chore: enable auto RC builds (#23379)

joaoloureirop · Copilot · metamaskbot · web-flow · commit 5ec97dfa00ba · 2026-01-15T17:25:46.000Z
## **Description**  This PR introduces automation for Release Candidate (RC) builds by adding GitHub Actions workflows that integrate with Bitrise CI/CD. It enables both manual and automatic RC build triggering, streamlines version bumping, and removes redundant build steps from the Bitrise pipeline. ### Key Changes #### New GitHub Actions Workflows 1. **`build-rc-create.yml`** - Manual RC Build Workflow - Triggered via `workflow_dispatch` with semantic version input - Automatically bumps build version before triggering builds - Triggers Bitrise RC pipeline for both iOS and Android 2. **`build-rc-auto.yml`** - Automatic RC Build Workflow - Triggers on pushes to `release/*` branches - Only runs when the associated PR has the `auto-rc-builds` label - Validates branch naming (semantic versioning format) - Automatically bumps version and triggers Bitrise builds #### Enhanced Workflow Reusability - **`update-latest-build-version.yml`** - Now supports `workflow_call` - Can be invoked by other workflows as a reusable action - Exposes outputs: `build-version` and `commit-hash` #### New Build Script - **`.github/scripts/rc-builds.sh`** - Bitrise Build Trigger Script - Triggers Bitrise `pr_rc_rwy_pipeline` via API - Waits for build completion (40-minute timeout) - Retrieves and displays build artifacts and public URLs - Validates required environment variables #### Bitrise Configuration Updates - **`bitrise.yml`** - Removed redundant version bumping step - Removed `bump_version_code` dependency from `pr_rc_rwy_pipeline` - Version bumping now handled by GitHub Actions before triggering Bitrise - Build workflows (`build_ios_rc_and_upload_sourcemaps`, `build_android_rc_and_upload_sourcemaps`) now depend directly on `pr_check_build_cache` ### Usage **Manual RC Build:** 1. Navigate to Actions → "Create RC builds" 2. Click "Run workflow" 3. Enter semantic version (e.g., `7.62.0`) 4. Workflow handles version bumping and Bitrise trigger automatically **Automatic RC Build:** 1. Create/update a release branch (e.g., `release/7.62.0`) 2. Add `auto-rc-builds` label to the associated PR 3. Push commits to the release branch 4. Workflow automatically triggers RC builds ## **Changelog**  CHANGELOG entry: null ## **Related issues** Fixes: #23068 ## **Manual testing steps** ```gherkin Feature: my feature name Scenario: user [verb for user action] Given [describe expected initial app state] When user [verb for user action] Then [describe expected outcome] ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  ## **Pre-merge author checklist** - [x] I’ve followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I’ve included tests if applicable - [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [x] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [x] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > Introduces end-to-end automation for RC builds via GitHub Actions and Bitrise. > > - New workflows `build-rc-auto.yml` (label-gated on `release/*` pushes) and `build-rc-create.yml` (manual) that bump versions then trigger Bitrise `pr_rc_rwy_pipeline` > - Reusable `update-latest-build-version.yml` now supports `workflow_call` and exposes `build-version` and `commit-hash`; commits bumped files and pushes > - New script `.github/scripts/rc-builds.sh` triggers Bitrise, waits for completion, and surfaces artifact info (Android public link) > - Bitrise `bitrise.yml`: remove `bump_version_code` dependency from `pr_rc_rwy_pipeline`; keep `build_ios_rc_and_upload_sourcemaps` and `build_android_rc_and_upload_sourcemaps` dependent on `pr_check_build_cache`; minor whitespace/comment tidy > - Version bumps: Android `versionCode` to `3432`; iOS `CURRENT_PROJECT_VERSION` to `3432`; env vars `VERSION_NUMBER`/`FLASK_VERSION_NUMBER` updated accordingly > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit fc29a62. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: metamaskbot <metamaskbot@users.noreply.github.com>
diff --git a/.github/scripts/rc-builds.sh b/.github/scripts/rc-builds.sh
@@ -0,0 +1,126 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Validate required environment variables
+: "${SEMVER:?SEMVER environment variable must be set}"
+: "${BUILD_NUMBER:?BUILD_NUMBER environment variable must be set}"
+: "${BITRISE_APP_ID:?BITRISE_APP_ID environment variable must be set}"
+: "${BITRISE_BUILD_TRIGGER_TOKEN:?BITRISE_BUILD_TRIGGER_TOKEN environment variable must be set}"
+: "${BITRISE_API_TOKEN:?BITRISE_API_TOKEN environment variable must be set}"
+: "${COMMIT_HASH:?COMMIT_HASH environment variable must be set}"
+: "${GH_REF_NAME:?GH_REF_NAME environment variable must be set}"
+
+# Additional validation for semver format
+if ! [[ "${SEMVER:-}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+  echo "Error: SEMVER must be numeric X.Y.Z format, got: ${SEMVER:-<empty>}" >&2
+  exit 1
+fi
+
+METAMASK_WORKFLOW="pr_rc_rwy_pipeline"
+
+# Use jq to safely construct JSON payload
+JSON_PAYLOAD=$(jq -n \
+  --arg branch "$GH_REF_NAME" \
+  --arg pipeline_id "$METAMASK_WORKFLOW" \
+  --arg commit_message "RC build ${SEMVER}(${BUILD_NUMBER})" \
+  --arg commit_hash "$COMMIT_HASH" \
+  --arg build_trigger_token "$BITRISE_BUILD_TRIGGER_TOKEN" \
+  '{
+    "build_params": {
+      "branch": $branch,
+      "pipeline_id": $pipeline_id,
+      "commit_message": $commit_message,
+      "commit_hash": $commit_hash
+    },
+    "hook_info": {
+      "type": "bitrise",
+      "build_trigger_token": $build_trigger_token
+    },
+    "triggered_by": "GitHub Actions RC Build"
+  }')
+
+BUILD_RESPONSE=$(curl -s -X POST \
+  "https://app.bitrise.io/app/$BITRISE_APP_ID/build/start.json" \
+  -H "Content-Type: application/json" \
+  -d "$JSON_PAYLOAD")
+
+echo "Build response: $BUILD_RESPONSE"
+BUILD_SLUG=$(echo "$BUILD_RESPONSE" | jq -r '.build_slug')
+echo "Build slug: $BUILD_SLUG"
+
+if [[ -z "$BUILD_SLUG" || "$BUILD_SLUG" == "null" ]]; then
+  echo "Error: Failed to get build slug"
+  echo "Full response: $BUILD_RESPONSE"
+  exit 1
+fi
+
+# Wait for the workflow to complete
+echo "Waiting for $METAMASK_WORKFLOW to complete..."
+TIMEOUT=2400  # 40 minutes
+ELAPSED=0
+
+while [ $ELAPSED -lt $TIMEOUT ]; do
+  BUILD_RESPONSE=$(curl -s -H "Authorization: $BITRISE_API_TOKEN" \
+    "https://api.bitrise.io/v0.1/apps/$BITRISE_APP_ID/pipelines/$BUILD_SLUG")
+
+  BUILD_STATUS=$(echo "$BUILD_RESPONSE" | jq -r '.status')
+  echo "Build status: $BUILD_STATUS (elapsed: ${ELAPSED}s)"
+
+  # Check for successful completion (status 1 or success/succeeded)
+  if [ "$BUILD_STATUS" = "1" ] || [ "$BUILD_STATUS" = "success" ] || [ "$BUILD_STATUS" = "succeeded" ]; then
+    echo "Build completed successfully"
+    break
+  elif [ "$BUILD_STATUS" = "0" ] || [ "$BUILD_STATUS" = "in_progress" ] || [ "$BUILD_STATUS" = "running" ]; then
+    echo "Build is in progress..."
+  elif [ "$BUILD_STATUS" = "2" ] || [ "$BUILD_STATUS" = "failed" ] || [ "$BUILD_STATUS" = "aborted" ]; then
+    echo "Build failed with status: $BUILD_STATUS"
+    exit 1
+  elif [ "$BUILD_STATUS" = "initializing" ]; then
+    echo "Build has started..."
