fix: Use environment variables for script inputs in all workflows (#162)

* Use environment variables for script inputs in all workflows

* Fix broken command

* Fix lint workflow

* Add missing ID

* Add `--activate` back

Author: Mrtenz

.github/actions/checkout-and-setup/action.yml

@@ -28,10 +28,12 @@ runs:
   steps:
     # The "required: true" field is not enforced by GitHub, so we need to check it manually
     - name: Enforce required input is either "true" or "false"
+      env:
+        IS_HIGH_RISK_ENVIRONMENT: ${{ inputs.is-high-risk-environment }}
       run: |
-        if [[ "${{ inputs.is-high-risk-environment }}" == "true" ]]; then
+        if [[ "$IS_HIGH_RISK_ENVIRONMENT" == "true" ]]; then
           echo 'High-risk environment detected. Disabling cache for security.'
-        elif [[ "${{ inputs.is-high-risk-environment }}" == "false" ]]; then
+        elif [[ "$IS_HIGH_RISK_ENVIRONMENT" == "false" ]]; then
           echo 'Low-risk environment detected. Enabling cache for optimized performance.'
         else
           echo "::error::Invalid value for 'is-high-risk-environment'. Must be 'true' (secure, no cache) or 'false' (faster, cache enabled)."

.github/actions/configure-keystore/action.yml

@@ -20,8 +20,10 @@ runs:
   steps:
     - name: Determine signing secret name
       shell: bash
+      env:
+        TARGET: ${{ inputs.target }}
       run: |
-        case "${{ inputs.target }}" in
+        case "$TARGET" in
           qa)
             SECRET_NAME="metamask-mobile-qa-signing-certificates"
             ;;
@@ -32,7 +34,7 @@ runs:
             SECRET_NAME="metamask-mobile-main-signing-certificates"
             ;;
           *)
-            echo "❌ Unknown target: ${{ inputs.target }}"
+            echo "❌ Unknown target: $TARGET"
             exit 1
             ;;
         esac
@@ -46,10 +48,12 @@ runs:
 
     - name: Fetch secret and export as environment variables
       shell: bash
+      env:
+        AWS_REGION: ${{ inputs.aws-region }}
       run: |
         echo "🔐 Fetching secret from Secrets Manager..."
         secret_json=$(aws secretsmanager get-secret-value \
-          --region "${{ inputs.aws-region }}" \
+          --region "$AWS_REGION" \
           --secret-id "${AWS_SIGNING_CERT_SECRET_NAME}" \
           --query SecretString \
           --output text)

.github/actions/setup-e2e-env/action.yml

@@ -133,9 +133,12 @@ runs:
 
     - name: Install additional Android SDK components if needed
       if: ${{ inputs.platform == 'android' && (inputs.android-api-level != '34' || inputs.android-abi != 'x86_64') }}
+      env:
+        ANDROID_API_LEVEL: ${{ inputs.android-api-level }}
+        ANDROID_ABI: ${{ inputs.android-abi }}
       run: |
         # Only install if different from pre-installed defaults (API 34, x86_64)
-        IMAGE="system-images;android-${{ inputs.android-api-level }};google_apis;${{ inputs.android-abi }}"
+        IMAGE="system-images;android-$ANDROID_API_LEVEL;google_apis;$ANDROID_ABI"
         echo "Installing additional system image: $IMAGE"
         echo "y" | "/opt/android-sdk/cmdline-tools/latest/bin/sdkmanager" "$IMAGE"
       shell: bash
@@ -151,17 +154,24 @@ runs:
 
     - name: Create Android Virtual Device (AVD)
       if: ${{ inputs.platform == 'android'}}
+      env:
+        ANDROID_API_LEVEL: ${{ inputs.android-api-level }}
+        ANDROID_TAG: ${{ inputs.android-tag }}
+        ANDROID_ABI: ${{ inputs.android-abi }}
+        ANDROID_AVD_NAME: ${{ inputs.android-avd-name }}
+        ANDROID_DEVICE: ${{ inputs.android-device }}
+        ANDROID_SDCARD_SIZE: ${{ inputs.android-sdcard-size }}
       run: |
-        IMAGE="system-images;android-${{ inputs.android-api-level }};${{ inputs.android-tag }};${{ inputs.android-abi }}"
+        IMAGE="system-images;android-$ANDROID_API_LEVEL;$ANDROID_TAG;$ANDROID_ABI"
         echo "Creating AVD with image: $IMAGE"
         "/opt/android-sdk/cmdline-tools/latest/bin/avdmanager" --verbose create avd \
           --force \
-          --name "${{ inputs.android-avd-name }}" \
+          --name "$ANDROID_AVD_NAME" \
           --package "$IMAGE" \
-          --device "${{ inputs.android-device }}" \
-          --tag "${{ inputs.android-tag }}" \
-          --abi "${{ inputs.android-abi }}" \
-          --sdcard "${{ inputs.android-sdcard-size }}"
+          --device "$ANDROID_DEVICE" \
+          --tag "$ANDROID_TAG" \
+          --abi "$ANDROID_ABI" \
+          --sdcard "$ANDROID_SDCARD_SIZE"
       shell: bash
 
     ## iOS Platform Setup ##
@@ -184,10 +194,13 @@ runs:
 
     ## Yarn Setup & Cache Management
 
-    # - name: Corepack
-    #   id: corepack
-    #   run: corepack enable && corepack prepare yarn@${{ inputs.yarn-version }} --activate
-    #   shell: bash
+    - name: Get Corepack install command
+      id: get-corepack-command
+      env:
+        YARN_VERSION: ${{ inputs.yarn-version }}
+      shell: bash
+      run: |
+        echo "COREPACK_COMMAND=corepack enable && corepack prepare yarn@$YARN_VERSION --activate" >> "$GITHUB_OUTPUT"
 
     - name: Corepack
       id: corepack
@@ -196,7 +209,7 @@ runs:
         timeout_minutes: 15
         max_attempts: 3
         retry_wait_seconds: 30
-        command: corepack enable && corepack prepare yarn@${{ inputs.yarn-version }} --activate
+        command: ${{ steps.get-corepack-command.outputs.COREPACK_COMMAND }}
 
     - name: Restore Yarn cache
       uses: actions/cache@v4
@@ -220,6 +233,8 @@ runs:
 
     - name: Install Foundry
       shell: bash
+      env:
+        FOUNDRY_VERSION: ${{ inputs.foundry-version }}
       run: |
         echo "Installing Foundry via foundryup..."
 
@@ -233,7 +248,7 @@ runs:
 
         echo "$FOUNDRY_BIN" >> "$GITHUB_PATH"
 
-        "$FOUNDRY_BIN/foundryup" -i "${{ inputs.foundry-version }}"
+        "$FOUNDRY_BIN/foundryup" -i "$FOUNDRY_VERSION"
 
     ## IOS Setup ##
 
@@ -308,19 +323,11 @@ runs:
     # Select Xcode version
     - name: Select Xcode version
       if: ${{ inputs.platform == 'ios' }}
-      run: sudo xcode-select -s /Applications/Xcode_${{ inputs.xcode-version }}.app
+      env:
+        XCODE_VERSION: ${{ inputs.xcode-version }}
+      run: sudo xcode-select -s "/Applications/Xcode_$XCODE_VERSION.app"
       shell: bash
 
-    # Restore CocoaPods cache
-    # - name: Restore CocoaPods cache
-    #   if: ${{ inputs.platform == 'ios'}}
-    #   uses: actions/cache@v4
-    #   with:
-    #     path: ios/Pods
-    #     key: ${{ inputs.cache-prefix }}-pods-${{ inputs.platform }}-${{ runner.os }}-${{ hashFiles('ios/Podfile.lock') }}
-    #     restore-keys: |
-    #       ${{ inputs.cache-prefix }}-pods-${{ inputs.platform }}-${{ runner.os }}-
-
     # Install CocoaPods w/ cached bundler environment
     - name: Install CocoaPods via bundler
       if: ${{ inputs.platform == 'ios'}}

