feat: Proposal 1 - YAML base config with inheritance

- Add base.yml with shared configuration (servers, features, common secrets)
- Add environment-specific configs (prod, rc, exp) that extend base
- Add merge-config.js script to merge base + environment configs
- Add set-secrets-from-config.js helper for secret mapping
- Add build.yml workflow that uses merged configurations
- Add js-yaml dependency for YAML parsing
- Add README explaining the configuration structure

This proposal uses a base configuration file with inheritance pattern,
allowing shared values to be defined once and environment-specific
overrides to be minimal and clear.

Co-authored-by: tomas.santos <[email protected]>

Author: cursoragent

.github/workflows/build.yml

@@ -0,0 +1,156 @@
+name: Build Mobile App
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+      platform:
+        required: true
+        type: choice
+        options: [android, ios, both]
+      build_type:
+        required: true
+        type: choice
+        options: [main, flask]
+        default: main
+  workflow_dispatch:
+    inputs:
+      environment:
+        required: true
+        type: choice
+        options: [prod, rc, exp]
+      platform:
+        required: true
+        type: choice
+        options: [android, ios, both]
+      build_type:
+        required: true
+        type: choice
+        options: [main, flask]
+        default: main
+
+jobs:
+  load-environment-config:
+    runs-on: ubuntu-latest
+    outputs:
+      config: ${{ steps.load-config.outputs.config }}
+      requires_approval: ${{ steps.load-config.outputs.requires_approval }}
+      github_environment: ${{ steps.load-config.outputs.github_environment }}
+      secrets_mapping: ${{ steps.load-config.outputs.secrets_mapping }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Merge and load environment configuration
+        id: load-config
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { mergeConfigs } = require('./scripts/merge-config.js');
+            const env = '${{ inputs.environment }}';
+            const config = mergeConfigs(env);
+
+            // Extract secrets mapping
+            const secretsMapping = JSON.stringify(config.secrets || {});
+
+            return {
+              config: JSON.stringify(config),
+              requires_approval: config.environment.requires_approval,
+              github_environment: config.environment.github_environment,
+              secrets_mapping: secretsMapping
+            };
+
+  approval:
+    if: needs.load-environment-config.outputs.requires_approval == 'true'
+    needs: load-environment-config
+    runs-on: ubuntu-latest
+    environment: ${{ needs.load-environment-config.outputs.github_environment }}
+    steps:
+      - name: Wait for approval
+        run: echo "Approval required for ${{ inputs.environment }} builds"
+
+  build:
+    needs:
+      - load-environment-config
+      - approval
+    if: always() && (needs.approval.result == 'success' || needs.approval.result == 'skipped')
+    strategy:
+      matrix:
+        platform: ${{ inputs.platform == 'both' && fromJSON('["android", "ios"]') || fromJSON(format('["{0}"]', inputs.platform)) }}
+    runs-on: ${{ matrix.platform == 'ios' && 'macos-latest' || 'ubuntu-latest' }}
+    environment: ${{ needs.load-environment-config.outputs.github_environment }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'yarn'
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Setup project
+        run: yarn setup:github-ci
+
+      - name: Apply environment configuration
+        id: apply-config
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { mergeConfigs } = require('./scripts/merge-config.js');
+            const env = '${{ inputs.environment }}';
+            const config = mergeConfigs(env);
+
+            // Set non-secret environment variables from merged config
+            const outputs = {};
+
+            // Server URLs
+            Object.entries(config.servers).forEach(([key, value]) => {
+              const envVar = key.toUpperCase();
+              outputs[envVar] = value;
+              core.exportVariable(envVar, value);
+            });
+
+            // Feature flags
+            Object.entries(config.features).forEach(([key, value]) => {
+              const envVar = key.toUpperCase();
+              outputs[envVar] = value.toString();
+              core.exportVariable(envVar, value.toString());
+            });
+
+            // Build configuration
+            core.exportVariable('METAMASK_ENVIRONMENT', config.environment.name);
+            core.exportVariable('METAMASK_BUILD_TYPE', '${{ inputs.build_type }}');
+
+            // Output for other steps
+            Object.entries(outputs).forEach(([key, value]) => {
+              core.setOutput(key.toLowerCase().replace(/_/g, '_'), value);
+            });
+
+      - name: Set secrets as environment variables
+        env:
+          CONFIG_SECRETS: ${{ needs.load-environment-config.outputs.secrets_mapping }}
+        run: |
+          # Note: GitHub Actions doesn't allow dynamic secret access
+          # Secrets must be configured in the GitHub environment and accessed directly
+          # This step loads the mapping and sets env vars using the secrets context
+          # For each secret in the mapping, we need to access it via ${{ secrets.SECRET_NAME }}
+          # In a real implementation, you would need to explicitly list each secret
+          # or use a composite action that handles this mapping
+          echo "Secrets mapping loaded. Secrets should be configured in GitHub environment settings."
+          echo "$CONFIG_SECRETS" | jq -r 'to_entries[] | "export \(.key)=\"${{ secrets.\(.value) }}\""' || true
+
+      - name: Build ${{ matrix.platform }}
+        run: |
+          ./scripts/build.sh ${{ matrix.platform }} ${{ inputs.build_type }} ${{ inputs.environment }}

