Skip to content

fix: Use environment variables for script inputs in all workflows #162

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Nov 19, 2025
Merged

fix: Use environment variables for script inputs in all workflows #162

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
a9cf1ed
Use environment variables for script inputs in all workflows
Mrtenz Nov 19, 2025
44e66fa
Fix broken command
Mrtenz Nov 19, 2025
20a3288
Fix lint workflow
Mrtenz Nov 19, 2025
8bc5b9c
Add missing ID
Mrtenz Nov 19, 2025
895a557
Add `--activate` back
Mrtenz Nov 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions .github/actions/checkout-and-setup/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,10 +28,12 @@ runs:
steps:
# The "required: true" field is not enforced by GitHub, so we need to check it manually
- name: Enforce required input is either "true" or "false"
env:
IS_HIGH_RISK_ENVIRONMENT: ${{ inputs.is-high-risk-environment }}
run: |
if [[ "${{ inputs.is-high-risk-environment }}" == "true" ]]; then
if [[ "$IS_HIGH_RISK_ENVIRONMENT" == "true" ]]; then
echo 'High-risk environment detected. Disabling cache for security.'
elif [[ "${{ inputs.is-high-risk-environment }}" == "false" ]]; then
elif [[ "$IS_HIGH_RISK_ENVIRONMENT" == "false" ]]; then
echo 'Low-risk environment detected. Enabling cache for optimized performance.'
else
echo "::error::Invalid value for 'is-high-risk-environment'. Must be 'true' (secure, no cache) or 'false' (faster, cache enabled)."
Expand Down
10 changes: 7 additions & 3 deletions .github/actions/configure-keystore/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,10 @@ runs:
steps:
- name: Determine signing secret name
shell: bash
env:
TARGET: ${{ inputs.target }}
run: |
case "${{ inputs.target }}" in
case "$TARGET" in
qa)
SECRET_NAME="metamask-mobile-qa-signing-certificates"
;;
Expand All @@ -32,7 +34,7 @@ runs:
SECRET_NAME="metamask-mobile-main-signing-certificates"
;;
*)
echo "❌ Unknown target: ${{ inputs.target }}"
echo "❌ Unknown target: $TARGET"
exit 1
;;
esac
Expand All @@ -46,10 +48,12 @@ runs:

- name: Fetch secret and export as environment variables
shell: bash
env:
AWS_REGION: ${{ inputs.aws-region }}
run: |
echo "🔐 Fetching secret from Secrets Manager..."
secret_json=$(aws secretsmanager get-secret-value \
--region "${{ inputs.aws-region }}" \
--region "$AWS_REGION" \
--secret-id "${AWS_SIGNING_CERT_SECRET_NAME}" \
--query SecretString \
--output text)
Expand Down
55 changes: 31 additions & 24 deletions .github/actions/setup-e2e-env/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,9 +133,12 @@ runs:

- name: Install additional Android SDK components if needed
if: ${{ inputs.platform == 'android' && (inputs.android-api-level != '34' || inputs.android-abi != 'x86_64') }}
env:
ANDROID_API_LEVEL: ${{ inputs.android-api-level }}
ANDROID_ABI: ${{ inputs.android-abi }}
run: |
# Only install if different from pre-installed defaults (API 34, x86_64)
IMAGE="system-images;android-${{ inputs.android-api-level }};google_apis;${{ inputs.android-abi }}"
IMAGE="system-images;android-$ANDROID_API_LEVEL;google_apis;$ANDROID_ABI"
echo "Installing additional system image: $IMAGE"
echo "y" | "/opt/android-sdk/cmdline-tools/latest/bin/sdkmanager" "$IMAGE"
shell: bash
Expand All @@ -151,17 +154,24 @@ runs:

- name: Create Android Virtual Device (AVD)
if: ${{ inputs.platform == 'android'}}
env:
ANDROID_API_LEVEL: ${{ inputs.android-api-level }}
ANDROID_TAG: ${{ inputs.android-tag }}
ANDROID_ABI: ${{ inputs.android-abi }}
ANDROID_AVD_NAME: ${{ inputs.android-avd-name }}
ANDROID_DEVICE: ${{ inputs.android-device }}
ANDROID_SDCARD_SIZE: ${{ inputs.android-sdcard-size }}
run: |
IMAGE="system-images;android-${{ inputs.android-api-level }};${{ inputs.android-tag }};${{ inputs.android-abi }}"
IMAGE="system-images;android-$ANDROID_API_LEVEL;$ANDROID_TAG;$ANDROID_ABI"
echo "Creating AVD with image: $IMAGE"
"/opt/android-sdk/cmdline-tools/latest/bin/avdmanager" --verbose create avd \
--force \
--name "${{ inputs.android-avd-name }}" \
--name "$ANDROID_AVD_NAME" \
--package "$IMAGE" \
--device "${{ inputs.android-device }}" \
--tag "${{ inputs.android-tag }}" \
--abi "${{ inputs.android-abi }}" \
--sdcard "${{ inputs.android-sdcard-size }}"
--device "$ANDROID_DEVICE" \
--tag "$ANDROID_TAG" \
--abi "$ANDROID_ABI" \
--sdcard "$ANDROID_SDCARD_SIZE"
shell: bash

