chore: Signing certificates config for build with gh actions (no impact to any existing flow)

[tommasini]

Description

signing certificates configuration;
main-dev working; script to generate build secrets into the build yml, could be optimised hopefully;
action to configure signing certificates;
set secrets from config script;
apply build config excepts secrets script

Changelog

CHANGELOG entry:

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Updates CI build and signing flows, including fetching and injecting signing materials/secrets at runtime, so misconfiguration could break releases or leak/omit required env vars despite the changes being mostly workflow/scripts.

Overview
Build configuration is moved and expanded. .github/builds.yml is removed and replaced by a root-level builds.yml, now including an explicit signing section (AWS role/secret + Android keystore path) and a new main-beta build variant, plus updated GitHub Environment mappings for UAT/flask builds.

GitHub Actions build pipeline now supports AWS-based code signing and more reliable env propagation. The build.yml workflow reads config from root builds.yml, persists applied config into GITHUB_ENV, replaces the previous keystore action with a new composite action (.github/actions/configure-signing) that assumes an AWS role and pulls signing material from AWS Secrets Manager (Android keystore + iOS cert/profile/keychain), and adds retries/timeouts plus Android CI Gradle properties and an updated iOS simulator artifact path.

Secret/config tooling is refactored to match the new workflow requirements. apply-build-config.js, validate-build-config.js, and verify-build-config.js are updated to use root builds.yml, apply-build-config.js adds --export-github-env, set-secrets-from-config.js now writes mapped secrets into GITHUB_ENV (with multiline support), and a new maintenance script generate-build-workflow-secrets-env.js (wired via yarn build:workflow:update-secrets) regenerates the workflow’s explicit secret env list. Docs/CODEOWNERS are updated accordingly.

^{Written by Cursor Bugbot for commit 77a734b. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.83%. Comparing base (fdc50e0) to head (e55608e).
⚠️ Report is 21 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #25766      +/-   ##
==========================================
+ Coverage   80.70%   80.83%   +0.12%     
==========================================
  Files        4361     4370       +9     
  Lines      113120   113324     +204     
  Branches    24093    24174      +81     
==========================================
+ Hits        91296    91605     +309     
+ Misses      15476    15369     -107     
- Partials     6348     6350       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sethkfman]

@tommasini Can you run E2E with your branch? I want to make sure we are not breaking any existing CI.

[MarioAslau]

LGTM

[Cal-L]

Lgtm

[github-actions]

🔍 Smart E2E Test Selection

⏭️ Smart E2E selection skipped - skip-smart-e2e-selection label found

All E2E tests pre-selected.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud