Merge branch 'main' into remove-quick-action-buttons-temp-component

Author: AndyMBridges

.github/workflows/build-and-upload-to-testflight.yml

@@ -24,6 +24,11 @@ on:
         required: false
         type: boolean
         default: false
+      runner_provider:
+        description: Runner provider forwarded from the caller
+        required: false
+        type: string
+        default: current
   workflow_dispatch:
     inputs:
       source_branch:
@@ -54,6 +59,14 @@ on:
         required: false
         type: boolean
         default: false
+      runner_provider:
+        description: Runner provider for this manual trial run
+        required: false
+        type: choice
+        options:
+          - current
+          - namespace
+        default: current
 
 permissions:
   contents: write
@@ -75,6 +88,7 @@ jobs:
       platform: ios
       skip_version_bump: false
       source_branch: ${{ needs.prepare-build-branch.outputs.build_branch }}
+      runner_provider: ${{ inputs.runner_provider }}
     secrets: inherit
 
   upload-ios-testflight:
@@ -90,13 +104,14 @@ jobs:
       build_version: ${{ needs.build.outputs.semantic_version }}
       build_number: ${{ needs.build.outputs.ios_version_code }}
       distribute_external: ${{ inputs.distribute_external }}
+      runner_provider: ${{ inputs.runner_provider }}
     secrets: inherit
 
   cleanup-build-branch:
     name: Cleanup build branch
     needs: [prepare-build-branch, upload-ios-testflight]
     if: always()
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ci-linux' || 'ubuntu-latest' }}
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/build-ios-e2e.yml

@@ -145,7 +145,7 @@ jobs:
 
       - name: Restore Xcode derived data from branch cache
         id: xcode-restore-cache
-        if: ${{ steps.gate.outputs.needs-native-build == 'true' }}
+        if: ${{ steps.gate.outputs.needs-native-build == 'true' && inputs.runner_provider != 'namespace' }}
         # This action automatically updates the cache at the end of the workflow
         uses: cirruslabs/cache@bba69c6578b863ad0398ad40567bd2ef70290fe0 # v4
         with:
@@ -155,7 +155,7 @@ jobs:
           key: ${{ runner.os }}-xcode-${{ github.ref_name }}-${{ env.XCODE_CACHE_VERSION }}-${{ hashFiles('ios/**/*.{h,m,mm,swift}', 'ios/**/Podfile.lock', 'yarn.lock') }}
 
       - name: Restore Xcode derived data from main cache
-        if: ${{ steps.gate.outputs.needs-native-build == 'true' && steps.xcode-restore-cache.outputs.cache-hit != 'true' && github.ref_name != 'main' }}
+        if: ${{ steps.gate.outputs.needs-native-build == 'true' && steps.xcode-restore-cache.outputs.cache-hit != 'true' && github.ref_name != 'main' && inputs.runner_provider != 'namespace' }}
         id: xcode-restore-cache-main
         # This will only restore the cache, not update it
         uses: cirruslabs/cache/restore@bba69c6578b863ad0398ad40567bd2ef70290fe0 # v4
@@ -165,6 +165,14 @@ jobs:
             ios/build
           key: ${{ runner.os }}-xcode-main-${{ env.XCODE_CACHE_VERSION }}-${{ hashFiles('ios/**/*.{h,m,mm,swift}', 'ios/**/Podfile.lock', 'yarn.lock') }}
 
+      # Namespace's built-in cocoapods preset handles the CocoaPods cache paths upstream.
+      # Validated to work without a separate stale-state clear step (A/B tested 2026-05-11).
+      - name: Configure Namespace iOS cache
+        if: ${{ steps.gate.outputs.needs-native-build == 'true' && inputs.runner_provider == 'namespace' }}
+        uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1.4.3
+        with:
+          cache: cocoapods
+
       # Install Node.js, Xcode tools, and other iOS development dependencies.
       - name: Installing iOS Environment Setup
         if: ${{ steps.gate.outputs.needs-native-build == 'true' }}

.github/workflows/build-ios-upload-to-browserstack.yml

@@ -24,6 +24,11 @@ on:
         type: string
         description: 'Build variant for Bitrise (rc = release, exp = experimental)'
         default: 'rc'
+      runner_provider:
+        description: Runner provider forwarded from the caller
+        required: false
+        type: string
+        default: current
     outputs:
       with-srp-ipa-uploaded:
         description: 'Whether the with-SRP IPA was successfully uploaded'
@@ -49,6 +54,14 @@ on:
         description: 'Optional description for this build run'
         required: false
         type: string
+      runner_provider:
+        description: Runner provider for this manual trial run
+        required: false
+        type: choice
+        options:
+          - current
+          - namespace
+        default: current
 
 permissions:
   contents: read
@@ -65,7 +78,7 @@ env:
 jobs:
   check-builds-needed:
     name: Check if iOS builds are needed
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ci-linux' || 'ubuntu-latest' }}
     outputs:
       builds-needed: ${{ steps.check-builds.outputs.builds-needed }}
 
@@ -84,7 +97,7 @@ jobs:
 
   trigger-ios-with-srp-build:
     name: Trigger iOS with-SRP Build on Bitrise
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ci-linux' || 'ubuntu-latest' }}
     needs: [check-builds-needed]
     env:
       METAMASK_WORKFLOW: ${{ inputs.build_variant == 'exp' && 'build_ios_main_exp' || 'build_ios_main_rc' }}
@@ -221,7 +234,7 @@ jobs:
 
   trigger-ios-without-srp-build:
     name: Trigger iOS without-SRP Build on Bitrise
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ci-linux' || 'ubuntu-latest' }}
     needs: [check-builds-needed]
     env:
       METAMASK_WORKFLOW: ${{ inputs.build_variant == 'exp' && 'build_ios_main_exp' || 'build_ios_main_rc' }}
@@ -345,7 +358,7 @@ jobs:
 
   download-and-upload-to-browserstack:
     name: Download IPAs and Upload to BrowserStack
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ci-linux' || 'ubuntu-latest' }}
     needs: [check-builds-needed, trigger-ios-with-srp-build, trigger-ios-without-srp-build]
     if: (needs.trigger-ios-with-srp-build.result == 'success' || needs.trigger-ios-with-srp-build.result == 'partial_success') && (needs.trigger-ios-without-srp-build.result == 'success' || needs.trigger-ios-without-srp-build.result == 'partial_success')
     outputs:

.github/workflows/create-release-pr.yml

@@ -187,7 +187,7 @@ jobs:
 
       - name: Setup Node for changelog tooling
         if: needs.resolve-bases.outputs.is_ota == 'true' && steps.ota_release_pr.outputs.exists != 'true'
-        uses: ./github-tools/.github/actions/checkout-and-setup
+        uses: MetaMask/action-checkout-and-setup@v3
         with:
           is-high-risk-environment: true
 

.github/workflows/run-e2e-api-specs.yml

@@ -5,15 +5,30 @@ name: API Specs E2E Tests
 
 on:
   workflow_call:
+    inputs:
+      runner_provider:
+        description: Runner provider forwarded from the caller
+        required: false
+        type: string
+        default: current
   workflow_dispatch:
+    inputs:
+      runner_provider:
+        description: Runner provider for this manual trial run
+        required: false
+        type: choice
+        options:
+          - current
+          - namespace
+        default: current
   pull_request:
     types: [opened, synchronize]
 
 jobs:
   api-specs-ios:
     name: 'api-specs-ios'
     if: false
-    runs-on: macos-latest-xlarge
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ios-build' || 'macos-latest-xlarge' }}
     continue-on-error: true
 
     env:

.github/workflows/runway-ota-rc.yml

@@ -60,11 +60,30 @@ jobs:
       platform: all
     secrets: inherit
 
+  derive-slack-semver:
+    name: Derive Slack channel semver
+    needs: push-ota
+    if: success()
+    runs-on: ubuntu-latest
+    outputs:
+      semver: ${{ steps.derive.outputs.semver }}
+    steps:
+      - name: Derive semver from source branch
+        id: derive
+        run: |
+          BRANCH="${{ inputs.source_branch || github.ref_name }}"
+          BRANCH="${BRANCH#refs/heads/}"
+          # release/7.76.3-ota -> 7.76.3-ota
+          SEMVER="${BRANCH#release/}"
+          echo "semver=${SEMVER}" >> "$GITHUB_OUTPUT"
+          echo "Branch: $BRANCH, semver: $SEMVER"
+
   slack-notification:
     name: Slack RC Notification
-    needs: push-ota
+    needs: [push-ota, derive-slack-semver]
     if: success()
     uses: ./.github/workflows/slack-rc-notification.yml
     with:
       source_branch: ${{ inputs.source_branch || github.ref_name }}
+      semver: ${{ needs.derive-slack-semver.outputs.semver }}
     secrets: inherit

.github/workflows/triage-forwarder.yml

@@ -0,0 +1,51 @@
+name: Triage Agent Forwarder
+
+on:
+  issues:
+    types: [labeled]
+
+jobs:
+  forward:
+    runs-on: ubuntu-latest
+    if: github.event.label.name == 'ta-needs-triage'
+    permissions:
+      id-token: write
+    steps:
+      - name: Get OIDC Token
+        id: oidc
+        run: |
+          OIDC_TOKEN=$(curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://token-exchange-service" | jq -r '.value')
+          echo "::add-mask::$OIDC_TOKEN"
+          echo "oidc_token=$OIDC_TOKEN" >> "$GITHUB_OUTPUT"
+
+      - name: Exchange for Installation Token
+        id: exchange
+        env:
+          OIDC_TOKEN: ${{ steps.oidc.outputs.oidc_token }}
+        run: |
+          RESPONSE=$(curl -sSf -X POST "${{ vars.TOKEN_EXCHANGE_URL }}/api/exchange/token" \
+            -H "Content-Type: application/json" \
+            -d "$(jq -cn \
+              --arg oidcToken "$OIDC_TOKEN" \
+              --arg targetRepo "MetaMask/triage-agent" \
+              '{oidcToken: $oidcToken, targetRepo: $targetRepo, requested_permissions: {contents: "write", metadata: "read"}}')")
+          TOKEN=$(echo "$RESPONSE" | jq -r '.token')
+          echo "::add-mask::$TOKEN"
+          echo "token=$TOKEN" >> "$GITHUB_OUTPUT"
+
+      - name: Dispatch to triage-agent
+        uses: peter-evans/repository-dispatch@v3
+        with:
+          token: ${{ steps.exchange.outputs.token }}
+          repository: MetaMask/triage-agent
+          event-type: triage-issue
+          client-payload: |-
+            {
+              "repo_owner": "${{ github.repository_owner }}",
+              "repo_name": "${{ github.event.repository.name }}",
+              "issue_number": "${{ github.event.issue.number }}",
+              "event_action": "${{ github.event.action }}",
+              "event_label_name": "${{ github.event.label.name }}",
+              "trigger_mode": "label"
+            }