## iOS Platform Setup ##
Expand All @@ -184,10 +194,13 @@ runs:

## Yarn Setup & Cache Management

# - name: Corepack
# id: corepack
# run: corepack enable && corepack prepare yarn@${{ inputs.yarn-version }} --activate
# shell: bash
- name: Get Corepack install command
id: get-corepack-command
env:
YARN_VERSION: ${{ inputs.yarn-version }}
shell: bash
run: |
echo "COREPACK_COMMAND=corepack enable && corepack prepare yarn@$YARN_VERSION --activate" >> "$GITHUB_OUTPUT"

- name: Corepack
id: corepack
Expand All @@ -196,7 +209,7 @@ runs:
timeout_minutes: 15
max_attempts: 3
retry_wait_seconds: 30
command: corepack enable && corepack prepare yarn@${{ inputs.yarn-version }} --activate
command: ${{ steps.get-corepack-command.outputs.COREPACK_COMMAND }}

- name: Restore Yarn cache
uses: actions/cache@v4
Expand All @@ -220,6 +233,8 @@ runs:

- name: Install Foundry
shell: bash
env:
FOUNDRY_VERSION: ${{ inputs.foundry-version }}
run: |
echo "Installing Foundry via foundryup..."

Expand All @@ -233,7 +248,7 @@ runs:

echo "$FOUNDRY_BIN" >> "$GITHUB_PATH"

"$FOUNDRY_BIN/foundryup" -i "${{ inputs.foundry-version }}"
"$FOUNDRY_BIN/foundryup" -i "$FOUNDRY_VERSION"

## IOS Setup ##

Expand Down Expand Up @@ -308,19 +323,11 @@ runs:
# Select Xcode version
- name: Select Xcode version
if: ${{ inputs.platform == 'ios' }}
run: sudo xcode-select -s /Applications/Xcode_${{ inputs.xcode-version }}.app
env:
XCODE_VERSION: ${{ inputs.xcode-version }}
run: sudo xcode-select -s "/Applications/Xcode_$XCODE_VERSION.app"
shell: bash

# Restore CocoaPods cache
# - name: Restore CocoaPods cache
# if: ${{ inputs.platform == 'ios'}}
# uses: actions/cache@v4
# with:
# path: ios/Pods
# key: ${{ inputs.cache-prefix }}-pods-${{ inputs.platform }}-${{ runner.os }}-${{ hashFiles('ios/Podfile.lock') }}
# restore-keys: |
# ${{ inputs.cache-prefix }}-pods-${{ inputs.platform }}-${{ runner.os }}-

# Install CocoaPods w/ cached bundler environment
- name: Install CocoaPods via bundler
if: ${{ inputs.platform == 'ios'}}
Expand Down
10 changes: 7 additions & 3 deletions .github/actions/upload-s3/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,10 +26,14 @@ runs:
role-to-assume: ${{ inputs.role-to-assume }}

- name: Upload to S3
env:
UPLOAD_PATH: ${{ inputs.path }}
S3_BUCKET: ${{ inputs.s3-bucket }}

run: |
if [ -d "${{ inputs.path }}" ]; then
aws s3 cp "${{ inputs.path }}" "s3://${{ inputs.s3-bucket }}" --recursive
if [ -d "$UPLOAD_PATH" ]; then
aws s3 cp "$UPLOAD_PATH" "s3://$S3_BUCKET" --recursive
else
aws s3 cp "${{ inputs.path }}" "s3://${{ inputs.s3-bucket }}"
aws s3 cp "$UPLOAD_PATH" "s3://$S3_BUCKET"
fi
shell: bash
60 changes: 40 additions & 20 deletions .github/workflows/create-release-pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,24 +101,38 @@ jobs:

# Step 4: Print Input Values
- name: Print Input Values
env:
PLATFORM: ${{ inputs.platform }}
CHECKOUT_BASE_BRANCH: ${{ inputs.checkout-base-branch }}
RELEASE_PR_BASE_BRANCH: ${{ inputs.release-pr-base-branch }}
SEMVER_VERSION: ${{ inputs.semver-version }}
PREVIOUS_VERSION_REF: ${{ inputs.previous-version-ref }}
TEST_ONLY: ${{ inputs.test-only }}
MOBILE_BUILD_VERSION: ${{ inputs.mobile-build-version }}
MOBILE_TEMPLATE_SHEET_ID: ${{ inputs.mobile-template-sheet-id }}
EXTENSION_TEMPLATE_SHEET_ID: ${{ inputs.extension-template-sheet-id }}
RELEASE_SHEET_GOOGLE_DOCUMENT_ID: ${{ inputs.release-sheet-google-document-id }}
GITHUB_TOOLS_VERSION: ${{ inputs.github-tools-version }}
GIT_USER_NAME: ${{ inputs.git-user-name }}
GIT_USER_EMAIL: ${{ inputs.git-user-email }}
run: |
echo "Input Values:"
echo "-------------"
echo "Platform: ${{ inputs.platform }}"
echo "Checkout Base Branch: ${{ inputs.checkout-base-branch }}"
echo "Release PR Base Branch: ${{ inputs.release-pr-base-branch }}"
echo "Semver Version: ${{ inputs.semver-version }}"
echo "Previous Version Reference: ${{ inputs.previous-version-ref }}"
echo "Test Only Mode: ${{ inputs.test-only }}"
if [[ "${{ inputs.platform }}" == "mobile" ]]; then
echo "Mobile Build Version: ${{ inputs.mobile-build-version }}"
echo "Platform: $PLATFORM"
echo "Checkout Base Branch: $CHECKOUT_BASE_BRANCH"
echo "Release PR Base Branch: $RELEASE_PR_BASE_BRANCH"
echo "Semver Version: $SEMVER_VERSION"
echo "Previous Version Reference: $PREVIOUS_VERSION_REF"
echo "Test Only Mode: $TEST_ONLY"
if [[ "$PLATFORM" == "mobile" ]]; then
echo "Mobile Build Version: $MOBILE_BUILD_VERSION"
fi
echo "Mobile Template Sheet ID: ${{ inputs.mobile-template-sheet-id }}"
echo "Extension Template Sheet ID: ${{ inputs.extension-template-sheet-id }}"
echo "Release Sheet Google Document ID: ${{ inputs.release-sheet-google-document-id }}"
echo "GitHub Tools Version: ${{ inputs.github-tools-version }}"
echo "Git User Name: ${{ inputs.git-user-name }}"
echo "Git User Email: ${{ inputs.git-user-email }}"
echo "Mobile Template Sheet ID: $MOBILE_TEMPLATE_SHEET_ID"
echo "Extension Template Sheet ID: $EXTENSION_TEMPLATE_SHEET_ID"
echo "Release Sheet Google Document ID: $RELEASE_SHEET_GOOGLE_DOCUMENT_ID"
echo "GitHub Tools Version: $GITHUB_TOOLS_VERSION"
echo "Git User Name: $GIT_USER_NAME"
echo "Git User Email: $GIT_USER_EMAIL"
echo "-------------"

# Step 5: Create Release PR
Expand All @@ -135,16 +149,22 @@ jobs:
NEW_VERSION: ${{ inputs.semver-version }}
MOBILE_TEMPLATE_SHEET_ID: ${{ inputs.mobile-template-sheet-id }}
EXTENSION_TEMPLATE_SHEET_ID: ${{ inputs.extension-template-sheet-id }}
PLATFORM: ${{ inputs.platform }}
PREVIOUS_VERSION_REF: ${{ inputs.previous-version-ref }}
SEMVER_VERSION: ${{ inputs.semver-version }}
MOBILE_BUILD_VERSION: ${{ inputs.mobile-build-version }}
GIT_USER_NAME: ${{ inputs.git-user-name }}
GIT_USER_EMAIL: ${{ inputs.git-user-email }}
working-directory: ${{ github.workspace }}
run: |
# Execute the script from github-tools
./github-tools/.github/scripts/create-platform-release-pr.sh \
"${{ inputs.platform }}" \
"${{ inputs.previous-version-ref }}" \
"${{ inputs.semver-version }}" \
"${{ inputs.mobile-build-version }}" \
"${{ inputs.git-user-name }}" \
"${{ inputs.git-user-email }}"
"$PLATFORM" \
"$PREVIOUS_VERSION_REF" \
"$SEMVER_VERSION" \
"$MOBILE_BUILD_VERSION" \
"$GIT_USER_NAME" \
"$GIT_USER_EMAIL"

# Step 6: Upload commits.csv as artifact (if generated)
- name: Upload commits.csv artifact
Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/lint-workflows.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ jobs:
shell: bash

- name: Lint workflow files
env:
EXECUTABLE: ${{ steps.download-actionlint.outputs.executable }}
# We need to ignore the expected missing inputs in test-checkout-and-setup.yml
run: ${{ steps.download-actionlint.outputs.executable }} -color
run: |
"$EXECUTABLE" -color
shell: bash
5 changes: 3 additions & 2 deletions .github/workflows/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,8 +40,9 @@ jobs:
needs: all-jobs-completed
steps:
- name: Check that all jobs have passed
env:
PASSED: ${{ needs.all-jobs-completed.outputs.PASSED }}
run: |
passed="${{ needs.all-jobs-completed.outputs.PASSED }}"
if [[ $passed != "true" ]]; then
if [[ "$PASSED" != "true" ]]; then
exit 1
fi
61 changes: 35 additions & 26 deletions .github/workflows/pr-line-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,24 +46,13 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4

