chore(ci): migrate iOS CI runners from macOS Sequoia to Tahoe for Xcode 26.x support (#28433)

---

## **Description**

<!--
Write a short description of the changes included in this pull request,
also include relevant motivation and context. Have in mind the following
questions:
1. What is the reason for the change?
2. What is the improvement/solution?
-->

Apple requires all iOS and iPadOS apps to be built with the iOS 26 SDK
(Xcode 26 or later) starting April 28, 2026. A previous commit (#27726)
bumped the pinned Xcode version from `16.3` to `26.3`, but all iOS CI
runner images were still pointing to macOS Sequoia (`sequoia` /
`sequoia-xl`). The Sequoia images only ship with Xcode 16.x, so `xcodes
select 26.3` (or `xcode-select -s /Applications/Xcode_26.3.app`) would
fail with "invalid developer directory".

This PR migrates every iOS CI runner image from
`ghcr.io/cirruslabs/macos-runner:sequoia[-xl]` to
`ghcr.io/cirruslabs/macos-runner:tahoe[-xl]`, which ships with the 3
latest Xcode versions including 26.3 and the `xcodes` CLI tool. The
Xcode selection step in `build.yml` is also updated to use `xcodes
select 26.3` per the [Cirrus Labs recommended
approach](https://cirrus-runners.app/setup/) for their multi-Xcode
runner images. The `actionlint.yaml` runner allowlist is updated
accordingly to prevent false lint failures.

**Files changed:**
- `.github/actionlint.yaml` — update self-hosted runner allowlist to
`tahoe` / `tahoe-xl`
- `.github/workflows/build.yml` — runner `sequoia-xl` → `tahoe-xl`;
Xcode selection updated to `xcodes select 26.3`
- `.github/workflows/setup-node-modules.yml` — runner `sequoia-xl` →
`tahoe-xl` (must match build consumer for native dep symlinks)
- `.github/workflows/build-ios-e2e.yml` — runner `sequoia-xl` →
`tahoe-xl`
- `.github/workflows/run-e2e-smoke-tests-ios-flask.yml` — runner
`sequoia` → `tahoe`
- `.github/workflows/run-e2e-workflow.yml` — runner `sequoia` → `tahoe`
- `.github/workflows/update-e2e-fixtures.yml` — runner `sequoia` →
`tahoe`
- `.github/workflows/upload-to-testflight.yml` — runner `sequoia-xl` →
`tahoe-xl`

## **Changelog**

<!--
If this PR is not End-User-Facing and should not show up in the
CHANGELOG, you can choose to either:
1. Write `CHANGELOG entry: null`
2. Label with `no-changelog`
-->

CHANGELOG entry: null

## **Related issues**

Fixes:

## **Manual testing steps**

N/A

## **Screenshots/Recordings**

### **Before**

N/A

### **After**

N/A

## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I've applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

<!-- Generated with the help of the pr-description AI skill -->

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Medium risk because it changes CI runner images and Xcode selection
logic across multiple iOS build/E2E workflows; misconfiguration could
break iOS builds/tests despite minimal product-code impact.
> 
> **Overview**
> **Migrates iOS CI execution to Cirrus Labs `tahoe`/`tahoe-xl`
runners** across build, TestFlight upload, E2E, and fixture-update
workflows to ensure Xcode 26.x availability.
> 
> **Standardizes Xcode selection** by switching the iOS build workflow
to `xcodes select 26.3`.
> 
> **Brings E2E setup in-repo** by adding a composite action
`./.github/actions/setup-e2e-env` and updating workflows to use it, and
updates Detox’s default iOS simulator from `iPhone 15 Pro` to `iPhone 16
Pro` (plus matching docs).
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
4cea412. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: tommasini

.detoxrc.js

@@ -82,7 +82,7 @@ module.exports = {
     'ios.simulator': {
       type: 'ios.simulator',
       device: {
-        type: 'iPhone 15 Pro',
+        type: 'iPhone 16 Pro',
       },
     },
     'android.emulator': {

.github/actionlint.yaml

@@ -9,8 +9,8 @@ self-hosted-runner:
     - "gha-mm-scale-set-ubuntu-22.04-amd64-small"
     - "gha-mm-scale-set-ubuntu-22.04-amd64-med"
     - "macos-15"
-    - "ghcr.io/cirruslabs/macos-runner:sequoia"
-    - "ghcr.io/cirruslabs/macos-runner:sequoia-xl"
+    - "ghcr.io/cirruslabs/macos-runner:tahoe"
+    - "ghcr.io/cirruslabs/macos-runner:tahoe-xl"
     - "ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md"
     - "ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-lg"
     - "ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-xl"