+  else
+    echo "Unknown build status: $BUILD_STATUS"
+  fi
+
+  sleep 30
+  ELAPSED=$((ELAPSED + 30))
+done
+
+if [ "$ELAPSED" -ge "$TIMEOUT" ]; then
+  echo "Timeout waiting for build to complete"
+  echo "Final build status: $BUILD_STATUS"
+  echo "Build slug: $BUILD_SLUG"
+  exit 1
+fi
+
+# Android workflow slug
+ANDROID_WORKFLOW_ID=$(echo "$BUILD_RESPONSE" | jq -r '.workflows | .[] | select(.name=="build_android_rc_and_upload_sourcemaps") | .external_id')
+IOS_WORKFLOW_ID=$(echo "$BUILD_RESPONSE" | jq -r '.workflows | .[] | select(.name=="build_ios_rc_and_upload_sourcemaps") | .external_id')
+
+if [[ -z "$ANDROID_WORKFLOW_ID" || "$ANDROID_WORKFLOW_ID" == "null" ]]; then
+  echo "Error: Failed to get Android workflow ID"
+  exit 1
+fi
+
+if [[ -z "$IOS_WORKFLOW_ID" || "$IOS_WORKFLOW_ID" == "null" ]]; then
+  echo "Error: Failed to get iOS workflow ID"
+  exit 1
+fi
+ANDROID_ARTIFACTS=$(curl -s -H "Authorization: $BITRISE_API_TOKEN" \
+  "https://api.bitrise.io/v0.1/apps/$BITRISE_APP_ID/builds/$ANDROID_WORKFLOW_ID/artifacts")
+
+ANDROID_ARTIFACT_ID=$(echo "$ANDROID_ARTIFACTS" | jq -r '.data | .[] | select(.is_public_page_enabled==true) | .slug')
+
+if [[ -z "$ANDROID_ARTIFACT_ID" || "$ANDROID_ARTIFACT_ID" == "null" ]]; then
+  echo "Warning: No public Android artifact found"
+  ANDROID_PUBLIC_URL="N/A"
+else
+  ANDROID_APK=$(curl -s -H "Authorization: $BITRISE_API_TOKEN" \
+    "https://api.bitrise.io/v0.1/apps/$BITRISE_APP_ID/builds/$ANDROID_WORKFLOW_ID/artifacts/$ANDROID_ARTIFACT_ID")
+  ANDROID_PUBLIC_URL=$(echo "$ANDROID_APK" | jq -r '.data.public_install_page_url')
+fi
+echo "Pipeline ID: $BUILD_SLUG"
+echo "Android build ID: $ANDROID_WORKFLOW_ID"
+echo "iOS Build ID: $IOS_WORKFLOW_ID"
+echo "Android public link: $ANDROID_PUBLIC_URL"
+echo "Build number: $BUILD_NUMBER"
diff --git a/.github/workflows/build-rc-auto.yml b/.github/workflows/build-rc-auto.yml
@@ -0,0 +1,112 @@
+##############################################################################################
+#
+# This Workflow is responsible for triggering release candidate builds (iOS & Android).
+# It runs on every commit pushed to a release branch, but only when the release PR
+# has the 'auto-rc-builds' label.
+#
+##############################################################################################
+name: Auto RC builds
+
+on:
+  push:
+    branches:
+      - 'release/*'
+
+
+jobs:
+  validate-and-check-label:
+    name: Validate branch and check PR label
+    runs-on: ubuntu-latest
+    outputs:
+      semver: ${{ steps.extract-version.outputs.semver }}
+      has-label: ${{ steps.check-label.outputs.has-label }}
+      branch-name: ${{ steps.extract-version.outputs.branch-name }}
+    permissions:
+      pull-requests: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+
+      - name: Extract semver from branch name
+        id: extract-version
+        run: |
+          BRANCH_NAME="${{ github.ref_name }}"
+          echo "Checking branch: $BRANCH_NAME"
+          echo "branch-name=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
+
+          # Validate branch matches release/x.y.z format (semantic versioning)
+          if [[ "$BRANCH_NAME" =~ ^release/[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            VERSION="${BRANCH_NAME#release/}"
+            echo "Valid release branch detected: $BRANCH_NAME (version: $VERSION)"
+            echo "semver=$VERSION" >> "$GITHUB_OUTPUT"
+          else
+            echo "Branch '$BRANCH_NAME' does not match release/x.y.z pattern. Skipping."
