ci: reuse native E2E builds across commits and PRs (#29247)

<!--
Please submit this PR as a draft initially.

Do not mark it as "Ready for review" until this PR meets the canonical
Definition of Ready For Review in `docs/readme/ready-for-review.md`.

In short: the template must be materially complete (not just section
titles
present), all status checks must be currently passing, and the only
expected
follow-up commits must be reviewer-driven.
-->

## **Description**

Replaces the branch-keyed `cirruslabs/cache` reuse layer for native E2E
builds with a content-addressable cross-run lookup, driven by a
`build-source-hash` commit status that is computed once on a stable
runner.

### How it works

```mermaid
flowchart TD
    A["post-build-source-hash<br/>(ubuntu-latest, pinned to PR head SHA)<br/>fingerprint = yarn fingerprint:generate"] -->|posts build-source-hash status<br/>+ exposes as job output| B["Build iOS / Android job"]
    B --> C{"check-force-builds<br/>label OR [force-builds] in commit?"}
    C -- yes --> H["Heavy native-build path<br/>setup-e2e-env + Gradle/Xcode + compile"]
    C -- no --> D["find-reusable-build<br/>(GitHub Actions REST API)"]
    D --> D1["Tier 1: same-branch runs"]
    D1 -- miss --> D2["Tier 2: base-branch (main) runs"]
    D2 -- miss --> D3["Tier 3: cross-PR runs<br/>(event=pull_request, no branch filter)"]
    D1 -- hit --> E["actions/download-artifact@v4<br/>by run-id"]
    D2 -- hit --> E
    D3 -- hit --> E
    D3 -- miss --> H
    E --> F["Lean repack path<br/>Node + yarn install + repack:{ios,android}"]
    H --> I["Upload .app / release.apk / androidTest.apk"]
    F --> I
    I -.->|feeds future runs| D
```

The probe runs **before** any heavy setup. On a hit, iOS skips
Ruby/Bundler/CocoaPods/`pod install`; Android skips
`setup-e2e-env`/Gradle. Only the JS bundle is rebuilt and re-packed into
the cached native shell.

### Benefits vs the previous `cirruslabs/cache` layer

| | Before | After (this PR) |
|---|---|---|
| **Reuse keyspace** | `${ref_name}` baked into key → every PR isolated;
only `main → PR` fallback crossed branches | Content-addressable by
fingerprint; any PR can reuse any other PR's build |
| **When the lookup runs** | *After* `setup-e2e-env` (cache key needs
`node_modules` to compute fingerprint) | Before any heavy setup |
| **Fingerprint stability** | Recomputed per runner → drifts across
macOS / Linux build / Linux CI runners; shifts on every `main` push |
Computed once on `ubuntu-latest`, pinned to `pull_request.head.sha` |
| **iOS reuse-hit wall time** | ~6m setup + ~5m repack | ~30-60s setup +
~1-2m repack |
| **Android reuse-hit wall time** | ~5m23s | ~1-2m warm / ~2-3m
cold-cache |
| **Cold build (no reuse)** | ~20-25m | unchanged |

### What changed

- **`ci.yml`** — new `post-build-source-hash` job emits the canonical
fingerprint and exposes it as a job output consumed by both build jobs.
- **New composite actions** — `find-reusable-build` (3-tier scan),
`check-force-builds` (label + `[force-builds]` commit-message escape
hatch; reads commit message via REST API to survive shallow checkout),
`post-build-source-hash` (factored out for reuse).
- **`build-{ios,android}-e2e.yml`** — probe → gate → lean-repack vs
heavy-native paths. Lean paths skip the work `yarn build:repack:*`
doesn't need.
- **`setup-e2e-env`** — new `install-foundry` input (default `true`,
opt-out for build workflows where `yarn setup:github-ci` already runs
`install:foundryup`).
- **Repack throughput** — `METRO_MAX_WORKERS` bumped `2 → 6` on the lean
path (no Gradle/Xcode competing for RAM).
- **Removed** — branch- and main-scoped `cirruslabs/cache` for
`MetaMask.app` / `release.apk` / `release-androidTest.apk`. Gradle,
Xcode DerivedData, and `.metamask` caches kept (gated to the heavy
path).

### Safety

- Fingerprint job failure or forked PR (no `statuses: write`) → empty
`source-fingerprint` → all reuse steps skipped → fresh build runs. Never
"no build".
- The same `build-source-hash` status gates the OTA path in
`push-eas-update.yml`, so a JS-only OTA cannot ship after native code
changes.
- Full architecture, decision tables, and failure-mode catalog:
`docs/ci-build-reuse.md` (new in this PR).