.github/actions/setup-e2e-env/action.yml

@@ -0,0 +1,362 @@
+name: 'Setup E2E Test Environment'
+description: 'Sets up the environment for running E2E tests'
+
+inputs:
+  platform:
+    description: 'Platform (ios or android)'
+    required: true
+  node-version:
+    description: 'Node.js version'
+    required: false
+    default: '20.18.0'
+  yarn-version:
+    description: Yarn version to use with Corepack
+    required: false
+    default: '3.8.7'
+  setup-simulator:
+    description: 'Whether to setup simulator/emulator'
+    required: false
+    default: 'false'
+  bundler-version:
+    description: 'Bundler version to use (only for iOS)'
+    required: false
+    default: '2.5.8'
+  cache-prefix:
+    description: 'Cache key prefix'
+    required: false
+    default: 'e2e'
+  ruby-version:
+    description: Ruby version to use (only for iOS)
+    required: false
+    default: '3.2.9'
+  xcode-version:
+    description: 'Xcode version to select (e.g., 26.3). Uses xcodes CLI on Cirrus Labs runners, falls back to xcode-select on GitHub-hosted runners.'
+    required: false
+    default: '26.3'
+  jdk-version:
+    description: JDK version to use (only for Android)
+    required: false
+    default: '17'
+  jdk-distribution:
+    description: JDK distribution to use (only for Android)
+    required: false
+    default: 'temurin'
+  foundry-version:
+    description: Foundry version to install
+    required: false
+    default: 'v0.3.0'
+  android-avd-name:
+    description: 'Name of AVD to create and boot (for Android)'
+    required: false
+    default: 'test_e2e_avd'
+  android-device:
+    description: 'AVD device profile (e.g. "pixel_5", "pixel", "Nexus 6")'
+    required: false
+    default: 'pixel_5'
+  android-api-level:
+    description: 'Android API level to use (e.g. "34")'
+    required: false
+    default: '34'
+  android-abi:
+    description: 'System architecture ABI for the Android system image (e.g. x86_64, arm64-v8a, armeabi-v7a)'
+    required: false
+    default: 'x86_64'
+  android-tag:
+    description: 'Android system image tag (e.g. google_apis, default)'
+    required: false
+    default: 'google_apis'
+  android-sdcard-size:
+    description: 'SD card size for AVD (e.g. 8092M)'
+    required: false
+    default: '8092M'
+  configure-keystores:
+    description: 'Whether to configure keystores for E2E tests'
+    required: false
+    default: 'true'
+  keystore-role-to-assume:
+    description: 'AWS IAM role to assume for keystore configuration'
+    required: false
+    default: 'arn:aws:iam::363762752069:role/metamask-mobile-build-signer-qa'
+  target:
+    description: 'Target for which the keystore is being configured (e.g., qa, flask, main)'
+    required: false
+    default: 'qa'
+
+runs:
+  using: 'composite'
+  steps:
+    ## Common Setup ##
+    - run: echo "Setup E2E Environment started"
+      shell: bash
+
+    ## Android Setup (early for fail-fast) ##
+
+    # Set Android environment variables (self-hosted runner has SDK pre-installed)
+    - name: Set Android environment variables
+      if: ${{ inputs.platform == 'android' }}
+      run: |
+        echo "ANDROID_HOME=/opt/android-sdk" >> "$GITHUB_ENV"
+        echo "ANDROID_SDK_ROOT=/opt/android-sdk" >> "$GITHUB_ENV"
+      shell: bash
+
+    - name: Configure Android Signing Certificates
+      if: ${{ inputs.platform == 'android' && inputs.configure-keystores == 'true' }}
+      uses: MetaMask/github-tools/.github/actions/configure-keystore@0259e8a920318b02a8860e178d79796eaa08de02
+      with:
+        aws-role-to-assume: ${{ inputs.keystore-role-to-assume }}
+        aws-region: 'us-east-2'
+        platform: 'android'
+        target: ${{ inputs.target }}
+
+    ## JDK Setup
+    - name: Setup Java
+      if: ${{ inputs.platform == 'android' }}
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00
+      with:
+        java-version: ${{ inputs.jdk-version }}
+        distribution: ${{ inputs.jdk-distribution }}
+
+    - name: Install required emulator dependencies
+      if: ${{ inputs.platform == 'android' && runner.os == 'Linux' }}
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y \
+          libpulse0 \
+          libglu1-mesa \
+          libnss3 \