+            echo "semver=" >> "$GITHUB_OUTPUT"
+            exit 1
+          fi
+
+      - name: Find PR and check for auto-rc-builds label
+        id: check-label
+        run: |
+          BRANCH_NAME="${{ github.ref_name }}"
+          echo "Looking for PR with head branch: $BRANCH_NAME"
+
+          # Find PRs where the head branch matches our release branch
+          PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --json number --jq '.[0].number' || echo "")
+
+          if [[ -z "$PR_NUMBER" ]]; then
+            echo "No PR found for branch $BRANCH_NAME. Skipping."
+            echo "has-label=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "Found PR #$PR_NUMBER"
+
+          # Check if PR has the auto-rc-builds label
+          LABELS=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name' || echo "")
+          if echo "$LABELS" | grep -qx "auto-rc-builds"; then
+            echo "PR #$PR_NUMBER has 'auto-rc-builds' label. Proceeding with build."
+            echo "has-label=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "PR #$PR_NUMBER does not have 'auto-rc-builds' label. Skipping build."
+            echo "has-label=false" >> "$GITHUB_OUTPUT"
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  bump-version:
+    uses: ./.github/workflows/update-latest-build-version.yml
+    needs: validate-and-check-label
+    if: needs.validate-and-check-label.outputs.has-label == 'true'
+    with:
+      base-branch: ${{ github.ref_name }}
+    secrets:
+      PR_TOKEN: ${{ secrets.PR_TOKEN }}
+    permissions:
+      id-token: write
+      contents: write
+
+  trigger-rc-build:
+    runs-on: ubuntu-latest
+    needs:
+      - validate-and-check-label
+      - bump-version
+    if: needs.validate-and-check-label.outputs.has-label == 'true'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.ref }}
+      - name: Trigger RC Build
+        env:
+          SEMVER: ${{ needs.validate-and-check-label.outputs.semver }}
+          GH_REF_NAME: ${{ github.ref_name }}
+          COMMIT_HASH: ${{ needs.bump-version.outputs.commit-hash }}
+          BUILD_NUMBER: ${{ needs.bump-version.outputs.build-version }}
+          BITRISE_APP_ID: ${{ secrets.BITRISE_APP_ID }}
+          BITRISE_BUILD_TRIGGER_TOKEN: ${{ secrets.BITRISE_BUILD_TRIGGER_TOKEN }}
+          BITRISE_API_TOKEN: ${{ secrets.BITRISE_API_TOKEN }}
+        run: ./.github/scripts/rc-builds.sh
diff --git a/.github/workflows/build-rc-create.yml b/.github/workflows/build-rc-create.yml
@@ -0,0 +1,73 @@
+##############################################################################################
+#
+# This Workflow is responsible for triggering release candidate builds (iOS & Android).