## **Changelog**

CHANGELOG entry: null

## **Related issues**

Refs: Prior art in MetaMask extension —
MetaMask/metamask-extension#41435

No issue: CI infrastructure improvement; no Jira ticket.

## **Manual testing steps**

```gherkin
Feature: Reusable native E2E builds on CI

  Scenario: Fresh run populates the reuse pool
    Given this branch has no prior completed CI run with a matching fingerprint
    When CI runs on the latest commit
    Then post-build-source-hash posts a build-source-hash commit status on the PR head SHA
    And Build iOS E2E Apps runs setup-e2e-env and the full Xcode native compile
    And Build Android E2E APKs runs setup-e2e-env and the full Gradle build
    And both jobs upload artifacts named ${build_type}-${env}-MetaMask.app, ${build_type}-${env}-release.apk, and ${build_type}-${env}-release-androidTest.apk

  Scenario: Empty commit reuses the prior native build (same-branch tier)
    Given the branch has a prior successful run with non-expired artifacts
    When an empty commit is pushed
    Then post-build-source-hash computes and posts the same fingerprint as before
    And find-reusable-build reports a hit via the same-branch tier
    And Build iOS E2E Apps skips Ruby/Bundler/CocoaPods/Xcode setup and only runs yarn build:repack:ios
    And Build Android E2E APKs skips setup-e2e-env and only runs yarn build:repack:android
    And E2E tests run against the repacked artifacts

  Scenario: Cross-PR reuse finds an unrelated PR with matching fingerprint
    Given PR A on branch feature-a completed a fresh native build and uploaded artifacts
    And PR B on branch feature-b touches only JS/tests/docs (no native-affecting files)
    When PR B's CI runs
    Then find-reusable-build misses the same-branch tier (feature-b runs)
    And misses the base-branch tier (no recent main run with the matching fingerprint)
    And matches PR A's run via the cross-PR tier (event=pull_request, no branch filter)
    And PR B downloads PR A's artifacts by run-id and runs yarn build:repack:*

  Scenario: force-builds label bypasses reuse
    Given a PR that would otherwise hit the reuse path
    When the force-builds label is added and CI re-runs
    Then check-force-builds reports force=true
    And find-reusable-build does not run
    And both iOS and Android run a fresh native compile
    And when the label is removed and CI re-runs, reuse resumes normally

  Scenario: [force-builds] commit tag bypasses reuse under shallow checkout
    Given a PR whose head commit message contains [force-builds]
    When CI runs
    Then check-force-builds reads the commit message via the GitHub REST API (not git show)
    And reports force=true even with actions/checkout's default fetch-depth: 1
    And both iOS and Android run a fresh native compile

  Scenario: Fingerprint job failure degrades gracefully to fresh build
    Given post-build-source-hash fails (e.g. broken fingerprint.config.js, transient yarn install error, or missing statuses: write on a fork)
    When the build workflows run
    Then inputs.source-fingerprint is empty
    And every fingerprint-keyed step is skipped
    And both iOS and Android run a fresh native compile
    And no E2E build is blocked

  Scenario: Metro transform cache persists across repack runs
    Given a reuse hit on the repack path
    When yarn build:repack:{ios,android} runs
    Then Metro uses METRO_CACHE_DIR as its FileStore root
    And the persisted transform cache is honored (no --reset-cache)
    And the E2E build runs with updates disabled (no app.manifest generation)
```

## **Screenshots/Recordings**

### **Before**

N/A — CI-only change; no UI impact.

### **After**

N/A — CI-only change; no UI impact.

## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I've applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

#### Performance checks (if applicable)

- [x] I've tested on Android
- [x] I've tested with a power user scenario
- [x] I've instrumented key operations with Sentry traces for production
performance metrics

For performance guidelines and tooling, see the [Performance
Guide](https://consensyssoftware.atlassian.net/wiki/spaces/TL1/pages/400085549067/Performance+Guide+for+Engineers).

