feat: Proposal 2 - YAML anchors (native YAML feature)

- Add shared.yml with YAML anchors for shared configuration
- Add environment configs (prod, rc, exp) using anchor references
- Add load-yaml-config.js script to resolve cross-file anchors
- Add build.yml workflow that uses YAML anchor-based configs
- Add README explaining YAML anchor approach and limitations

This proposal uses native YAML anchors and merge keys (<<) to share
configuration across environments. Anchors are defined in shared.yml
and referenced in environment configs using *anchorName syntax.

Note: Standard YAML doesn't support cross-file anchors, so a custom
loader script is needed to resolve anchors from shared.yml into
environment configs.

Co-authored-by: tomas.santos <[email protected]>

Author: cursoragent

.github/workflows/build.yml

@@ -0,0 +1,152 @@
+name: Build Mobile App
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+      platform:
+        required: true
+        type: choice
+        options: [android, ios, both]
+      build_type:
+        required: true
+        type: choice
+        options: [main, flask]
+        default: main
+  workflow_dispatch:
+    inputs:
+      environment:
+        required: true
+        type: choice
+        options: [prod, rc, exp]
+      platform:
+        required: true
+        type: choice
+        options: [android, ios, both]
+      build_type:
+        required: true
+        type: choice
+        options: [main, flask]
+        default: main
+
+jobs:
+  load-environment-config:
+    runs-on: ubuntu-latest
+    outputs:
+      config: ${{ steps.load-config.outputs.config }}
+      requires_approval: ${{ steps.load-config.outputs.requires_approval }}
+      github_environment: ${{ steps.load-config.outputs.github_environment }}
+      secrets_mapping: ${{ steps.load-config.outputs.secrets_mapping }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Load environment configuration (YAML anchors)
+        id: load-config
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { loadConfigWithAnchors } = require('./scripts/load-yaml-config.js');
+            const env = '${{ inputs.environment }}';
+            const config = loadConfigWithAnchors(env);
+
+            // Extract secrets mapping
+            const secretsMapping = JSON.stringify(config.secrets || {});
+
+            return {
+              config: JSON.stringify(config),
+              requires_approval: config.environment.requires_approval,
+              github_environment: config.environment.github_environment,
+              secrets_mapping: secretsMapping
+            };
+
+  approval:
+    if: needs.load-environment-config.outputs.requires_approval == 'true'
+    needs: load-environment-config
+    runs-on: ubuntu-latest
+    environment: ${{ needs.load-environment-config.outputs.github_environment }}
+    steps:
+      - name: Wait for approval
+        run: echo "Approval required for ${{ inputs.environment }} builds"
+
+  build:
+    needs:
+      - load-environment-config
+      - approval
+    if: always() && (needs.approval.result == 'success' || needs.approval.result == 'skipped')
+    strategy:
+      matrix:
+        platform: ${{ inputs.platform == 'both' && fromJSON('["android", "ios"]') || fromJSON(format('["{0}"]', inputs.platform)) }}
+    runs-on: ${{ matrix.platform == 'ios' && 'macos-latest' || 'ubuntu-latest' }}
+    environment: ${{ needs.load-environment-config.outputs.github_environment }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'yarn'
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Setup project
+        run: yarn setup:github-ci
+
+      - name: Apply environment configuration
+        id: apply-config
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { loadConfigWithAnchors } = require('./scripts/load-yaml-config.js');
+            const env = '${{ inputs.environment }}';
+            const config = loadConfigWithAnchors(env);
+
+            // Set non-secret environment variables from merged config
+            const outputs = {};
+
+            // Server URLs
+            Object.entries(config.servers).forEach(([key, value]) => {
+              const envVar = key.toUpperCase();
+              outputs[envVar] = value;
+              core.exportVariable(envVar, value);
+            });
+
+            // Feature flags
+            Object.entries(config.features).forEach(([key, value]) => {
+              const envVar = key.toUpperCase();
+              outputs[envVar] = value.toString();
+              core.exportVariable(envVar, value.toString());
+            });
+
+            // Build configuration
+            core.exportVariable('METAMASK_ENVIRONMENT', config.environment.name);
+            core.exportVariable('METAMASK_BUILD_TYPE', '${{ inputs.build_type }}');
+
+            // Output for other steps
+            Object.entries(outputs).forEach(([key, value]) => {
+              core.setOutput(key.toLowerCase().replace(/_/g, '_'), value);
+            });
+
+      - name: Set secrets as environment variables
+        env:
+          CONFIG_SECRETS: ${{ needs.load-environment-config.outputs.secrets_mapping }}
+        run: |
+          # Note: GitHub Actions doesn't allow dynamic secret access
+          # Secrets must be configured in the GitHub environment and accessed directly
+          echo "Secrets mapping loaded. Secrets should be configured in GitHub environment settings."
+          echo "$CONFIG_SECRETS" | jq -r 'to_entries[] | "export \(.key)=\"${{ secrets.\(.value) }}\""' || true
+
+      - name: Build ${{ matrix.platform }}
+        run: |
+          ./scripts/build.sh ${{ matrix.platform }} ${{ inputs.build_type }} ${{ inputs.environment }}

