chore: build main exp

[tommasini]

Description

Changelog

CHANGELOG entry:

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Changes the CI signing path and runner environment, so misconfigured AWS roles/secrets or keychain/keystore handling could break release/test build pipelines or produce unsigned artifacts.

Overview
Moves CI code signing for Android/iOS builds to AWS Secrets Manager via a new composite action (.github/actions/configure-signing) that assumes an AWS role, exports secret keys into the environment (with masking), and configures either an Android keystore or an iOS keychain + provisioning profile.

Updates builds.yml to add a per-build signing block (role/secret/keystore path) for all non-dev builds, and wires build.yml to read these fields and run signing when present; also switches iOS builds to a Cirrus macOS runner image and adjusts Flask GitHub Environment names. Documentation is updated in builds.README.md to describe the new signing configuration and required secret structure.

^{Written by Cursor Bugbot for commit 5e6f5d0. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[cursor]

Duplicated AWS secret fetching logic across workflows

Medium Severity

The "Fetch secret and export as environment variables" step (lines 33-52) is nearly identical to existing code in .github/workflows/push-eas-update.yml (lines 384-400). Both implementations use the same AWS Secrets Manager CLI call, jq parsing pattern, masking, and export logic. The new action should be reused by push-eas-update.yml to consolidate this duplicated code.

 

[cursor]

iOS signing lacks validation unlike Android path

Medium Severity

The iOS signing step directly uses IOS_SIGNING_KEYSTORE_PASSWORD, IOS_SIGNING_KEYSTORE, and IOS_SIGNING_PROFILE without validating they are set, unlike the Android step which explicitly checks ANDROID_KEYSTORE and exits with a clear error message (lines 61-64). If these iOS environment variables are missing from the AWS secret, the step will create empty/invalid certificate files and fail later during security import with a cryptic error like "could not decode the blob" instead of a clear "secret not configured" message.

 

[github-actions]

🔍 Smart E2E Test Selection

⏭️ Smart E2E selection skipped - base branch is not main (base: chore/migrate-to-build-with-github-actiong)

All E2E tests pre-selected.

View GitHub Actions results

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.