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

<!-- Generated with the help of the pr-description AI skill -->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes CI build/reuse logic and caching paths for iOS/Android E2E
artifacts, which could cause unexpected stale/invalid artifacts or
missed rebuilds if the fingerprint/status or artifact lookup is wrong.
Scoped to CI/workflows, but failures can block or slow builds across
PRs.
> 
> **Overview**
> Enables **cross-run, cross-PR reuse** of native E2E build artifacts by
introducing a canonical `@expo/fingerprint` published as a
`build-source-hash` commit status and using it to locate/download
matching artifacts from prior workflow runs.
> 
> Build workflows now **gate between a full native build vs a lean
repack path**: they first check a `force-builds` override (PR label or
`[force-builds]` commit token), then attempt to find/download reusable
artifacts; on a hit they skip heavy setup (Gradle/Xcode) and only run
repack + lightweight dependency setup.
> 
> CI wiring is updated to add the `post-build-source-hash` job and pass
`source-fingerprint` into iOS/Android build jobs (with added
`actions/statuses/pull-requests` read permissions), `setup-e2e-env`
gains an `install-foundry` toggle to avoid redundant installs, and
repack throughput is tuned (e.g., `METRO_MAX_WORKERS` increased on reuse
paths) with clearer guidance when repack detects a broken cached iOS
app.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
89e6bc5. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: tommasini

.github/actions/check-force-builds/action.yml

@@ -0,0 +1,81 @@
+name: 'Check force-builds override'
+description: >-
+  Detects whether the current workflow run should bypass native build reuse
+  (both the GHA cache and the cross-run artifact lookup) and always compile
+  fresh. The override is honored on `pull_request` events via a `force-builds`
+  label OR a `[force-builds]` token in the head commit message. It is
+  intentionally ignored on `merge_group` and `push` events so the merge queue
+  always uses hash-verified reuse.
+
+inputs:
+  github-token:
+    description: >-
+      GitHub token with `pull-requests: read` (for label lookup) and
+      `contents: read` (to fetch the head commit message via the REST API).
+    required: true
+  label-name:
+    description: 'PR label that, when present, forces fresh builds'
+    required: false
+    default: 'force-builds'
+  commit-tag:
+    description: 'Case-sensitive substring in the head commit message that forces fresh builds'
+    required: false
+    default: '[force-builds]'
+
+outputs:
+  force:
+    description: "'true' when fresh builds should be forced, otherwise 'false'"
+    value: ${{ steps.compute.outputs.force }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Compute force-builds flag
+      id: compute
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+        LABEL_NAME: ${{ inputs.label-name }}
+        COMMIT_TAG: ${{ inputs.commit-tag }}
+        EVENT_NAME: ${{ github.event_name }}
+        HEAD_COMMIT_HASH: ${{ github.event.pull_request.head.sha }}
+        PR_NUMBER: ${{ github.event.pull_request.number }}
+        REPOSITORY: ${{ github.repository }}
+      run: |
+        FORCE="false"
+
+        if [[ "$EVENT_NAME" != "pull_request" ]]; then
+          echo "Event is $EVENT_NAME; force-builds override is ignored outside pull_request events."
+          echo "force=$FORCE" >> "$GITHUB_OUTPUT"
+          exit 0
+        fi
+
+        # Commit-message tag.
+        COMMIT_MESSAGE=""
+        if COMMIT_MESSAGE=$(gh api \
+            "repos/$REPOSITORY/commits/$HEAD_COMMIT_HASH" \
+            --jq '.commit.message' 2>/dev/null); then
+          if printf '%s' "$COMMIT_MESSAGE" \
+              | grep --fixed-strings --quiet "$COMMIT_TAG"; then
+            echo "-> force=true because '$COMMIT_TAG' was found in commit message of $HEAD_COMMIT_HASH"
+            FORCE="true"
+          fi
+        else
+          echo "::warning::Failed to fetch commit message for $HEAD_COMMIT_HASH via GitHub API; commit-tag force-builds check skipped for this run (the '$LABEL_NAME' label path still works)."
+        fi
+
+        # PR label
+        if [[ -n "$PR_NUMBER" ]]; then
+          if gh pr view "$PR_NUMBER" --repo "$REPOSITORY" \
+              --json labels --jq '.labels[].name' \
+              | grep --fixed-strings --line-regexp --quiet "$LABEL_NAME"; then
+            echo "-> force=true because '$LABEL_NAME' label is applied to PR #$PR_NUMBER"
+            FORCE="true"
+          fi
+        fi
+
+        if [[ "$FORCE" == "false" ]]; then
+          echo "No force-builds override active."
+        fi
+
+        echo "force=$FORCE" >> "$GITHUB_OUTPUT"

