Merged
6 changes: 6 additions & 0 deletions app/components/Views/Settings/AppInformation/index.js
Expand Up @@ -244,6 +244,12 @@ class AppInformation extends PureComponent {
<Text style={styles.branchInfo}>
{`Remote Feature Flag Distribution: ${getFeatureFlagAppDistribution()}`}
</Text>
<Text style={styles.branchInfo}>
{`Rewards API URL: ${process.env.REWARDS_API_URL ?? '—'}`}
Contributor

Do we want to keep the API URL at AppInformation?

Contributor Author

I think it'd be good for a while to test - this is listed in Builds.yml so it should not be a secret.

Contributor Author

happy to remove it though if you don't think it's needed

Contributor

Sounds good to me!

</Text>
<Text style={styles.branchInfo}>
{`MM_PORTFOLIO_URL: ${process.env.MM_PORTFOLIO_URL ?? '—'}`}
</Text>
<Text style={styles.branchInfo}>
{`OTA Updates enabled: ${String(isOTAUpdatesEnabled)}`}
</Text>
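Review bot: Nothing in the visible lines limits the new `Rewards API URL` and `MM_PORTFOLIO_URL` rows to non-production builds, so `process.env.REWARDS_API_URL` and `process.env.MM_PORTFOLIO_URL` would be rendered for every user who opens this screen. If the rows are a temporary testing aid, as the thread suggests, gate both on a non-production check or track their removal in a follow-up. The fallback `?? '—'` also only covers `undefined` and `null`; a variable that is set to an empty string renders as a blank value, so `||` may be the better operator here.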
40 changes: 32 additions & 8 deletions scripts/build.sh
Expand Up @@ -209,12 +209,18 @@ loadBuildConfig() {
# Legacy env remapping (Bitrise). Used only when GITHUB_ACTIONS is not set.
# GitHub Actions uses loadBuildConfig + builds.yml; secrets are set with canonical names.
# ─────────────────────────────────────────────────────────────────────────────
# Remap Bitrise-style vars (*_DEV, *_QA, *_PROD) to canonical names. Skip when source is unset
# (local / builds.yml use canonical names in .js.env; no _DEV/_QA needed).
# Legacy path (not GHA, not builds.yml): missing source var fails fast. Local: set BUILDS_ENABLED_WITH_GH_ACTIONS_TEMPORARY in .js.env to use builds.yml and skip.
remapEnvVariable() {
local old_var_name="$1"
local new_var_name="$2"
if [ -z "${!old_var_name}" ]; then
echo "Error: $old_var_name does not exist in the environment."
return 1
if [ -z "${GITHUB_ACTIONS:-}" ] && [ "${BUILDS_ENABLED_WITH_GH_ACTIONS_TEMPORARY:-false}" != "true" ]; then
echo "❌ Required Bitrise secret is missing: $old_var_name"
return 1
fi
return 0
Contributor

@tommasini tommasini Mar 6, 2026

return 0 is a silent failure risk on Bitrise. If a secret is ever misconfigured there, the build will pass and ship broken instead of failing fast.

The proper fix would have been to distinguish Bitrise from local, e.g. using a BITRISE_IO env var (which Bitrise sets automatically):

if [ -z "${GITHUB_ACTIONS:-}" ]; then
    if [ -n "${BITRISE_IO:-}" ]; then
        # On Bitrise: missing source var IS an error
        remapMainProdEnvVariables  # still uses return 1
    fi
    # local: skip remap entirely — .js.env already has canonical names
fi

Or maybe cleaner:

# Only Bitrise needs legacy remap
if [ -z "${GITHUB_ACTIONS:-}" ] && [ "${BUILDS_ENABLED_WITH_GH_ACTIONS_TEMPORARY:-false}" != "true" ]; then
    # Bitrise: _DEV/_QA/_PROD vars MUST exist — keep return 1
    remapMainProdEnvVariables
    ...
fi

Comment thread
cursor[bot] marked this conversation as resolved.
fi
export $new_var_name="${!old_var_name}"
unset $old_var_name
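Review bot: The new `return 0` branch in `remapEnvVariable` exits without logging anything, so when `GITHUB_ACTIONS` is set or `BUILDS_ENABLED_WITH_GH_ACTIONS_TEMPORARY` is `true`, a missing `$old_var_name` means the remap is skipped with no trace in the build output. Print a warning that names the skipped variable before `return 0`, and send the `❌ Required Bitrise secret is missing` message to stderr with `>&2`. That message also fires for a local run without the flag, where the variable is not a Bitrise secret, so either word it neutrally or key the fail-fast branch on a variable that only Bitrise sets. In the lines that follow, `export $new_var_name=...` and `unset $old_var_name` expand unquoted; quoting both (`export "$new_var_name=${!old_var_name}"`, `unset "$old_var_name"`) is worth doing while this function is being edited.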
Expand Down Expand Up @@ -984,8 +990,10 @@ checkParameters "$@"
printTitle

# ─────────────────────────────────────────────────────────────────────────────
# Load build configuration: GitHub Actions uses builds.yml; Bitrise uses legacy remap.
# Both paths supported until Bitrise is deprecated.
# Load build configuration. Gated by BUILDS_ENABLED_WITH_GH_ACTIONS_TEMPORARY:
# true = GHA (set by workflow) and local (set in .js.env) → use builds.yml
# false = Bitrise (unset) → skip builds.yml, use legacy remap only
# Local: .js.env is applied after loadBuildConfig so it overrides (see below).
# ─────────────────────────────────────────────────────────────────────────────
if [ "$PLATFORM" != "expo-update" ]; then
# Set flags for main builds
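Review bot: The rewritten header comment drops the statement that both paths stay supported until Bitrise is deprecated, yet the gate it documents is named `BUILDS_ENABLED_WITH_GH_ACTIONS_TEMPORARY`; keep a line saying when the flag and the legacy path are to be removed. The line `Local: .js.env is applied after loadBuildConfig so it overrides` is also incomplete, because the next hunk sources `.js.env` before the gate as well, which is how a local run sets the flag. Describe both source points here, and note that a `.js.env` present on any non-GHA runner can flip the gate.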
Expand All @@ -994,14 +1002,30 @@ if [ "$PLATFORM" != "expo-update" ]; then
export PRE_RELEASE=true # Used mostly for iOS, for Android only deletes old APK and installs new one
fi

if [ -n "${GITHUB_ACTIONS:-}" ]; then
# GitHub Actions: config from builds.yml (Apply build config step sets env; loadBuildConfig fills any gaps)
if ! loadBuildConfig "$METAMASK_BUILD_TYPE" "$METAMASK_ENVIRONMENT"; then
# Non-GHA: source .js.env early so BUILDS_ENABLED_WITH_GH_ACTIONS_TEMPORARY is set for the gate (local can opt in)
if [ -z "${GITHUB_ACTIONS:-}" ] && [ -e "$JS_ENV_FILE" ]; then
source "$JS_ENV_FILE"
Contributor

Re-sourcing .js.env overwrites command-line build arguments

High Severity

The new source "$JS_ENV_FILE" calls at lines 1007 and 1024 unconditionally overwrite METAMASK_BUILD_TYPE and METAMASK_ENVIRONMENT, which were already correctly set from command-line arguments (MODE/ENVIRONMENT) at lines 34–35. Since .js.env.example exports both variables unconditionally (e.g., export METAMASK_BUILD_TYPE="main"), any developer passing a different build type or environment via CLI (e.g., ./scripts/build.sh ios flask production) will have those values silently replaced by .js.env defaults. This causes loadBuildConfig and the legacy remap to operate on the wrong build configuration.


Contributor Author

it's fine for .js.env to override these values

fi

BUILD_TYPE_FOR_CONFIG=$(echo "$METAMASK_BUILD_TYPE" | tr '[:upper:]' '[:lower:]')
if [ "${BUILDS_ENABLED_WITH_GH_ACTIONS_TEMPORARY:-false}" = "true" ]; then
# builds.yml path: GHA or local with flag.
if ! loadBuildConfig "$BUILD_TYPE_FOR_CONFIG" "$METAMASK_ENVIRONMENT"; then
echo "❌ Build configuration failed. Exiting."
exit 1
fi
else
# Bitrise (or local): legacy env remapping (Bitrise secrets use per-env names, e.g. SEGMENT_WRITE_KEY_PROD)
echo "⚠️ BUILDS_ENABLED_WITH_GH_ACTIONS_TEMPORARY is not true; skipping builds.yml, using legacy remap / .js.env"
echo ""
fi
Comment thread
cursor[bot] marked this conversation as resolved.

# Local builds: .js.env overrides builds.yml (takes precedence)
if [ -z "${GITHUB_ACTIONS:-}" ] && [ -e "$JS_ENV_FILE" ]; then
source "$JS_ENV_FILE"
fi

# Bitrise (or other non-GHA CI): legacy env remapping (secrets use per-env names, e.g. SEGMENT_WRITE_KEY_PROD)
if [ -z "${GITHUB_ACTIONS:-}" ]; then
if [ "$METAMASK_BUILD_TYPE" == "main" ]; then
if [ "$METAMASK_ENVIRONMENT" == "production" ]; then
remapMainProdEnvVariables
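Review bot: The builds.yml gate and the legacy remap are not mutually exclusive: the remap block is still guarded only by `if [ -z "${GITHUB_ACTIONS:-}" ]`, so a local run with `BUILDS_ENABLED_WITH_GH_ACTIONS_TEMPORARY=true` calls `loadBuildConfig` and then `remapMainProdEnvVariables` as well, relying on the silent `return 0` in `remapEnvVariable` to make that harmless. Add the flag to that condition so only the legacy path runs the remap, which lets a missing variable there fail the build. Two smaller points: `loadBuildConfig` receives the lower-cased `BUILD_TYPE_FOR_CONFIG` while the remap compares the raw `$METAMASK_BUILD_TYPE` against `main`, so a mixed-case build type takes different branches on the two paths; and `source "$JS_ENV_FILE"` now runs twice on non-GHA runs, each time executing the file as shell code, so the comments should state that `.js.env` is trusted input and that its values win over the command-line arguments.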