Merge remote-tracking branch 'origin/chore/temp-nightly' into wsun/temp-nightly-ota-v4

Author: weitingsun

.github/actions/cursor-cli-setup/action.yml

@@ -0,0 +1,66 @@
+# Version: 1.0.0
+name: 'Cursor CLI Setup'
+description: 'Sets up Cursor CLI with permissions and fetches issue details'
+
+inputs:
+  cursor-api-key:
+    description: 'Cursor API key for authentication'
+    required: true
+  issue-number:
+    description: 'GitHub issue number'
+    required: true
+  repository:
+    description: 'GitHub repository (owner/repo)'
+    required: true
+  github-token:
+    description: 'GitHub token for API calls'
+    required: true
+  read-only:
+    description: 'If true, configure read-only permissions (no write access)'
+    required: false
+    default: 'true'
+
+outputs:
+  issue-content:
+    description: 'Base64-encoded issue content (JSON with title, body, comments, labels)'
+    value: ${{ steps.issue.outputs.content }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Configure Cursor permissions (read-only)
+      if: inputs.read-only == 'true'
+      shell: bash
+      run: |
+        # Strict allowlist: only read source code, deny everything else
+        mkdir -p .cursor
+        printf '%s\n' '{"permissions":{"allow":["Read(app/**/*)","Read(src/**/*)","Read(e2e/**/*)","Read(docs/**/*)","Read(*.md)","Read(*.json)","Read(*.ts)","Read(*.tsx)","Read(*.js)"],"deny":["Shell(*)","Write(*)","Read(.env*)","Read(**/.env*)","Read(**/secrets/**)","Read(**/*.pem)","Read(**/*.key)","Read(**/*.secret)","Read(.git/**)","Read(node_modules/**)"]}}' > .cursor/permissions.json
+
+    - name: Configure Cursor permissions (read-write)
+      if: inputs.read-only == 'false'
+      shell: bash
+      run: |
+        # Allow reads and writes to source code, deny sensitive files
+        mkdir -p .cursor
+        printf '%s\n' '{"permissions":{"allow":["Read(app/**/*)","Read(src/**/*)","Read(e2e/**/*)","Read(docs/**/*)","Read(*.md)","Read(*.json)","Read(*.ts)","Read(*.tsx)","Read(*.js)","Write(app/**/*)","Write(src/**/*)","Write(e2e/**/*)","Write(docs/**/*)","Write(*.md)","Write(*.json)","Write(*.ts)","Write(*.tsx)","Write(*.js)","Shell(yarn *)","Shell(git *)"],"deny":["Read(.env*)","Read(**/.env*)","Read(**/secrets/**)","Read(**/*.pem)","Read(**/*.key)","Read(**/*.secret)","Read(node_modules/**)","Write(.env*)","Write(**/.env*)","Write(**/secrets/**)","Write(**/*.pem)","Write(**/*.key)","Write(**/*.secret)","Shell(curl *)","Shell(wget *)","Shell(npm *)","Shell(npx *)"]}}' > .cursor/permissions.json
+
+    - name: Install Cursor CLI
+      shell: bash
+      run: |
+        curl https://cursor.com/install -fsS | bash
+        echo "$HOME/.cursor/bin" >> "$GITHUB_PATH"
+
+    - name: Fetch issue details
+      id: issue
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+        ISSUE_NUMBER: ${{ inputs.issue-number }}
+        REPO: ${{ inputs.repository }}
+      run: |
+        # Use env vars to prevent shell injection
+        ISSUE_CONTENT=$(gh issue view "$ISSUE_NUMBER" --repo "$REPO" --json title,body,comments,labels)
+
+        # Base64 encode to safely pass through GitHub Actions outputs
+        ENCODED=$(printf '%s' "$ISSUE_CONTENT" | base64 -w 0)
+        echo "content=$ENCODED" >> "$GITHUB_OUTPUT"

.github/cursor/prompts/implement-issue.md

@@ -0,0 +1,27 @@
+You are implementing a GitHub issue for the MetaMask Mobile repository.
+
+## Your Task
+
+1. **Understand the Issue**: Read the issue details carefully to understand what needs to be done
+2. **Analyze the Codebase**: Search for relevant files and understand the existing patterns
+3. **Implement the Solution**: Make the necessary code changes following the project's conventions
+4. **Write Tests**: Add unit tests for any new functionality (follow the testing guidelines)
+5. **Verify**: Ensure your changes don't break existing functionality
+
+## Guidelines
+
+- Follow the existing code style and patterns in the repository
+- Use TypeScript - no `any` types allowed
+- Use the design system components from `@metamask/design-system-react-native`
+- Add appropriate comments where needed
+- Keep changes focused on the issue scope - don't over-engineer
+
+## Output
+
+After implementing, provide a summary of:
+
+1. Files changed and why
+2. Key implementation decisions
+3. Any potential risks or considerations for reviewers
+
+Do NOT create the pull request yourself - the workflow will handle that.

.github/workflows/build-android-e2e.yml

@@ -98,35 +98,78 @@ jobs:
             exit 1
           fi
 
-      - name: Check and restore cached APKs if Fingerprint is found
+      - name: Restore APKs matching fingerprint from branch cache
         id: apk-cache-restore
+        # This action automatically updates the cache at the end of the workflow
         uses: cirruslabs/cache@bba69c6578b863ad0398ad40567bd2ef70290fe0 # v4
         with:
           path: |
             ${{ steps.determine-target-paths.outputs.apk-target-path }}/${{ steps.determine-target-paths.outputs.artifact_name }}.apk
             ${{ steps.determine-target-paths.outputs.test-apk-target-path }}/${{ steps.determine-target-paths.outputs.artifact_name }}-androidTest.apk
           # Include Gradle properties in key to force rebuild when properties change
           # Keep the `hashFiles` call for Gradle config in-sync with these steps:
-          # - "Cache Gradle dependencies"
-          # - "Cache build artifacts"
-          key: android-apk-${{ inputs.build_type }}-${{ env.CACHE_GENERATION }}-${{ steps.generate-fingerprint.outputs.fingerprint }}-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+          # - "Restore APKs matching fingerprint from branch cache"
+          # - "Restore APKs matching fingerprint from main cache"
+          # - "Restore Gradle dependencies from branch cache"
+          # - "Restore Gradle dependencies from main cache"
+          key: android-apk-${{ github.ref_name }}-${{ inputs.build_type }}-${{ env.CACHE_GENERATION }}-${{ steps.generate-fingerprint.outputs.fingerprint }}-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
 
-      - name: Cache Gradle dependencies
+      - name: Restore APKs matching fingerprint from main cache
+        if: ${{ steps.apk-cache-restore.outputs.cache-hit != 'true' && github.ref_name != 'main' }}
+        id: apk-cache-restore-main
+        # This will only restore the cache, not update it
+        uses: cirruslabs/cache/restore@bba69c6578b863ad0398ad40567bd2ef70290fe0 # v4
+        with:
+          path: |
+            ${{ steps.determine-target-paths.outputs.apk-target-path }}/${{ steps.determine-target-paths.outputs.artifact_name }}.apk
+            ${{ steps.determine-target-paths.outputs.test-apk-target-path }}/${{ steps.determine-target-paths.outputs.artifact_name }}-androidTest.apk
+          # Include Gradle properties in key to force rebuild when properties change
+          # Keep the `hashFiles` call for Gradle config in-sync with these steps:
+          # - "Restore APKs matching fingerprint from branch cache"
+          # - "Restore APKs matching fingerprint from main cache"
+          # - "Restore Gradle dependencies from branch cache"
+          # - "Restore Gradle dependencies from main cache"
+          key: android-apk-main-${{ inputs.build_type }}-${{ env.CACHE_GENERATION }}-${{ steps.generate-fingerprint.outputs.fingerprint }}-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+
+      - name: Restore Gradle dependencies from branch cache
+        id: gradle-cache-restore
+        # This action automatically updates the cache at the end of the workflow
         uses: cirruslabs/cache@bba69c6578b863ad0398ad40567bd2ef70290fe0 # v4
-        if: ${{ steps.apk-cache-restore.outputs.cache-hit != 'true' }}
+        if: ${{ steps.apk-cache-restore.outputs.cache-hit != 'true' && steps.apk-cache-restore-main.outputs.cache-hit != 'true' }}
+        env:
+          GRADLE_CACHE_VERSION: 1
+        with:
+          path: |
+            ~/_work/.gradle/caches
+            ~/_work/.gradle/wrapper
+          # Include Gradle properties in key to force rebuild when properties change
+          # Keep the `hashFiles` call for Gradle config in-sync with these steps:
+          # - "Restore APKs matching fingerprint from branch cache"
+          # - "Restore APKs matching fingerprint from main cache"
+          # - "Restore Gradle dependencies from branch cache"
+          # - "Restore Gradle dependencies from main cache"
+          key: gradle-${{ github.ref_name }}-${{ env.GRADLE_CACHE_VERSION }}-${{ runner.os }}-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+
+      - name: Restore Gradle dependencies from main cache
+        # This will only restore the cache, not update it
+        uses: cirruslabs/cache/restore@bba69c6578b863ad0398ad40567bd2ef70290fe0 # v4
+        if: ${{ steps.apk-cache-restore.outputs.cache-hit != 'true' && steps.apk-cache-restore-main.outputs.cache-hit != 'true' && steps.gradle-cache-restore.outputs.cache-hit != 'true' && github.ref_name != 'main' }}
         env:
           GRADLE_CACHE_VERSION: 1
         with:
           path: |
             ~/_work/.gradle/caches
             ~/_work/.gradle/wrapper
+          # Include Gradle properties in key to force rebuild when properties change
           # Keep the `hashFiles` call for Gradle config in-sync with these steps:
-          # - "Check and restore cached APKs if Fingerprint is found"
-          # - "Cache build artifacts"
-          key: gradle-${{ env.GRADLE_CACHE_VERSION }}-${{ runner.os }}-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+          # - "Restore APKs matching fingerprint from branch cache"
+          # - "Restore APKs matching fingerprint from main cache"
+          # - "Restore Gradle dependencies from branch cache"
+          # - "Restore Gradle dependencies from main cache"
+          key: gradle-main-${{ env.GRADLE_CACHE_VERSION }}-${{ runner.os }}-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
 