.github/actions/upload-s3/action.yml

@@ -26,10 +26,14 @@ runs:
         role-to-assume: ${{ inputs.role-to-assume }}
 
     - name: Upload to S3
+      env:
+        UPLOAD_PATH: ${{ inputs.path }}
+        S3_BUCKET: ${{ inputs.s3-bucket }}
+
       run: |
-        if [ -d "${{ inputs.path }}" ]; then
-          aws s3 cp "${{ inputs.path }}" "s3://${{ inputs.s3-bucket }}" --recursive
+        if [ -d "$UPLOAD_PATH" ]; then
+          aws s3 cp "$UPLOAD_PATH" "s3://$S3_BUCKET" --recursive
         else
-          aws s3 cp "${{ inputs.path }}" "s3://${{ inputs.s3-bucket }}"
+          aws s3 cp "$UPLOAD_PATH" "s3://$S3_BUCKET"
         fi
       shell: bash

.github/workflows/create-release-pr.yml

@@ -101,24 +101,38 @@ jobs:
 
       # Step 4: Print Input Values
       - name: Print Input Values
+        env:
+          PLATFORM: ${{ inputs.platform }}
+          CHECKOUT_BASE_BRANCH: ${{ inputs.checkout-base-branch }}
+          RELEASE_PR_BASE_BRANCH: ${{ inputs.release-pr-base-branch }}
+          SEMVER_VERSION: ${{ inputs.semver-version }}
+          PREVIOUS_VERSION_REF: ${{ inputs.previous-version-ref }}
+          TEST_ONLY: ${{ inputs.test-only }}
+          MOBILE_BUILD_VERSION: ${{ inputs.mobile-build-version }}
+          MOBILE_TEMPLATE_SHEET_ID: ${{ inputs.mobile-template-sheet-id }}
+          EXTENSION_TEMPLATE_SHEET_ID: ${{ inputs.extension-template-sheet-id }}
+          RELEASE_SHEET_GOOGLE_DOCUMENT_ID: ${{ inputs.release-sheet-google-document-id }}
+          GITHUB_TOOLS_VERSION: ${{ inputs.github-tools-version }}
+          GIT_USER_NAME: ${{ inputs.git-user-name }}
+          GIT_USER_EMAIL: ${{ inputs.git-user-email }}
         run: |
           echo "Input Values:"
           echo "-------------"
-          echo "Platform: ${{ inputs.platform }}"
-          echo "Checkout Base Branch: ${{ inputs.checkout-base-branch }}"
-          echo "Release PR Base Branch: ${{ inputs.release-pr-base-branch }}"
-          echo "Semver Version: ${{ inputs.semver-version }}"
-          echo "Previous Version Reference: ${{ inputs.previous-version-ref }}"
-          echo "Test Only Mode: ${{ inputs.test-only }}"
-          if [[ "${{ inputs.platform }}" == "mobile" ]]; then
-            echo "Mobile Build Version: ${{ inputs.mobile-build-version }}"
+          echo "Platform: $PLATFORM"
+          echo "Checkout Base Branch: $CHECKOUT_BASE_BRANCH"
+          echo "Release PR Base Branch: $RELEASE_PR_BASE_BRANCH"
+          echo "Semver Version: $SEMVER_VERSION"
+          echo "Previous Version Reference: $PREVIOUS_VERSION_REF"
+          echo "Test Only Mode: $TEST_ONLY"
+          if [[ "$PLATFORM" == "mobile" ]]; then
+            echo "Mobile Build Version: $MOBILE_BUILD_VERSION"
           fi
-          echo "Mobile Template Sheet ID: ${{ inputs.mobile-template-sheet-id }}"
-          echo "Extension Template Sheet ID: ${{ inputs.extension-template-sheet-id }}"
-          echo "Release Sheet Google Document ID: ${{ inputs.release-sheet-google-document-id }}"
-          echo "GitHub Tools Version: ${{ inputs.github-tools-version }}"
-          echo "Git User Name: ${{ inputs.git-user-name }}"
-          echo "Git User Email: ${{ inputs.git-user-email }}"
+          echo "Mobile Template Sheet ID: $MOBILE_TEMPLATE_SHEET_ID"
+          echo "Extension Template Sheet ID: $EXTENSION_TEMPLATE_SHEET_ID"
+          echo "Release Sheet Google Document ID: $RELEASE_SHEET_GOOGLE_DOCUMENT_ID"
+          echo "GitHub Tools Version: $GITHUB_TOOLS_VERSION"
+          echo "Git User Name: $GIT_USER_NAME"
+          echo "Git User Email: $GIT_USER_EMAIL"
           echo "-------------"
 