.github/workflows/update-e2e-fixtures.yml

@@ -22,6 +22,14 @@ on:
         description: 'PR number to update fixtures for'
         required: true
         type: string
+      runner_provider:
+        description: Runner provider for this manual trial run
+        required: false
+        type: choice
+        options:
+          - current
+          - namespace
+        default: current
 
 jobs:
   # ── issue_comment dispatcher ──────────────────────────────────────────
@@ -34,7 +42,7 @@ jobs:
         github.event.issue.pull_request &&
         startsWith(github.event.comment.body, '@metamaskbot update-mobile-fixture')
       }}
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ci-linux' || 'ubuntu-latest' }}
     timeout-minutes: 5
     permissions:
       actions: write
@@ -76,7 +84,7 @@ jobs:
   is-fork-pull-request:
     name: Validate PR
     if: ${{ github.event_name == 'workflow_dispatch' }}
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ci-linux' || 'ubuntu-latest' }}
     timeout-minutes: 5
     outputs:
       IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }}
@@ -93,7 +101,7 @@ jobs:
 
   prepare:
     name: Prepare build artifacts
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ci-linux' || 'ubuntu-latest' }}
     timeout-minutes: 10
     needs: is-fork-pull-request
     if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
@@ -172,7 +180,7 @@ jobs:
     name: Export & update fixtures
     needs: [is-fork-pull-request, prepare]
     if: ${{ needs.prepare.result == 'success' && needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
-    runs-on: ${{ startsWith(github.base_ref, 'release/') && fromJSON('["ghcr.io/cirruslabs/macos-runner:tahoe"]') || fromJSON('["ghcr.io/cirruslabs/macos-runner:tahoe", "low-priority"]') }}
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ios-e2e' || (startsWith(github.base_ref, 'release/') && fromJSON('["ghcr.io/cirruslabs/macos-runner:tahoe"]') || fromJSON('["ghcr.io/cirruslabs/macos-runner:tahoe", "low-priority"]')) }}
     timeout-minutes: 30
 
     env:
@@ -257,7 +265,7 @@ jobs:
 
   commit-updated-fixtures:
     name: Commit the updated fixtures
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ci-linux' || 'ubuntu-latest' }}
     timeout-minutes: 10
     permissions:
       contents: write
@@ -335,7 +343,7 @@ jobs:
 
   check-status:
     name: Check whether the fixture update succeeded
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ci-linux' || 'ubuntu-latest' }}
     timeout-minutes: 5
     if: ${{ !cancelled() && needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
     needs:
@@ -356,7 +364,7 @@ jobs:
   failure-comment:
     name: Comment about the fixture update failure
     if: ${{ !cancelled() && needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ci-linux' || 'ubuntu-latest' }}
     timeout-minutes: 5
     permissions:
       contents: read

.github/workflows/update-release-changelog.yml

@@ -68,7 +68,7 @@ jobs:
           ref: v1
 
       - name: Setup Node for changelog tooling
-        uses: ./github-tools/.github/actions/checkout-and-setup
+        uses: MetaMask/action-checkout-and-setup@v3
         with:
           is-high-risk-environment: true
 

.github/workflows/upload-to-testflight.yml

@@ -44,6 +44,11 @@ on:
         required: false
         type: boolean
         default: true
+      runner_provider:
+        description: Runner provider forwarded from the caller
+        required: false
+        type: string
+        default: current
 
 permissions:
   contents: read
@@ -52,7 +57,7 @@ permissions:
 jobs:
   testflight-upload-summary:
     name: TestFlight upload summary
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ci-linux' || 'ubuntu-latest' }}
     steps:
       - name: Display TestFlight upload summary
         run: |
@@ -74,7 +79,7 @@ jobs:
   upload-ios-testflight:
     name: Upload iOS to TestFlight
     needs: [testflight-upload-summary]
-    runs-on: ghcr.io/cirruslabs/macos-runner:tahoe-xl
+    runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ios-build' || 'ghcr.io/cirruslabs/macos-runner:tahoe-xl' }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4