       - name: Build Android E2E APKs
-        if: ${{ steps.apk-cache-restore.outputs.cache-hit != 'true' }}
+        if: ${{ steps.apk-cache-restore.outputs.cache-hit != 'true' && steps.apk-cache-restore-main.outputs.cache-hit != 'true' }}
         run: |
           echo "🏗 Building Android E2E APKs..."
           export NODE_OPTIONS="--max-old-space-size=4096"
@@ -179,7 +222,7 @@ jobs:
           MM_PREDICT_GTM_MODAL_ENABLED: 'false'
 
       - name: Repack APK with JS updates using @expo/repack-app
-        if: ${{ steps.apk-cache-restore.outputs.cache-hit == 'true' }}
+        if: ${{ steps.apk-cache-restore.outputs.cache-hit == 'true' || steps.apk-cache-restore-main.outputs.cache-hit == 'true' }}
         run: |
           echo "📦 Repacking APK with updated JavaScript bundle using @expo/repack-app..."
           # Use the optimized repack script which uses @expo/repack-app
@@ -228,19 +271,6 @@ jobs:
           GOOGLE_SERVICES_B64_ANDROID: ${{ secrets.GOOGLE_SERVICES_B64_ANDROID }}
           MM_INFURA_PROJECT_ID: ${{ secrets.MM_INFURA_PROJECT_ID }}
 
-      # Cache build artifacts with the pre-build fingerprint
-      - name: Cache build artifacts
-        if: ${{ steps.apk-cache-restore.outputs.cache-hit != 'true' }}
-        uses: cirruslabs/cache@bba69c6578b863ad0398ad40567bd2ef70290fe0 # v4
-        with:
-          path: |
-            ${{ steps.determine-target-paths.outputs.apk-target-path }}/${{ steps.determine-target-paths.outputs.artifact_name }}.apk
-            ${{ steps.determine-target-paths.outputs.test-apk-target-path }}/${{ steps.determine-target-paths.outputs.artifact_name }}-androidTest.apk
-          # Keep the `hashFiles` call for Gradle config in-sync with these steps:
-          # - "Check and restore cached APKs if Fingerprint is found"
-          # - "Cache Gradle dependencies"
-          key: android-apk-${{ inputs.build_type }}-${{ env.CACHE_GENERATION }}-${{ steps.generate-fingerprint.outputs.fingerprint }}-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
-
       - name: Upload Android APK
         id: upload-apk
         uses: actions/upload-artifact@v4

.github/workflows/build-ios-e2e.yml

@@ -57,15 +57,30 @@ jobs:
       - name: Checkout repo
         uses: actions/checkout@v4
 