build/environments/README.md

@@ -0,0 +1,84 @@
+# Environment Configuration Management (YAML Anchors)
+
+This directory contains YAML configuration files using native YAML anchors feature.
+
+## Structure
+
+- `shared.yml` - Defines YAML anchors for shared configuration
+- `prod/config.yml` - Production configuration using anchors
+- `rc/config.yml` - Release Candidate configuration using anchors
+- `exp/config.yml` - Experimental configuration using anchors
+
+## How It Works
+
+1. **Shared Anchors**: `shared.yml` defines anchors (using `x-` prefix) for:
+   - `x-servers` → `*servers`
+   - `x-features` → `*features`
+   - `x-build-base` → `*build-base`
+   - `x-common-secrets` → `*common-secrets`
+
+2. **Environment Configs**: Each environment config references anchors using `*anchorName` syntax
+3. **Merge Keys**: Use `<<: *anchorName` to merge anchor content into objects
+4. **Loading**: The `scripts/load-yaml-config.js` script loads and resolves anchors
+
+## Usage
+
+### Load configuration
+
+```bash
+node scripts/load-yaml-config.js <environment>
+```
+
+Example:
+```bash
+node scripts/load-yaml-config.js prod
+```
+
+This outputs the resolved JSON configuration with all anchors expanded.
+
+### In GitHub Actions
+
+The workflow would use `load-yaml-config.js` to load the configuration, similar to Proposal 1.
+
+## YAML Anchor Syntax
+
+### Defining Anchors (in shared.yml)
+```yaml
+x-servers: &servers
+  portfolio_api: "https://..."
+  auth_service: "https://..."
+```
+
+### Using Anchors (in config.yml)
+```yaml
+# Direct reference
+servers: *servers
+
+# Merge into object
+secrets:
+  <<: *common-secrets
+  # Additional secrets here
+```
+
+## Benefits
+
+- **Native YAML**: Uses standard YAML features (anchors and merge keys)
+- **No Custom Scripts**: Leverages YAML parser's built-in anchor support
+- **DRY**: Shared values defined once as anchors
+- **Clear**: Anchor references make dependencies explicit
+
+## Limitations
+
+- **Cross-file Anchors**: Standard YAML doesn't support anchors across files
+  - Solution: `load-yaml-config.js` loads both files and resolves anchors
+- **Complexity**: Anchor resolution can be complex for deeply nested structures
+- **Tool Support**: Some YAML tools may not fully support merge keys (`<<`)
+
+## Comparison with Proposal 1
+
+| Feature | Proposal 1 (Base Config) | Proposal 2 (Anchors) |
+|---------|-------------------------|----------------------|
+| Standard YAML | ✅ Yes | ⚠️ Requires cross-file support |
+| Custom Script | ✅ Simple merge | ⚠️ Anchor resolution needed |
+| Clarity | ✅ Very clear | ⚠️ Can be complex |
+| Maintenance | ✅ Easy | ⚠️ Moderate |

build/environments/exp/config.yml

@@ -0,0 +1,38 @@
+# Experimental configuration using YAML anchors
+# References anchors from shared.yml
+
+# Use anchors from shared.yml
+servers: *servers
+features: *features
+
+environment:
+  name: exp
+  display_name: Experimental
+  requires_approval: false
+  approval_team: null
+  github_environment: build-exp
+
+# Extend build-base anchor with Exp-specific overrides
+build:
+  <<: *build-base
+  android:
+    <<: *build-base.android
+    keystore: "mainExp"
+    signing_config: "mainExp"
+
+# Merge common secrets with Exp-specific secrets
+secrets:
+  <<: *common-secrets
+  # Exp-specific overrides
+  SEGMENT_WRITE_KEY: "SEGMENT_WRITE_KEY_QA"
+  SEGMENT_PROXY_URL: "SEGMENT_PROXY_URL_QA"
+  SEGMENT_DELETE_API_SOURCE_ID: "SEGMENT_DELETE_API_SOURCE_ID_QA"
+  SEGMENT_REGULATIONS_ENDPOINT: "SEGMENT_REGULATIONS_ENDPOINT_QA"
+  MM_SENTRY_DSN: "MM_SENTRY_DSN_TEST"
+  IOS_GOOGLE_CLIENT_ID: "MAIN_IOS_GOOGLE_CLIENT_ID_UAT"
+  IOS_GOOGLE_REDIRECT_URI: "MAIN_IOS_GOOGLE_REDIRECT_URI_UAT"
+  ANDROID_APPLE_CLIENT_ID: "MAIN_ANDROID_APPLE_CLIENT_ID_UAT"
+  ANDROID_GOOGLE_CLIENT_ID: "MAIN_ANDROID_GOOGLE_CLIENT_ID_UAT"
+  ANDROID_GOOGLE_SERVER_CLIENT_ID: "MAIN_ANDROID_GOOGLE_SERVER_CLIENT_ID_UAT"
+  WEB3AUTH_NETWORK: "MAIN_WEB3AUTH_NETWORK_PROD"
+  MM_CARD_BAANX_API_CLIENT_KEY: "MM_CARD_BAANX_API_CLIENT_KEY_UAT"