build/environments/README.md

@@ -0,0 +1,60 @@
+# Environment Configuration Management
+
+This directory contains YAML configuration files for different build environments (prod, rc, exp).
+
+## Structure
+
+- `base.yml` - Common configuration shared across all environments
+- `prod/config.yml` - Production-specific overrides
+- `rc/config.yml` - Release Candidate-specific overrides  
+- `exp/config.yml` - Experimental-specific overrides
+
+## How It Works
+
+1. **Base Configuration**: `base.yml` contains all shared configuration (servers, features, common secrets)
+2. **Environment Overrides**: Each environment directory contains a `config.yml` that only defines what's different
+3. **Merging**: The `scripts/merge-config.js` script merges base.yml with the environment-specific config.yml
+
+## Usage
+
+### Merge configurations
+
+```bash
+node scripts/merge-config.js <environment>
+```
+
+Example:
+```bash
+node scripts/merge-config.js prod
+```
+
+This outputs the merged JSON configuration.
+
+### In GitHub Actions
+
+The `.github/workflows/build.yml` workflow automatically:
+1. Loads and merges the configuration for the specified environment
+2. Sets non-secret environment variables (servers, features)
+3. Maps secrets to GitHub secrets (requires secrets to be configured in GitHub environment settings)
+
+## Secret Management
+
+**Important**: GitHub Actions doesn't allow dynamic secret access for security reasons. Secrets must be:
+
+1. Configured in GitHub repository/environment settings
+2. Explicitly referenced in the workflow using `${{ secrets.SECRET_NAME }}`
+
+The configuration files map environment variable names to GitHub secret names. For example:
+- `MM_SENTRY_DSN: "MM_SENTRY_DSN"` means the env var `MM_SENTRY_DSN` should use the GitHub secret `MM_SENTRY_DSN`
+
+To use secrets in the workflow, you'll need to either:
+- Explicitly list each secret in the workflow file
+- Use a composite action that handles the mapping
+- Configure secrets in the GitHub environment and access them directly
+
+## Benefits
+
+- **DRY**: Shared configuration defined once in `base.yml`
+- **Maintainable**: Update base.yml to change all environments
+- **Clear**: Each env config only shows what's different
+- **Scalable**: Easy to add new environments