+# You need to provide the semantic version of the release and the release branch
+# must exist on the repository
+#
+##############################################################################################
+name: Create RC builds
+
+on:
+  workflow_dispatch:
+    inputs:
+      semver:
+        description: 'release version'
+        required: true
+jobs:
+  validate-input:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate semver input
+        env:
+          SEMVER: ${{ inputs.semver }}
+        run: |
+          set -euo pipefail
+
+          echo "Provided semver input: ${SEMVER}"
+          # Validate semver format (X.Y.Z where X, Y, Z are digits)
+          if ! [[ "${SEMVER:-}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "Error: semver must be numeric X.Y.Z format, got: ${SEMVER:-<empty>}" >&2
+            exit 1
+          fi
+
+          BRANCH_NAME="release/${SEMVER}"
+          if [[ "$BRANCH_NAME" =~ [^a-zA-Z0-9._/-] ]]; then
+            echo "Error: semver contains invalid characters for branch name" >&2
+            exit 1
+          fi
+
+          echo "Semver validation passed: ${SEMVER}"
+          echo "Branch name: ${BRANCH_NAME}"
+
+  bump-version:
+    needs: validate-input
+    uses: ./.github/workflows/update-latest-build-version.yml
+    with:
+      base-branch: release/${{ inputs.semver }}
+    secrets:
+      PR_TOKEN: ${{ secrets.PR_TOKEN }}
+    permissions:
+      id-token: write
+      contents: write
+
+  trigger-rc-build:
+    runs-on: ubuntu-latest
+    needs:
+      - validate-input
+      - bump-version
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: release/${{ inputs.semver }}
+      - name: Trigger RC Build
+        env:
+          SEMVER: ${{ inputs.semver }}
+          GH_REF_NAME: release/${{ inputs.semver }}
+          COMMIT_HASH: ${{ needs.bump-version.outputs.commit-hash }}
+          BUILD_NUMBER: ${{ needs.bump-version.outputs.build-version }}
+          BITRISE_APP_ID: ${{ secrets.BITRISE_APP_ID }}
+          BITRISE_BUILD_TRIGGER_TOKEN: ${{ secrets.BITRISE_BUILD_TRIGGER_TOKEN }}
+          BITRISE_API_TOKEN: ${{ secrets.BITRISE_API_TOKEN }}
+        run: ./.github/scripts/rc-builds.sh
diff --git a/.github/workflows/update-latest-build-version.yml b/.github/workflows/update-latest-build-version.yml
@@ -13,6 +13,24 @@ on:
       base-branch:
         description: 'The base branch, tag, or SHA for git operations and the pull request.'
         required: true
+        type: string
+  workflow_call:
+    inputs:
+      base-branch:
+        description: 'The base branch, tag, or SHA for git operations and the pull request.'
+        required: true
+        type: string
+    secrets:
+      PR_TOKEN:
+        description: 'GitHub token for checkout and push operations.'
+        required: true
+    outputs:
+      build-version:
+        description: 'Generated build version number'
+        value: ${{ jobs.generate-build-version.outputs.build-version }}
+      commit-hash:
+        description: 'Commit hash with build version bumped'
+        value: ${{ jobs.bump-version.outputs.commit-hash }}
 jobs:
   generate-build-version:
     uses: MetaMask/metamask-mobile-build-version/.github/workflows/metamask-mobile-build-version.yml@v0.3.0
@@ -22,24 +40,29 @@ jobs:
   bump-version:
     runs-on: ubuntu-latest
     needs: generate-build-version
+    outputs:
+      commit-hash: ${{ steps.bump-build-version.outputs.commit-hash }}
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
           ref: ${{ inputs.base-branch }}
-          token: ${{ secrets.PR_TOKEN }}
-
-      - name: Bump script
+          token: ${{ secrets.PR_TOKEN || github.token }}
+      - name: Bump build version
+        id: bump-build-version
+        shell: bash
         env:
+          BUILD_NUMBER: ${{ needs.generate-build-version.outputs.build-version }}
           HEAD_REF: ${{ inputs.base-branch }}
         run: |
-          ./scripts/set-build-version.sh ${{ needs.generate-build-version.outputs.build-version }}
+          ./scripts/set-build-version.sh "$BUILD_NUMBER"
           git diff
           git config user.name metamaskbot
           git config user.email metamaskbot@users.noreply.github.com
           git add bitrise.yml
           git add package.json
           git add ios/MetaMask.xcodeproj/project.pbxproj
           git add android/app/build.gradle
-          git commit -m "[skip ci] Bump version number to ${{ needs.generate-build-version.outputs.build-version }}"
+          git commit -m "[skip ci] Bump version number to ${BUILD_NUMBER}"
           git push origin HEAD:"$HEAD_REF" --force-with-lease
+          echo "commit-hash=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
diff --git a/bitrise.yml b/bitrise.yml