build/environments/prod/config.yml

@@ -0,0 +1,39 @@
+# Production configuration using YAML anchors
+# References anchors from shared.yml
+
+# Use anchors from shared.yml
+servers: *servers
+features: *features
+
+environment:
+  name: production
+  display_name: Production
+  requires_approval: true
+  approval_team: mobile-platform
+  github_environment: build-production
+
+# Extend build-base anchor with production-specific overrides
+build:
+  <<: *build-base
+  android:
+    <<: *build-base.android
+    keystore: "mainProd"
+    signing_config: "mainProd"
+    package_name: "io.metamask"  # Explicit override
+
+# Merge common secrets with production-specific secrets
+secrets:
+  <<: *common-secrets
+  # Production-specific overrides
+  SEGMENT_WRITE_KEY: "SEGMENT_WRITE_KEY"
+  SEGMENT_PROXY_URL: "SEGMENT_PROXY_URL"
+  SEGMENT_DELETE_API_SOURCE_ID: "SEGMENT_DELETE_API_SOURCE_ID"
+  SEGMENT_REGULATIONS_ENDPOINT: "SEGMENT_REGULATIONS_ENDPOINT"
+  MM_SENTRY_DSN: "MM_SENTRY_DSN"
+  IOS_GOOGLE_CLIENT_ID: "IOS_GOOGLE_CLIENT_ID"
+  IOS_GOOGLE_REDIRECT_URI: "IOS_GOOGLE_REDIRECT_URI"
+  ANDROID_APPLE_CLIENT_ID: "ANDROID_APPLE_CLIENT_ID"
+  ANDROID_GOOGLE_CLIENT_ID: "ANDROID_GOOGLE_CLIENT_ID"
+  ANDROID_GOOGLE_SERVER_CLIENT_ID: "ANDROID_GOOGLE_SERVER_CLIENT_ID"
+  MM_BRANCH_KEY_LIVE: "MM_BRANCH_KEY_LIVE"
+  MM_CARD_BAANX_API_CLIENT_KEY: "MM_CARD_BAANX_API_CLIENT_KEY"

build/environments/rc/config.yml

@@ -0,0 +1,37 @@
+# Release Candidate configuration using YAML anchors
+# References anchors from shared.yml
+
+# Use anchors from shared.yml
+servers: *servers
+features: *features
+
+environment:
+  name: rc
+  display_name: Release Candidate
+  requires_approval: false
+  approval_team: null
+  github_environment: build-rc
+
+# Extend build-base anchor with RC-specific overrides
+build:
+  <<: *build-base
+  android:
+    <<: *build-base.android
+    keystore: "mainRc"
+    signing_config: "mainRc"
+
+# Merge common secrets with RC-specific secrets
+secrets:
+  <<: *common-secrets
+  # RC-specific overrides
+  SEGMENT_WRITE_KEY: "SEGMENT_WRITE_KEY_QA"
+  SEGMENT_PROXY_URL: "SEGMENT_PROXY_URL_QA"
+  SEGMENT_DELETE_API_SOURCE_ID: "SEGMENT_DELETE_API_SOURCE_ID_QA"
+  SEGMENT_REGULATIONS_ENDPOINT: "SEGMENT_REGULATIONS_ENDPOINT_QA"
+  MM_SENTRY_DSN: "MM_SENTRY_DSN_TEST"
+  IOS_GOOGLE_CLIENT_ID: "MAIN_IOS_GOOGLE_CLIENT_ID_PROD"
+  IOS_GOOGLE_REDIRECT_URI: "MAIN_IOS_GOOGLE_REDIRECT_URI_PROD"
+  ANDROID_APPLE_CLIENT_ID: "MAIN_ANDROID_APPLE_CLIENT_ID_PROD"
+  ANDROID_GOOGLE_CLIENT_ID: "MAIN_ANDROID_GOOGLE_CLIENT_ID_PROD"
+  ANDROID_GOOGLE_SERVER_CLIENT_ID: "MAIN_ANDROID_GOOGLE_SERVER_CLIENT_ID_PROD"
+  MM_CARD_BAANX_API_CLIENT_KEY: "MM_CARD_BAANX_API_CLIENT_KEY_PROD"