-      - name: Cache Xcode derived data
+      - name: Restore Xcode derived data from branch cache
+        id: xcode-restore-cache
+        # This action automatically updates the cache at the end of the workflow
         uses: cirruslabs/cache@bba69c6578b863ad0398ad40567bd2ef70290fe0 # v4
         env:
           XCODE_CACHE_VERSION: 1
         with:
           path: |
             ~/Library/Developer/Xcode/DerivedData
             ios/build
-          key: ${{ runner.os }}-xcode-${{ env.XCODE_CACHE_VERSION }}-${{ hashFiles('ios/**/*.{h,m,mm,swift}', 'ios/**/Podfile.lock', 'yarn.lock') }}
+          key: ${{ runner.os }}-xcode-${{ github.ref_name }}-${{ env.XCODE_CACHE_VERSION }}-${{ hashFiles('ios/**/*.{h,m,mm,swift}', 'ios/**/Podfile.lock', 'yarn.lock') }}
+
+      - name: Restore Xcode derived data from main cache
+        if: ${{ steps.xcode-restore-cache.outputs.cache-hit != 'true' && github.ref_name != 'main' }}
+        id: xcode-restore-cache-main
+        # This will only restore the cache, not update it
+        uses: cirruslabs/cache/restore@bba69c6578b863ad0398ad40567bd2ef70290fe0 # v4
+        env:
+          XCODE_CACHE_VERSION: 1
+        with:
+          path: |
+            ~/Library/Developer/Xcode/DerivedData
+            ios/build
+          key: ${{ runner.os }}-xcode-main-${{ env.XCODE_CACHE_VERSION }}-${{ hashFiles('ios/**/*.{h,m,mm,swift}', 'ios/**/Podfile.lock', 'yarn.lock') }}
 
       # Install Node.js, Xcode tools, and other iOS development dependencies
       - name: Installing iOS Environment Setup
@@ -112,17 +127,28 @@ jobs:
           echo "fingerprint=$FINGERPRINT" >> "$GITHUB_OUTPUT"
           echo "Current fingerprint: ${FINGERPRINT}"
 
-      - name: Check and restore cached iOS app if Fingerprint is found
+      - name: Restore iOS app matching fingerprint from branch cache
         id: cache-restore
+        # This action automatically updates the cache at the end of the workflow
         uses: cirruslabs/cache@bba69c6578b863ad0398ad40567bd2ef70290fe0 # v4
         with:
           path: |
             ios/build/Build/Products/Release-iphonesimulator/MetaMask.app
-          key: ios-app-${{ steps.generate-fingerprint.outputs.fingerprint }}
+          key: ios-app-${{ github.ref_name }}-${{ steps.generate-fingerprint.outputs.fingerprint }}
+
+      - name: Restore iOS app matching fingerprint from main cache
+        if: ${{ steps.cache-restore.outputs.cache-hit != 'true' && github.ref_name != 'main' }}
+        id: cache-restore-main
+        # This will only restore the cache, not update it
+        uses: cirruslabs/cache/restore@bba69c6578b863ad0398ad40567bd2ef70290fe0 # v4
+        with:
+          path: |
+            ios/build/Build/Products/Release-iphonesimulator/MetaMask.app
+          key: ios-app-main-${{ steps.generate-fingerprint.outputs.fingerprint }}
 
       # Build the iOS E2E app for simulator
       - name: Build iOS E2E App
-        if: ${{ steps.cache-restore.outputs.cache-hit != 'true' }}
+        if: ${{ steps.cache-restore.outputs.cache-hit != 'true' && steps.cache-restore-main.outputs.cache-hit != 'true' }}
         run: |
           echo "🏗 Building iOS E2E App..."
           export NODE_OPTIONS="--max-old-space-size=8192"
@@ -157,7 +183,7 @@ jobs:
           GOOGLE_SERVICES_B64_ANDROID: ${{ secrets.GOOGLE_SERVICES_B64_ANDROID }}
 
       - name: Repack iOS app with JS updates using @expo/repack-app
-        if: ${{ steps.cache-restore.outputs.cache-hit == 'true' }}
+        if: ${{ steps.cache-restore.outputs.cache-hit == 'true' || steps.cache-restore-main.outputs.cache-hit == 'true' }}
         run: |
           echo "📦 Repacking iOS app with updated JavaScript bundle using @expo/repack-app..."
           # Use the optimized repack script which uses @expo/repack-app
@@ -195,15 +221,6 @@ jobs:
           GOOGLE_SERVICES_B64_ANDROID: ${{ secrets.GOOGLE_SERVICES_B64_ANDROID }}
           MM_INFURA_PROJECT_ID: ${{ secrets.MM_INFURA_PROJECT_ID }}
 
-      # Cache build artifacts with the pre-build fingerprint
-      - name: Cache build artifacts
-        if: ${{ steps.cache-restore.outputs.cache-hit != 'true' }}
-        uses: cirruslabs/cache@bba69c6578b863ad0398ad40567bd2ef70290fe0 # v4
-        with:
-          path: |
-            ios/build/Build/Products/Release-iphonesimulator/MetaMask.app
-          key: ios-app-${{ steps.generate-fingerprint.outputs.fingerprint }}
-
       # Upload the iOS .app file that works in simulators
       - name: Upload iOS APP Artifact (Simulator)
         id: upload-app
@@ -219,7 +236,7 @@ jobs:
       # Only runs when repack step runs (cache hit), as that's when sourcemap is generated
       - name: Upload iOS Source Map
         id: upload-sourcemap
-        if: ${{ steps.cache-restore.outputs.cache-hit == 'true' }}
+        if: ${{ steps.cache-restore.outputs.cache-hit == 'true' || steps.cache-restore-main.outputs.cache-hit == 'true' }}
         uses: actions/upload-artifact@v4
         with:
           name: index.js.map

.github/workflows/cursor-issue-analysis.yml

@@ -1,4 +1,4 @@
-# Version: 0.3.0
+# Version: 0.4.0
 name: Cursor Issue Analysis
 
 on:
@@ -42,40 +42,23 @@ jobs:
         if: steps.check-comment.outputs.exists != 'true'
         uses: actions/checkout@v4
 
-      - name: Configure Cursor permissions
+      - name: Setup Cursor CLI
         if: steps.check-comment.outputs.exists != 'true'
-        run: |
-          # Strict allowlist: only read source code, deny everything else
-          mkdir -p .cursor
-          printf '%s\n' '{"permissions":{"allow":["Read(app/**/*)","Read(src/**/*)","Read(e2e/**/*)","Read(docs/**/*)","Read(*.md)","Read(*.json)","Read(*.ts)","Read(*.tsx)","Read(*.js)"],"deny":["Shell(*)","Write(*)","Read(.env*)","Read(**/.env*)","Read(**/secrets/**)","Read(**/*.pem)","Read(**/*.key)","Read(**/*.secret)","Read(.git/**)","Read(node_modules/**)"]}}' > .cursor/permissions.json
-
-      - name: Install Cursor CLI
-        if: steps.check-comment.outputs.exists != 'true'
-        run: |
-          curl https://cursor.com/install -fsS | bash
-          echo "$HOME/.cursor/bin" >> "$GITHUB_PATH"
-
-      - name: Fetch issue details
-        if: steps.check-comment.outputs.exists != 'true'
-        id: issue
-        env:
-          GH_TOKEN: ${{ github.token }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
-          REPO: ${{ github.repository }}
-        run: |
-          # Use env vars to prevent shell injection
-          ISSUE_CONTENT=$(gh issue view "$ISSUE_NUMBER" --repo "$REPO" --json title,body,comments,labels)
-
-          # Base64 encode to safely pass through GitHub Actions outputs
-          ENCODED=$(printf '%s' "$ISSUE_CONTENT" | base64 -w 0)
-          echo "content=$ENCODED" >> "$GITHUB_OUTPUT"
+        id: cursor-setup
+        uses: ./.github/actions/cursor-cli-setup
+        with:
+          cursor-api-key: ${{ secrets.CURSOR_API_KEY }}
+          issue-number: ${{ github.event.issue.number }}
+          repository: ${{ github.repository }}
+          github-token: ${{ github.token }}
+          read-only: 'true'
 
       - name: Run Cursor Analysis
         if: steps.check-comment.outputs.exists != 'true'
         id: analysis
         env:
           CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }}
-          ISSUE_CONTENT_B64: ${{ steps.issue.outputs.content }}
+          ISSUE_CONTENT_B64: ${{ steps.cursor-setup.outputs.issue-content }}
         run: |
           # Decode issue content from base64
           # Note: Variable expansion in double quotes does NOT execute command substitutions