       # Step 5: Create Release PR
@@ -135,16 +149,22 @@ jobs:
           NEW_VERSION: ${{ inputs.semver-version }}
           MOBILE_TEMPLATE_SHEET_ID: ${{ inputs.mobile-template-sheet-id }}
           EXTENSION_TEMPLATE_SHEET_ID: ${{ inputs.extension-template-sheet-id }}
+          PLATFORM: ${{ inputs.platform }}
+          PREVIOUS_VERSION_REF: ${{ inputs.previous-version-ref }}
+          SEMVER_VERSION: ${{ inputs.semver-version }}
+          MOBILE_BUILD_VERSION: ${{ inputs.mobile-build-version }}
+          GIT_USER_NAME: ${{ inputs.git-user-name }}
+          GIT_USER_EMAIL: ${{ inputs.git-user-email }}
         working-directory: ${{ github.workspace }}
         run: |
           # Execute the script from github-tools
           ./github-tools/.github/scripts/create-platform-release-pr.sh \
-            "${{ inputs.platform }}" \
-            "${{ inputs.previous-version-ref }}" \
-            "${{ inputs.semver-version }}" \
-            "${{ inputs.mobile-build-version }}" \
-            "${{ inputs.git-user-name }}" \
-            "${{ inputs.git-user-email }}"
+            "$PLATFORM" \
+            "$PREVIOUS_VERSION_REF" \
+            "$SEMVER_VERSION" \
+            "$MOBILE_BUILD_VERSION" \
+            "$GIT_USER_NAME" \
+            "$GIT_USER_EMAIL"
 
       # Step 6: Upload commits.csv as artifact (if generated)
       - name: Upload commits.csv artifact

.github/workflows/lint-workflows.yml

@@ -17,6 +17,9 @@ jobs:
         shell: bash
 
       - name: Lint workflow files
+        env:
+          EXECUTABLE: ${{ steps.download-actionlint.outputs.executable }}
         # We need to ignore the expected missing inputs in test-checkout-and-setup.yml
-        run: ${{ steps.download-actionlint.outputs.executable }} -color
+        run: |
+          "$EXECUTABLE" -color
         shell: bash

.github/workflows/main.yml

@@ -40,8 +40,9 @@ jobs:
     needs: all-jobs-completed
     steps:
       - name: Check that all jobs have passed
+        env:
+          PASSED: ${{ needs.all-jobs-completed.outputs.PASSED }}
         run: |
-          passed="${{ needs.all-jobs-completed.outputs.PASSED }}"
-          if [[ $passed != "true" ]]; then
+          if [[ "$PASSED" != "true" ]]; then
             exit 1
           fi

.github/workflows/pr-line-check.yml

@@ -46,24 +46,13 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Determine base branch
-        id: get-base-branch
-        run: |
-          # Use the PR base branch if available; otherwise use the default input.
-          if [ -n "${{ github.event.pull_request.base.ref }}" ]; then
-            echo "Using PR base branch: ${{ github.event.pull_request.base.ref }}"
-            echo "base_branch=${{ github.event.pull_request.base.ref }}" >> "$GITHUB_OUTPUT"
-          else
-            echo "Using default base branch: ${{ inputs.base_ref }}"
-            echo "base_branch=${{ inputs.base_ref }}" >> "$GITHUB_OUTPUT"
-          fi
-
       - name: Calculate changed lines
         id: line_count
+        env:
+          BASE_BRANCH: ${{ github.event.pull_request.base.ref || inputs.base_ref }}
         run: |
           set -e
 