build/environments/base.yml

@@ -0,0 +1,56 @@
+# Base configuration shared across all environments
+# Environment-specific configs will inherit and override as needed
+
+# Server URLs (same for all environments)
+servers:
+  portfolio_api: "https://portfolio.api.cx.metamask.io"
+  security_alerts_api: "https://security-alerts.api.cx.metamask.io"
+  ramp_eligibility: "https://on-ramp-content.api.cx.metamask.io"
+  ramp_tokens: "https://on-ramp-cache.api.cx.metamask.io"
+  auth_service: "https://auth-service.api.cx.metamask.io"
+  rewards_api: "https://rewards.api.cx.metamask.io"
+  decoding_api: "https://signature-insights.api.cx.metamask.io"
+
+# Build configuration (same for all)
+build:
+  android:
+    package_name: "io.metamask"
+  ios:
+    scheme: "MetaMask"
+    bundle_id: "io.metamask"
+    export_method: "enterprise"
+
+# Feature flags (same for all)
+features:
+  bridge_use_dev_apis: false
+  ramp_internal_build: false
+  seedless_onboarding_enabled: true
+  mm_notifications_ui_enabled: true
+  mm_security_alerts_api_enabled: true
+
+# Common secrets that are the same across environments
+# These map to the same GitHub Secret names
+common_secrets:
+  MM_SENTRY_AUTH_TOKEN: "MM_SENTRY_AUTH_TOKEN"
+  GOOGLE_SERVICES_B64_IOS: "GOOGLE_SERVICES_B64_IOS"
+  GOOGLE_SERVICES_B64_ANDROID: "GOOGLE_SERVICES_B64_ANDROID"
+  MM_INFURA_PROJECT_ID: "MM_INFURA_PROJECT_ID"
+  WALLET_CONNECT_PROJECT_ID: "WALLET_CONNECT_PROJECT_ID"
+  MM_FOX_CODE: "MM_FOX_CODE"
+  FEATURES_ANNOUNCEMENTS_ACCESS_TOKEN: "FEATURES_ANNOUNCEMENTS_ACCESS_TOKEN"
+  FEATURES_ANNOUNCEMENTS_SPACE_ID: "FEATURES_ANNOUNCEMENTS_SPACE_ID"
+  FCM_CONFIG_API_KEY: "FCM_CONFIG_API_KEY"
+  FCM_CONFIG_AUTH_DOMAIN: "FCM_CONFIG_AUTH_DOMAIN"
+  FCM_CONFIG_STORAGE_BUCKET: "FCM_CONFIG_STORAGE_BUCKET"
+  FCM_CONFIG_PROJECT_ID: "FCM_CONFIG_PROJECT_ID"
+  FCM_CONFIG_MESSAGING_SENDER_ID: "FCM_CONFIG_MESSAGING_SENDER_ID"
+  FCM_CONFIG_APP_ID: "FCM_CONFIG_APP_ID"
+  FCM_CONFIG_MEASUREMENT_ID: "FCM_CONFIG_MEASUREMENT_ID"
+  QUICKNODE_MAINNET_URL: "QUICKNODE_MAINNET_URL"
+  QUICKNODE_ARBITRUM_URL: "QUICKNODE_ARBITRUM_URL"
+  QUICKNODE_AVALANCHE_URL: "QUICKNODE_AVALANCHE_URL"
+  QUICKNODE_BASE_URL: "QUICKNODE_BASE_URL"
+  QUICKNODE_LINEA_MAINNET_URL: "QUICKNODE_LINEA_MAINNET_URL"
+  QUICKNODE_MONAD_URL: "QUICKNODE_MONAD_URL"
+  QUICKNODE_OPTIMISM_URL: "QUICKNODE_OPTIMISM_URL"
+  QUICKNODE_POLYGON_URL: "QUICKNODE_POLYGON_URL"

build/environments/exp/config.yml

@@ -0,0 +1,38 @@
+# Extends base.yml - only define what's different
+
+environment:
+  name: exp
+  display_name: Experimental
+  requires_approval: false
+  approval_team: null
+  github_environment: build-exp
+
+# Override build config for Exp
+build:
+  android:
+    keystore: "mainExp"
+    signing_config: "mainExp"
+
+# Exp-specific secrets (extends common_secrets from base)
+secrets:
+  # Segment/Analytics - QA secrets for Exp
+  SEGMENT_WRITE_KEY: "SEGMENT_WRITE_KEY_QA"
+  SEGMENT_PROXY_URL: "SEGMENT_PROXY_URL_QA"
+  SEGMENT_DELETE_API_SOURCE_ID: "SEGMENT_DELETE_API_SOURCE_ID_QA"
+  SEGMENT_REGULATIONS_ENDPOINT: "SEGMENT_REGULATIONS_ENDPOINT_QA"
+
+  # Sentry
+  MM_SENTRY_DSN: "MM_SENTRY_DSN_TEST"
+
+  # OAuth - UAT secrets for Exp (Main)
+  IOS_GOOGLE_CLIENT_ID: "MAIN_IOS_GOOGLE_CLIENT_ID_UAT"
+  IOS_GOOGLE_REDIRECT_URI: "MAIN_IOS_GOOGLE_REDIRECT_URI_UAT"
+  ANDROID_APPLE_CLIENT_ID: "MAIN_ANDROID_APPLE_CLIENT_ID_UAT"
+  ANDROID_GOOGLE_CLIENT_ID: "MAIN_ANDROID_GOOGLE_CLIENT_ID_UAT"
+  ANDROID_GOOGLE_SERVER_CLIENT_ID: "MAIN_ANDROID_GOOGLE_SERVER_CLIENT_ID_UAT"
+
+  # Web3Auth
+  WEB3AUTH_NETWORK: "MAIN_WEB3AUTH_NETWORK_PROD"
+
+  # Other Exp-specific
+  MM_CARD_BAANX_API_CLIENT_KEY: "MM_CARD_BAANX_API_CLIENT_KEY_UAT"