.github/actions/find-reusable-build/action.yml

@@ -0,0 +1,255 @@
+name: 'Find reusable build from prior run'
+description: >-
+  Searches recent workflow runs across three tiers (same branch, base branch,
+  then any open PR branch) for a run whose `build-source-hash` commit status
+  matches the current fingerprint AND whose required build artifacts are still
+  available. If a match is found, outputs the run id so a subsequent
+  `actions/download-artifact` step can pull the artifacts directly instead of
+  triggering a fresh native build.
+
+  The third (cross-PR) tier is required because GitHub's `listWorkflowRuns`
+  `branch` parameter filters against `head_branch` — the PR source branch for
+  `pull_request` events — so branch-scoped lookups can never discover other
+  PRs' runs. The cross-PR tier drops the branch filter and instead uses
+  `event: pull_request` to let the fingerprint itself act as the cross-PR
+  deduplication key.
+
+inputs:
+  fingerprint:
+    description: 'The @expo/fingerprint hash the candidate must match'
+    required: true
+  artifact-names:
+    description: 'JSON array of artifact names that must all be present on the candidate run'
+    required: true
+  github-token:
+    description: 'GitHub token with `actions: read` and `statuses: read` permissions'
+    required: true
+  workflow-file:
+    description: 'Workflow filename whose runs will be searched'
+    required: false
+    default: 'ci.yml'
+  base-branch:
+    description: 'Fallback branch when no same-branch match is found'
+    required: false
+    default: 'main'
+  status-context:
+    description: 'Commit status context that carries the fingerprint'
+    required: false
+    default: 'build-source-hash'
+  max-candidates-per-branch:
+    description: 'How many recent runs to inspect per branch-scoped tier (same-branch, base-branch)'
+    required: false
+    default: '10'
+  max-candidates-cross-pr:
+    description: >-
+      How many recent `pull_request`-event runs (across all branches) to inspect
+      in the cross-PR tier. The fingerprint filter is highly discriminating, so
+      the practical cost is one `getCombinedStatusForRef` call per candidate
+      until a match is found.
+    required: false
+    default: '30'
+
+outputs:
+  found:
+    description: "'true' when a reusable run was found"
+    value: ${{ steps.lookup.outputs.found }}
+  run-id:
+    description: 'Workflow run id that produced the reusable artifacts'
+    value: ${{ steps.lookup.outputs.run-id }}
+  source-sha:
+    description: 'Commit SHA of the reusable run'
+    value: ${{ steps.lookup.outputs.source-sha }}
+  source-branch:
+    description: 'Branch of the reusable run (same-branch or base-branch)'
+    value: ${{ steps.lookup.outputs.source-branch }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Search prior runs for matching fingerprint
+      id: lookup
+      uses: actions/github-script@v7
+      continue-on-error: true
+      env:
+        TARGET_FINGERPRINT: ${{ inputs.fingerprint }}
+        ARTIFACT_NAMES_JSON: ${{ inputs.artifact-names }}
+        WORKFLOW_FILE: ${{ inputs.workflow-file }}
+        BASE_BRANCH: ${{ inputs.base-branch }}
+        STATUS_CONTEXT: ${{ inputs.status-context }}
+        MAX_CANDIDATES: ${{ inputs.max-candidates-per-branch }}
+        MAX_CANDIDATES_CROSS_PR: ${{ inputs.max-candidates-cross-pr }}
+        HEAD_BRANCH: ${{ github.head_ref || github.ref_name }}
+        HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
+        CURRENT_RUN_ID: ${{ github.run_id }}
+      with:
+        github-token: ${{ inputs.github-token }}
+        script: |
+          const {
+            TARGET_FINGERPRINT,
+            ARTIFACT_NAMES_JSON,
+            WORKFLOW_FILE,
+            BASE_BRANCH,
+            STATUS_CONTEXT,
+            MAX_CANDIDATES,
+            MAX_CANDIDATES_CROSS_PR,
+            HEAD_BRANCH,
+            HEAD_SHA,
+            CURRENT_RUN_ID,
+          } = process.env;
+
+          const setNotFound = () => {
+            core.setOutput('found', 'false');
+            core.setOutput('run-id', '');
+            core.setOutput('source-sha', '');
+            core.setOutput('source-branch', '');
+          };
+
+          if (!TARGET_FINGERPRINT) {
+            core.warning('No fingerprint provided; skipping lookup');
+            setNotFound();
+            return;
+          }
+
+          let requiredArtifacts;
+          try {
+            requiredArtifacts = JSON.parse(ARTIFACT_NAMES_JSON);
+          } catch (err) {
+            core.warning(`Could not parse artifact-names input: ${err.message}`);
+            setNotFound();
+            return;
+          }
+          if (!Array.isArray(requiredArtifacts) || requiredArtifacts.length === 0) {
+            core.warning('artifact-names must be a non-empty JSON array');
+            setNotFound();
+            return;
+          }
+
+          const maxCandidates = Number(MAX_CANDIDATES) || 10;
+          const maxCandidatesCrossPr = Number(MAX_CANDIDATES_CROSS_PR) || 30;
+          const currentRunId = String(CURRENT_RUN_ID);
+
+          // Three-tier discovery:
+          //   1. same-branch  — fastest path, catches retries and new commits