- name: Determine base branch
id: get-base-branch
run: |
# Use the PR base branch if available; otherwise use the default input.
if [ -n "${{ github.event.pull_request.base.ref }}" ]; then
echo "Using PR base branch: ${{ github.event.pull_request.base.ref }}"
echo "base_branch=${{ github.event.pull_request.base.ref }}" >> "$GITHUB_OUTPUT"
else
echo "Using default base branch: ${{ inputs.base_ref }}"
echo "base_branch=${{ inputs.base_ref }}" >> "$GITHUB_OUTPUT"
fi

- name: Calculate changed lines
id: line_count
env:
BASE_BRANCH: ${{ github.event.pull_request.base.ref || inputs.base_ref }}
run: |
set -e

BASE_BRANCH="${{ steps.get-base-branch.outputs.base_branch }}"
echo "Using base branch: $BASE_BRANCH"

# Instead of a full fetch, perform incremental fetches at increasing depth
Expand Down Expand Up @@ -112,18 +101,38 @@ jobs:

- name: Check line count limit
uses: actions/github-script@v7
env:
LINES_CHANGED: ${{ steps.line_count.outputs.lines_changed }}
ADDITIONS: ${{ steps.line_count.outputs.additions }}
DELETIONS: ${{ steps.line_count.outputs.deletions }}
MAX_LINES: ${{ inputs.max_lines }}
XS_MAX_SIZE: ${{ inputs.xs_max_size }}
S_MAX_SIZE: ${{ inputs.s_max_size }}
M_MAX_SIZE: ${{ inputs.m_max_size }}
L_MAX_SIZE: ${{ inputs.l_max_size }}
with:
script: |
const total = parseInt('${{ steps.line_count.outputs.lines_changed }}') || 0;
const additions = parseInt('${{ steps.line_count.outputs.additions }}') || 0;
const deletions = parseInt('${{ steps.line_count.outputs.deletions }}') || 0;
const {
LINES_CHANGED,
ADDITIONS,
DELETIONS,
MAX_LINES,
XS_MAX_SIZE,
S_MAX_SIZE,
M_MAX_SIZE,
L_MAX_SIZE,
} = process.env;

const total = parseInt(LINES_CHANGED, 10) || 0;
const additions = parseInt(ADDITIONS, 10) || 0;
const deletions = parseInt(DELETIONS, 10) || 0;

// Thresholds from inputs with fallback to defaults
const maxLines = parseInt('${{ inputs.max_lines }}') || 1000;
const xsMaxSize = parseInt('${{ inputs.xs_max_size }}') || 10;
const sMaxSize = parseInt('${{ inputs.s_max_size }}') || 100;
const mMaxSize = parseInt('${{ inputs.m_max_size }}') || 500;
const lMaxSize = parseInt('${{ inputs.l_max_size }}') || 1000;
const maxLines = parseInt(MAX_LINES, 10) || 1000;
const xsMaxSize = parseInt(XS_MAX_SIZE, 10) || 10;
const sMaxSize = parseInt(S_MAX_SIZE, 10) || 100;
const mMaxSize = parseInt(M_MAX_SIZE, 10) || 500;
const lMaxSize = parseInt(L_MAX_SIZE, 10) || 1000;

// Print summary
console.log('Summary:');
Expand Down Expand Up @@ -155,21 +164,21 @@ jobs:

try {
const existingSizeLabels = ['size-XS', 'size-S', 'size-M', 'size-L', 'size-XL'];

// Get current labels
const currentLabels = await github.rest.issues.listLabelsOnIssue({
owner,
repo,
issue_number
});

const currentLabelNames = currentLabels.data.map(l => l.name);

// Build new label set: keep non-size labels and add the new size label
const newLabels = currentLabelNames
.filter(name => !existingSizeLabels.includes(name)) // Remove all size labels
.concat(sizeLabel); // Add the correct size label

// Check if labels need updating
const currentSizeLabel = currentLabelNames.find(name => existingSizeLabels.includes(name));
if (currentSizeLabel === sizeLabel && currentLabelNames.length === newLabels.length) {
Expand All @@ -182,7 +191,7 @@ jobs:
issue_number,
labels: newLabels
});

if (currentSizeLabel && currentSizeLabel !== sizeLabel) {
console.log(` - Replaced '${currentSizeLabel}' with '${sizeLabel}'`);
} else if (!currentSizeLabel) {
Expand Down
Loading
Loading