
ci: use builds.yml as single source of truth for OTA push env config #28839

Merged: weitingsun merged 2 commits into main from wsun/use-builds-yml-for-ota-push on Apr 16, 2026

@weitingsun weitingsun commented Apr 14, 2026

Description

The OTA workflow (push-eas-update.yml) had ~65 hardcoded environment variables in its YAML, duplicating what builds.yml already defines. This caused drift: the exp channel received production API defaults instead of dev/staging, new variables added to builds.yml were missing from OTA, and MM_CHARTING_LIBRARY_URL was incorrectly treated as a secret.

This PR eliminates the duplication by having the OTA workflow read from builds.yml using the same apply-build-config.js + set-secrets-from-config.js pattern that native builds (build.yml) already use.

I've confirmed that we don't need the following env variables for now:
QUICKNODE_BSC_URL
QUICKNODE_SEI_URL

Changelog

  • push-eas-update.yml: Added a prepare job that maps channel → build name (e.g. exp → main-exp) and reads builds.yml. The push-update job now uses apply-build-config.js and set-secrets-from-config.js to set env vars and secrets, replacing the 65-line hardcoded env block with 7 OTA-specific vars.
  • builds.yml: Added 3 missing secrets that were only in the OTA workflow: QUICKNODE_BSC_URL, QUICKNODE_SEI_URL, EXPO_TOKEN.
  • build.sh: Moved loadBuildConfig outside the expo-update guard so OTA builds also load config from builds.yml. Replaced the hardcoded createEnvFile() var list with dynamic reads from builds.yml, eliminating a second source of duplication.

Key fix: OTA updates to the exp channel will now correctly get BRIDGE_USE_DEV_APIS=true, RAMPS_ENVIRONMENT=staging, dev portfolio URLs, etc. — matching what main-exp native builds use.

CHANGELOG entry: null

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

Screenshot_20260417_030336_MetaMask

After (should be the same as before)

Screenshot_20260416_021938_MetaMask

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Note

Medium Risk
Changes CI/release automation for OTA publishing and how secrets/env vars are sourced, so misconfiguration could break updates or target the wrong environment despite limited code-path impact.

Overview
Migrates the OTA publish workflow to use builds.yml as the single source of truth for environment selection, non-secret env vars, and secret mappings, removing the large hardcoded env block from push-eas-update.yml.

Adds a prepare job that maps OTA channel → build name (main-exp/main-rc/main-prod), sets the GitHub Environment dynamically, and passes the build’s secret mapping into push-update, which now applies config via scripts/apply-build-config.js and injects secrets via scripts/set-secrets-from-config.js.

Updates scripts/build.sh so expo-update loads build config from builds.yml and generates .env dynamically from the keys defined in that build’s env + secrets; builds.yml is also extended to include EXPO_TOKEN in the shared secrets mapping.

Reviewed by Cursor Bugbot for commit 2fd32c0. Bugbot is set up for automated code reviews on this repo.

@weitingsun weitingsun requested review from a team as code owners April 14, 2026 21:31
@github-actions

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@metamaskbot metamaskbot added the team-mobile-platform Mobile Platform team label Apr 14, 2026
@github-actions github-actions Bot added risk-low Low testing needed · Low bug introduction risk size-M labels Apr 14, 2026
@weitingsun weitingsun changed the title from "ci: use builds.yml for env source of truth for ota push" to "ci: use builds.yml as single source of truth for OTA push env config" Apr 14, 2026
QUICKNODE_BASE_URL: ${{ secrets.QUICKNODE_BASE_URL }}
QUICKNODE_LINEA_MAINNET_URL: ${{ secrets.QUICKNODE_LINEA_MAINNET_URL }}
QUICKNODE_MONAD_URL: ${{ secrets.QUICKNODE_MONAD_URL }}
QUICKNODE_HYPEREVM_URL: ${{ secrets.QUICKNODE_HYPEREVM_URL }}

MM_PERPS_ENABLED dropped from OTA builds without builds.yml entry

Medium Severity

The old workflow explicitly set MM_PERPS_ENABLED: 'true' as a job-level env var, but this PR removes it without adding a corresponding entry to builds.yml's _public_envs. The app code in selectPerpsEnabledFlag uses process.env.MM_PERPS_ENABLED === 'true' as a fallback when the remote feature flag is unavailable or invalid. With the env var now unset, the fallback evaluates to false, silently disabling perps in OTA builds whenever the remote flag service is unreachable or the flag isn't configured. Other perps-related vars like MM_PERPS_HIP3_ENABLED and MM_PERPS_BLOCKED_REGIONS are present in _public_envs, suggesting this omission is unintentional.

Reviewed by Cursor Bugbot for commit c030552.

Contributor Author

If MM_PERPS_ENABLED isn't in builds.yml we don't have it to begin with so this is fine

@github-actions github-actions Bot added risk-low Low testing needed · Low bug introduction risk and removed risk-low Low testing needed · Low bug introduction risk labels Apr 15, 2026
@github-actions

🔍 Smart E2E Test Selection

  • Selected E2E tags: None (no tests recommended)
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: low
  • AI Confidence: 95%

E2E Test Selection:
All three changed files are purely CI/build infrastructure changes with no impact on application runtime code or E2E test flows:

  1. .github/workflows/push-eas-update.yml: Refactors the EAS OTA update workflow to dynamically load build config from builds.yml instead of hardcoding environment variables and secrets. Adds a new prepare job for config loading. This is a CI pipeline improvement with no effect on app behavior.

  2. builds.yml: Adds EXPO_TOKEN: 'EXPO_TOKEN' to the centralized secrets config anchor. This is a minor config addition to support the workflow refactor.

  3. scripts/build.sh: Refactors createEnvFile() to dynamically read env/secret keys from builds.yml instead of a hardcoded array. Also moves loadBuildConfig outside the native-build-only block so it applies to expo-update platform too. This is a build script improvement.

None of these changes touch:

  • Application source code (React Native components, controllers, hooks)
  • E2E test infrastructure (Detox configs, page objects, fixtures, test files)
  • User-facing functionality or UI
  • Performance-sensitive code paths

The changes are a build system refactoring to centralize configuration management. No E2E tests need to run to validate these changes — they are validated by the CI pipeline itself running successfully.

Performance Test Selection:
No performance-sensitive code is changed. These are purely CI/build infrastructure changes that do not affect app startup, rendering, data loading, or any user-facing performance characteristics.

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

Reviewed by Cursor Bugbot for commit 2fd32c0.

Comment thread builds.yml
MM_BRAZE_SDK_ENDPOINT: 'MM_BRAZE_SDK_ENDPOINT'
# Expo
EXPO_PROJECT_ID: 'EXPO_PROJECT_ID'
EXPO_TOKEN: 'EXPO_TOKEN'
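Review bot: EXPO_TOKEN lands in the shared secrets mapping (the line under # Expo, next to EXPO_PROJECT_ID), so every build that inherits this mapping now resolves the Expo access token, not only the OTA push job. Since build.sh is described as generating .env from the keys in each build's env + secrets, check that EXPO_TOKEN is not written into .env for native builds; scoping it to the OTA builds or excluding it from the generated file keeps the token only where it is needed.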

BSC and SEI QuickNode secrets missing from builds.yml

High Severity

QUICKNODE_BSC_URL and QUICKNODE_SEI_URL were removed from the OTA workflow's hardcoded env block but never added to the _secrets anchor in builds.yml. The PR changelog claims all three secrets (QUICKNODE_BSC_URL, QUICKNODE_SEI_URL, EXPO_TOKEN) were added, but only EXPO_TOKEN actually appears in the diff. These variables are actively used in production code (app/util/networks/customNetworks.tsx) for BSC and SEI network failover URLs, so OTA updates will silently lose failover capability for those chains.

Reviewed by Cursor Bugbot for commit 2fd32c0.

Contributor Author

I've confirmed with @Prithpal-Sooriya that we don't need QUICKNODE_BSC_URL and QUICKNODE_SEI_URL
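Both findings in this thread concern keys that the old hardcoded env block set and the builds.yml entry no longer provides. The check below is an added example, not code from this PR or the MetaMask repository: the key list and the parsed build object are constructed samples, `checkMigration` and `shouldBlock` are hypothetical names, and MM_PERPS_ENABLED is left unacknowledged in the sample to show the failing case.

```javascript
// Added example: not from the PR. All data below is constructed for illustration.
// Keys the old hardcoded OTA env block set (sample subset, names taken from the thread).
const legacyOtaEnvKeys = [
  'MM_PERPS_ENABLED', 'MM_PERPS_HIP3_ENABLED', 'MM_CHARTING_LIBRARY_URL',
  'QUICKNODE_BASE_URL', 'QUICKNODE_BSC_URL', 'QUICKNODE_SEI_URL', 'EXPO_TOKEN',
];

// Hypothetical parsed form of one builds.yml entry: `env` holds literal values,
// `secrets` maps env var name -> CI secret name. Values are placeholders.
const mainExpBuild = {
  env: {
    MM_PERPS_HIP3_ENABLED: 'true',
    BRIDGE_USE_DEV_APIS: 'true',
    RAMPS_ENVIRONMENT: 'staging',
    MM_CHARTING_LIBRARY_URL: 'https://charting.example.invalid',
  },
  secrets: { QUICKNODE_BASE_URL: 'QUICKNODE_BASE_URL', EXPO_TOKEN: 'EXPO_TOKEN' },
};

// Drops that someone has explicitly signed off on in review.
const acknowledgedDrops = new Set(['QUICKNODE_BSC_URL', 'QUICKNODE_SEI_URL']);

function checkMigration(legacyKeys, build, acknowledged) {
  const env = Object.keys(build.env || {});
  const secrets = Object.keys(build.secrets || {});
  const provided = new Set([...env, ...secrets]);
  return {
    // Set by the old workflow, absent from the build entry, and not signed off.
    droppedUnacknowledged: legacyKeys
      .filter((k) => !provided.has(k) && !acknowledged.has(k)).sort(),
    // Signed off as dropped but still provided: the sign-off list is stale.
    staleAcknowledgements: [...acknowledged].filter((k) => provided.has(k)).sort(),
    // Present as both literal and secret: the effective value depends on apply order.
    ambiguous: env.filter((k) => secrets.includes(k)).sort(),
    // Not set by the old workflow: values the OTA bundle did not have before.
    newlyIntroduced: [...provided].filter((k) => !legacyKeys.includes(k)).sort(),
  };
}

// A CI gate would fail on silent drops or ambiguous definitions.
function shouldBlock(report) {
  return report.droppedUnacknowledged.length > 0 || report.ambiguous.length > 0;
}

const report = checkMigration(legacyOtaEnvKeys, mainExpBuild, acknowledgedDrops);
console.log(JSON.stringify(report, null, 2), 'block:', shouldBlock(report));
```

Keeping the acknowledged list in the repository turns a review-thread confirmation into something the next migration can check against.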

@Cal-L Cal-L left a comment


Lgtm

@weitingsun weitingsun added this pull request to the merge queue Apr 16, 2026
Merged via the queue into main with commit 2dedd4d Apr 16, 2026
87 checks passed
@weitingsun weitingsun deleted the wsun/use-builds-yml-for-ota-push branch April 16, 2026 20:12
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 16, 2026
@metamaskbotv2 metamaskbotv2 Bot added the release-7.75.0 Issue or pull request that will be included in release 7.75.0 label Apr 16, 2026

Labels

release-7.75.0 Issue or pull request that will be included in release 7.75.0 risk-low Low testing needed · Low bug introduction risk size-M team-mobile-platform Mobile Platform team