+          libxss1
+
+        echo "✅ Linux dependencies installed successfully"
+      shell: bash
+
+    ## Android SDK Setup (SDK pre-installed in container)
+
+    - name: Install additional Android SDK components if needed
+      if: ${{ inputs.platform == 'android' && (inputs.android-api-level != '34' || inputs.android-abi != 'x86_64') }}
+      env:
+        ANDROID_API_LEVEL: ${{ inputs.android-api-level }}
+        ANDROID_ABI: ${{ inputs.android-abi }}
+      run: |
+        IMAGE="system-images;android-$ANDROID_API_LEVEL;google_apis;$ANDROID_ABI"
+        echo "Installing additional system image: $IMAGE"
+        echo "y" | "/opt/android-sdk/cmdline-tools/latest/bin/sdkmanager" "$IMAGE"
+      shell: bash
+
+    ## Launch AVD
+
+    - name: Set ANDROID_AVD_HOME for downstream steps
+      if: ${{ inputs.platform == 'android'}}
+      shell: bash
+      run: |
+        echo "ANDROID_AVD_HOME=$HOME/.android/avd" >> "$GITHUB_ENV"
+        mkdir -p "$HOME/.android/avd"
+
+    - name: Create Android Virtual Device (AVD)
+      if: ${{ inputs.platform == 'android'}}
+      env:
+        ANDROID_API_LEVEL: ${{ inputs.android-api-level }}
+        ANDROID_TAG: ${{ inputs.android-tag }}
+        ANDROID_ABI: ${{ inputs.android-abi }}
+        ANDROID_AVD_NAME: ${{ inputs.android-avd-name }}
+        ANDROID_DEVICE: ${{ inputs.android-device }}
+        ANDROID_SDCARD_SIZE: ${{ inputs.android-sdcard-size }}
+      run: |
+        IMAGE="system-images;android-$ANDROID_API_LEVEL;$ANDROID_TAG;$ANDROID_ABI"
+        echo "Creating AVD with image: $IMAGE"
+        "/opt/android-sdk/cmdline-tools/latest/bin/avdmanager" --verbose create avd \
+          --force \
+          --name "$ANDROID_AVD_NAME" \
+          --package "$IMAGE" \
+          --device "$ANDROID_DEVICE" \
+          --tag "$ANDROID_TAG" \
+          --abi "$ANDROID_ABI" \
+          --sdcard "$ANDROID_SDCARD_SIZE"
+      shell: bash
+
+    ## iOS Platform Setup ##
+
+    - name: Configure iOS Signing Certificates
+      if: ${{ inputs.platform == 'ios' && inputs.configure-keystores == 'true' }}
+      uses: MetaMask/github-tools/.github/actions/configure-keystore@0259e8a920318b02a8860e178d79796eaa08de02
+      with:
+        aws-role-to-assume: ${{ inputs.keystore-role-to-assume }}
+        aws-region: 'us-east-2'
+        platform: 'ios'
+        target: ${{ inputs.target }}
+
+    ## Node.js & JavaScript Dependencies Setup ##
+
+    - name: Setup Node.js
+      uses: actions/setup-node@v6
+      with:
+        node-version: ${{ inputs.node-version }}
+
+    ## Yarn Setup & Cache Management
+
+    - name: Get Corepack install command
+      id: get-corepack-command
+      env:
+        YARN_VERSION: ${{ inputs.yarn-version }}
+      shell: bash
+      run: |
+        echo "COREPACK_COMMAND=corepack enable && corepack prepare yarn@$YARN_VERSION --activate" >> "$GITHUB_OUTPUT"
+
+    - name: Corepack
+      id: corepack
+      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 #v3.0.2
+      with:
+        timeout_minutes: 15
+        max_attempts: 3
+        retry_wait_seconds: 30
+        command: ${{ steps.get-corepack-command.outputs.COREPACK_COMMAND }}
+
+    - name: Restore Yarn cache
+      uses: actions/cache@v4
+      with:
+        path: |
+          node_modules
+        key: ${{ inputs.cache-prefix }}-yarn-${{ inputs.platform }}-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
+
+    - name: Install JavaScript dependencies with retry
+      id: yarn-install
+      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 #v3.0.2
+      with:
+        timeout_minutes: 15
+        max_attempts: 3
+        retry_wait_seconds: 30
+        command: yarn install --immutable
+      env:
+        NODE_OPTIONS: --max-old-space-size=4096
+        YARN_ENABLE_GLOBAL_CACHE: 'true'
+
+    - name: Install Foundry
+      shell: bash
+      env:
+        FOUNDRY_VERSION: ${{ inputs.foundry-version }}
+      run: |
+        echo "Installing Foundry via foundryup..."
+
+        export FOUNDRY_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/.foundry"
+        export FOUNDRY_BIN="$FOUNDRY_DIR/bin"
+
+        mkdir -p "$FOUNDRY_BIN"
+
+        curl -sL https://raw.githubusercontent.com/foundry-rs/foundry/master/foundryup/foundryup -o "$FOUNDRY_BIN/foundryup"
