [ $ios_exit_code -ne 0 ]; then
+			echo "::error title=iOS update failed::iOS EAS update command failed with exit code ${ios_exit_code}" >&2
+		fi
+	fi
 
+	if [ "$OTA_PUSH_PLATFORM" = "all" ] || [ "$OTA_PUSH_PLATFORM" = "android" ]; then
+		echo "🤖 Publishing Android update..."
 		yarn run eas update \
+			--platform android \
 			--channel "${EXPO_CHANNEL}" \
 			--private-key-path "./keys/private-key.pem" \
 			--message "${UPDATE_MESSAGE}" \
 			--non-interactive
+		android_exit_code=$?
+		
+		if [ $android_exit_code -ne 0 ]; then
+			echo "::error title=Android update failed::Android EAS update command failed with exit code ${android_exit_code}" >&2
+		fi
+	fi
+
+	# Check for failures and exit accordingly
+	if [ $ios_exit_code -ne 0 ] || [ $android_exit_code -ne 0 ]; then
+		echo "::error title=EAS update failed::One or more platform updates failed. iOS exit code: ${ios_exit_code}, Android exit code: ${android_exit_code}" >&2
+		exit 1
+	fi
+	
+	if [ "$OTA_PUSH_PLATFORM" = "all" ]; then
+		echo "✅ EAS updates published for both platforms"
+	else
+		echo "✅ EAS update published for ${OTA_PUSH_PLATFORM}"
+	fi
 }
 
 buildAndroid() {
@@ -778,7 +919,8 @@ checkAuthToken() {
 	local propertiesFileName="$1"
 
 	if [ -n "${MM_SENTRY_AUTH_TOKEN}" ]; then
-		sed -i'' -e "s/auth.token.*/auth.token=${MM_SENTRY_AUTH_TOKEN}/" "./${propertiesFileName}";
+		# Use | as delimiter to avoid conflicts with special characters in auth token (e.g., /)
+		sed -i'' -e "s|auth.token.*|auth.token=${MM_SENTRY_AUTH_TOKEN}|" "./${propertiesFileName}";
 	elif ! grep -qE '^auth.token=[[:alnum:]]+$' "./${propertiesFileName}"; then
 		if [ "$METAMASK_ENVIRONMENT" == "production" ]; then
 			printError "Missing auth token in '${propertiesFileName}'; add the token, or set it as MM_SENTRY_AUTH_TOKEN"
@@ -791,7 +933,8 @@ checkAuthToken() {
 	if [ ! -e "./${propertiesFileName}" ]; then
 		if [ -n "${MM_SENTRY_AUTH_TOKEN}" ]; then
 			cp "./${propertiesFileName}.example" "./${propertiesFileName}"
-			sed -i'' -e "s/auth.token.*/auth.token=${MM_SENTRY_AUTH_TOKEN}/" "./${propertiesFileName}";
+			# Use | as delimiter to avoid conflicts with special characters in auth token (e.g., /)
+			sed -i'' -e "s|auth.token.*|auth.token=${MM_SENTRY_AUTH_TOKEN}|" "./${propertiesFileName}";
 		else
 			if [ "$METAMASK_ENVIRONMENT" == "production" ]; then
 				printError "Missing '${propertiesFileName}' file (see '${propertiesFileName}.example' or set MM_SENTRY_AUTH_TOKEN to generate)"