+          //                     on the current PR.
+          //   2. base-branch  — catches post-merge CI runs on `main`. Only
+          //                     matches `push`-event runs (pull_request runs
+          //                     have head_branch=<source branch>, not main).
+          //   3. cross-pr     — searches recent `pull_request` runs across
+          //                     ALL source branches so two unrelated PRs with
+          //                     the same fingerprint can reuse each other's
+          //                     artifacts. This tier deliberately drops the
+          //                     `branch` filter; without it, branch-scoped
+          //                     lookups can never discover another PR's run
+          //                     (GitHub filters `branch` against head_branch,
+          //                     which is the PR source branch).
+          const tiers = [
+            {
+              label: `same-branch (branch=${HEAD_BRANCH})`,
+              params: { branch: HEAD_BRANCH, per_page: maxCandidates },
+            },
+          ];
+          if (BASE_BRANCH && BASE_BRANCH !== HEAD_BRANCH) {
+            tiers.push({
+              label: `base-branch (branch=${BASE_BRANCH})`,
+              params: { branch: BASE_BRANCH, per_page: maxCandidates },
+            });
+          }
+          tiers.push({
+            label: `cross-pr (event=pull_request, any branch, last ${maxCandidatesCrossPr} runs)`,
+            params: { event: 'pull_request', per_page: maxCandidatesCrossPr },
+            // Skip runs already visited by the same-branch tier to avoid
+            // wasting API calls on duplicates.
+            skipHeadBranch: HEAD_BRANCH,
+          });
+
+          async function getFingerprintForSha(sha) {
+            try {
+              const { data } = await github.rest.repos.getCombinedStatusForRef({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: sha,
+                per_page: 100,
+              });
+              const status = data.statuses.find((s) => s.context === STATUS_CONTEXT);
+              return status ? status.description : null;
+            } catch (err) {
+              core.info(`getCombinedStatusForRef failed for ${sha}: ${err.message}`);
+              return null;
+            }
+          }
+
+          async function hasAllArtifacts(runId) {
+            try {
+              const artifacts = await github.paginate(
+                github.rest.actions.listWorkflowRunArtifacts,
+                {
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  run_id: runId,
+                  per_page: 100,
+                },
+              );
+              const available = new Set(
+                artifacts
+                  .filter((a) => !a.expired)
+                  .map((a) => a.name),
+              );
+              const missing = requiredArtifacts.filter((n) => !available.has(n));
+              if (missing.length > 0) {
+                core.info(`Run ${runId} missing artifacts: ${missing.join(', ')}`);
+                return false;
+              }
+              return true;
+            } catch (err) {
+              core.info(`listWorkflowRunArtifacts failed for ${runId}: ${err.message}`);
+              return false;
+            }
+          }
+
+          const seenRunIds = new Set();
+          seenRunIds.add(currentRunId);
+
+          for (const tier of tiers) {
+            core.info(`Searching tier: ${tier.label}`);
+            let runs;
+            try {
+              const { data } = await github.rest.actions.listWorkflowRuns({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                workflow_id: WORKFLOW_FILE,
+                ...tier.params,
+              });
+              runs = data.workflow_runs || [];
+            } catch (err) {
+              core.warning(`listWorkflowRuns failed for tier "${tier.label}": ${err.message}`);
+              continue;
+            }
+
+            for (const run of runs) {
+              const runIdStr = String(run.id);
+              if (seenRunIds.has(runIdStr)) continue;
+              seenRunIds.add(runIdStr);
+
+              if (tier.skipHeadBranch && run.head_branch === tier.skipHeadBranch) continue;
+              
+              if (run.status !== 'completed' && run.status !== 'in_progress') continue;
+
+              const fingerprint = await getFingerprintForSha(run.head_sha);
+              if (!fingerprint) continue;
+              if (fingerprint !== TARGET_FINGERPRINT) continue;
+
+              if (!(await hasAllArtifacts(run.id))) continue;
+
+              core.info(
+                `Match: tier="${tier.label}" run=${run.id} sha=${run.head_sha} branch=${run.head_branch} url=${run.html_url}`,
+              );
+              core.setOutput('found', 'true');
+              core.setOutput('run-id', runIdStr);
+              core.setOutput('source-sha', run.head_sha);
+              core.setOutput('source-branch', run.head_branch || '');
+              return;
+            }
+          }
+
+          core.info('No reusable build found across any tier');
+          setNotFound();