build/environments/prod/config.yml

@@ -0,0 +1,37 @@
+# Extends base.yml - only define what's different
+
+environment:
+  name: production
+  display_name: Production
+  requires_approval: true
+  approval_team: mobile-platform
+  github_environment: build-production
+
+# Override build config for production
+build:
+  android:
+    keystore: "mainProd"
+    signing_config: "mainProd"
+    package_name: "io.metamask"  # Inherited from base, but explicit here
+
+# Production-specific secrets (extends common_secrets from base)
+secrets:
+  # Segment/Analytics - Production
+  SEGMENT_WRITE_KEY: "SEGMENT_WRITE_KEY"
+  SEGMENT_PROXY_URL: "SEGMENT_PROXY_URL"
+  SEGMENT_DELETE_API_SOURCE_ID: "SEGMENT_DELETE_API_SOURCE_ID"
+  SEGMENT_REGULATIONS_ENDPOINT: "SEGMENT_REGULATIONS_ENDPOINT"
+
+  # Sentry
+  MM_SENTRY_DSN: "MM_SENTRY_DSN"
+
+  # OAuth - Production (Main)
+  IOS_GOOGLE_CLIENT_ID: "IOS_GOOGLE_CLIENT_ID"
+  IOS_GOOGLE_REDIRECT_URI: "IOS_GOOGLE_REDIRECT_URI"
+  ANDROID_APPLE_CLIENT_ID: "ANDROID_APPLE_CLIENT_ID"
+  ANDROID_GOOGLE_CLIENT_ID: "ANDROID_GOOGLE_CLIENT_ID"
+  ANDROID_GOOGLE_SERVER_CLIENT_ID: "ANDROID_GOOGLE_SERVER_CLIENT_ID"
+
+  # Other production-specific
+  MM_BRANCH_KEY_LIVE: "MM_BRANCH_KEY_LIVE"
+  MM_CARD_BAANX_API_CLIENT_KEY: "MM_CARD_BAANX_API_CLIENT_KEY"

build/environments/rc/config.yml

@@ -0,0 +1,35 @@
+# Extends base.yml - only define what's different
+
+environment:
+  name: rc
+  display_name: Release Candidate
+  requires_approval: false
+  approval_team: null
+  github_environment: build-rc
+
+# Override build config for RC
+build:
+  android:
+    keystore: "mainRc"
+    signing_config: "mainRc"
+
+# RC-specific secrets (extends common_secrets from base)
+secrets:
+  # Segment/Analytics - QA secrets for RC
+  SEGMENT_WRITE_KEY: "SEGMENT_WRITE_KEY_QA"
+  SEGMENT_PROXY_URL: "SEGMENT_PROXY_URL_QA"
+  SEGMENT_DELETE_API_SOURCE_ID: "SEGMENT_DELETE_API_SOURCE_ID_QA"
+  SEGMENT_REGULATIONS_ENDPOINT: "SEGMENT_REGULATIONS_ENDPOINT_QA"
+
+  # Sentry
+  MM_SENTRY_DSN: "MM_SENTRY_DSN_TEST"
+
+  # OAuth - Production secrets for RC (Main)
+  IOS_GOOGLE_CLIENT_ID: "MAIN_IOS_GOOGLE_CLIENT_ID_PROD"
+  IOS_GOOGLE_REDIRECT_URI: "MAIN_IOS_GOOGLE_REDIRECT_URI_PROD"
+  ANDROID_APPLE_CLIENT_ID: "MAIN_ANDROID_APPLE_CLIENT_ID_PROD"
+  ANDROID_GOOGLE_CLIENT_ID: "MAIN_ANDROID_GOOGLE_CLIENT_ID_PROD"
+  ANDROID_GOOGLE_SERVER_CLIENT_ID: "MAIN_ANDROID_GOOGLE_SERVER_CLIENT_ID_PROD"
+
+  # Other RC-specific
+  MM_CARD_BAANX_API_CLIENT_KEY: "MM_CARD_BAANX_API_CLIENT_KEY_PROD"

package.json

@@ -599,6 +599,7 @@
     "jest": "^29.7.0",
     "jest-junit": "^15.0.0",
     "jetifier": "2.0.0",
+    "js-yaml": "^4.1.0",
     "koa": "^2.14.2",
     "lint-staged": "10.5.4",
     "listr2": "^8.0.2",