+        chmod +x "$FOUNDRY_BIN/foundryup"
+
+        echo "$FOUNDRY_BIN" >> "$GITHUB_PATH"
+
+        "$FOUNDRY_BIN/foundryup" -i "$FOUNDRY_VERSION"
+
+    ## iOS Setup ##
+
+    ## Ruby Setup & Cache Management
+    - name: Setup Ruby
+      if: ${{ inputs.platform == 'ios' }}
+      uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd
+      with:
+        ruby-version: ${{ inputs.ruby-version }}
+
+    - name: Install bundler
+      if: ${{ inputs.platform == 'ios' }}
+      run: gem install bundler -v ${{ inputs.bundler-version }}
+      working-directory: ios
+      shell: bash
+
+    - name: Restore Bundler cache
+      if: ${{ inputs.platform == 'ios' }}
+      uses: actions/cache@v4
+      with:
+        path: ios/vendor/bundle
+        key: ${{ inputs.cache-prefix }}-bundler-${{ inputs.platform }}-${{ runner.os }}-${{ hashFiles('ios/Gemfile.lock') }}
+        restore-keys: |
+          ${{ inputs.cache-prefix }}-bundler-${{ inputs.platform }}-${{ runner.os }}-
+
+    - name: Configure bundler install path
+      if: ${{ inputs.platform == 'ios' }}
+      run: bundle config set path 'vendor/bundle'
+      working-directory: ios
+      shell: bash
+
+    - name: Install Ruby gems via bundler
+      if: ${{ inputs.platform == 'ios' }}
+      run: bundle install
+      working-directory: ios
+      shell: bash
+
+    - name: Generate binstubs for CocoaPods
+      if: ${{ inputs.platform == 'ios' }}
+      run: bundle binstubs cocoapods --force --path=vendor/bundle/bin
+      working-directory: ios
+      shell: bash
+
+    - name: Add binstubs to PATH
+      if: ${{ inputs.platform == 'ios' }}
+      run: echo "$(pwd)/ios/vendor/bundle/bin" >> "$GITHUB_PATH"
+      shell: bash
+
+    - name: Verify CocoaPods
+      if: ${{ inputs.platform == 'ios' }}
+      run: |
+        bundle show cocoapods || (echo "❌ CocoaPods not installed from ios/Gemfile" && exit 1)
+        bundle exec pod --version
+      working-directory: ios
+      shell: bash
+
+    - name: Verify CocoaPods BinStub
+      if: ${{ inputs.platform == 'ios' }}
+      run: |
+        bundle show cocoapods || (echo "❌ CocoaPods not installed from ios/Gemfile" && exit 1)
+        pod --version
+      working-directory: ios
+      shell: bash
+
+    - name: Select Xcode ${{ inputs.xcode-version }}
+      if: ${{ inputs.platform == 'ios' }}
+      env:
+        XCODE_VERSION: ${{ inputs.xcode-version }}
+      run: |
+        sudo xcodes select "$XCODE_VERSION"
+        xcodebuild -version
+      shell: bash
+
+    - name: Restore CocoaPods specs cache
+      if: ${{ inputs.platform == 'ios' }}
+      id: cocoapods-specs-cache
+      uses: actions/cache@v4
+      with:
+        path: ~/.cocoapods/repos
+        key: ${{ runner.os }}-cocoapods-specs-${{ hashFiles('ios/Podfile.lock') }}
+        restore-keys: |
+          ${{ runner.os }}-cocoapods-specs-
+      continue-on-error: true
+
+    - name: Clear CocoaPods trunk to prevent stale specs
+      if: ${{ inputs.platform == 'ios' }}
+      run: pod repo remove trunk || true
+      shell: bash
+
+    - name: Install CocoaPods via bundler
+      if: ${{ inputs.platform == 'ios'}}
+      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 #v3.0.2
+      with:
+        timeout_minutes: 15
+        max_attempts: 2
+        retry_wait_seconds: 30
+        command: cd ios && bundle exec pod install --repo-update
+
+    - name: Install applesimutils
+      if: ${{ inputs.platform == 'ios' }}
+      run: |
+        if ! brew list applesimutils &>/dev/null; then
+          brew tap wix/brew
+          brew install applesimutils
+        else
+          echo "applesimutils is already installed, skipping..."
+        fi
+      shell: bash
+
+    - name: Check simutils
+      if: ${{ inputs.platform == 'ios' }}
+      run: xcrun simctl list devices
+      shell: bash

.github/workflows/build-android-e2e.yml

@@ -58,7 +58,7 @@ jobs:
 
       - name: Setup Android Build Environment
         timeout-minutes: 15
-        uses: MetaMask/github-tools/.github/actions/setup-e2e-env@v1.7.0
+        uses: ./.github/actions/setup-e2e-env
         with:
           platform: android
           setup-simulator: false