-          BASE_BRANCH="${{ steps.get-base-branch.outputs.base_branch }}"
           echo "Using base branch: $BASE_BRANCH"
 
           # Instead of a full fetch, perform incremental fetches at increasing depth
@@ -112,18 +101,38 @@ jobs:
 
       - name: Check line count limit
         uses: actions/github-script@v7
+        env:
+          LINES_CHANGED: ${{ steps.line_count.outputs.lines_changed }}
+          ADDITIONS: ${{ steps.line_count.outputs.additions }}
+          DELETIONS: ${{ steps.line_count.outputs.deletions }}
+          MAX_LINES: ${{ inputs.max_lines }}
+          XS_MAX_SIZE: ${{ inputs.xs_max_size }}
+          S_MAX_SIZE: ${{ inputs.s_max_size }}
+          M_MAX_SIZE: ${{ inputs.m_max_size }}
+          L_MAX_SIZE: ${{ inputs.l_max_size }}
         with:
           script: |
-            const total = parseInt('${{ steps.line_count.outputs.lines_changed }}') || 0;
-            const additions = parseInt('${{ steps.line_count.outputs.additions }}') || 0;
-            const deletions = parseInt('${{ steps.line_count.outputs.deletions }}') || 0;
+            const {
+              LINES_CHANGED,
+              ADDITIONS,
+              DELETIONS,
+              MAX_LINES,
+              XS_MAX_SIZE,
+              S_MAX_SIZE,
+              M_MAX_SIZE,
+              L_MAX_SIZE,
+            } = process.env;
+
+            const total = parseInt(LINES_CHANGED, 10) || 0;
+            const additions = parseInt(ADDITIONS, 10) || 0;
+            const deletions = parseInt(DELETIONS, 10) || 0;
 
             // Thresholds from inputs with fallback to defaults
-            const maxLines = parseInt('${{ inputs.max_lines }}') || 1000;
-            const xsMaxSize = parseInt('${{ inputs.xs_max_size }}') || 10;
-            const sMaxSize = parseInt('${{ inputs.s_max_size }}') || 100;
-            const mMaxSize = parseInt('${{ inputs.m_max_size }}') || 500;
-            const lMaxSize = parseInt('${{ inputs.l_max_size }}') || 1000;
+            const maxLines = parseInt(MAX_LINES, 10) || 1000;
+            const xsMaxSize = parseInt(XS_MAX_SIZE, 10) || 10;
+            const sMaxSize = parseInt(S_MAX_SIZE, 10) || 100;
+            const mMaxSize = parseInt(M_MAX_SIZE, 10) || 500;
+            const lMaxSize = parseInt(L_MAX_SIZE, 10) || 1000;
 
             // Print summary
             console.log('Summary:');
@@ -155,21 +164,21 @@ jobs:
 
             try {
               const existingSizeLabels = ['size-XS', 'size-S', 'size-M', 'size-L', 'size-XL'];
-              
+
               // Get current labels
               const currentLabels = await github.rest.issues.listLabelsOnIssue({
                 owner,
                 repo,
                 issue_number
               });
-              
+
               const currentLabelNames = currentLabels.data.map(l => l.name);
-              
+
               // Build new label set: keep non-size labels and add the new size label
               const newLabels = currentLabelNames
                 .filter(name => !existingSizeLabels.includes(name))  // Remove all size labels
                 .concat(sizeLabel);  // Add the correct size label
-              
+
               // Check if labels need updating
               const currentSizeLabel = currentLabelNames.find(name => existingSizeLabels.includes(name));
               if (currentSizeLabel === sizeLabel && currentLabelNames.length === newLabels.length) {
@@ -182,7 +191,7 @@ jobs:
                   issue_number,
                   labels: newLabels
                 });
-                
+
                 if (currentSizeLabel && currentSizeLabel !== sizeLabel) {
                   console.log(`  - Replaced '${currentSizeLabel}' with '${sizeLabel}'`);
                 } else if (!currentSizeLabel) {