From 4d2666eeb055d0bc9f128703cfa3dc3ea2d4da8c Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Thu, 26 Feb 2026 01:20:10 +0100 Subject: [PATCH 1/5] feat: use reusable prepare-preview-builds action from github-tools Replace the local prepare-preview-builds script with the new composite action from github-tools. Remove the now-unused scripts and package.json entry. --- .github/workflows/publish-preview.yml | 6 +++- package.json | 1 - scripts/prepare-preview-builds.jq | 9 ----- scripts/prepare-preview-builds.sh | 50 --------------------------- 4 files changed, 5 insertions(+), 61 deletions(-) delete mode 100644 scripts/prepare-preview-builds.jq delete mode 100755 scripts/prepare-preview-builds.sh diff --git a/.github/workflows/publish-preview.yml b/.github/workflows/publish-preview.yml index f591a0b894f..4b3cce08ee6 100644 --- a/.github/workflows/publish-preview.yml +++ b/.github/workflows/publish-preview.yml @@ -39,7 +39,11 @@ jobs: - name: Get commit SHA id: commit-sha run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" - - run: yarn prepare-preview-builds @metamask-previews ${{ steps.commit-sha.outputs.COMMIT_SHA }} + - name: Prepare preview builds + uses: MetaMask/github-tools/.github/actions/prepare-preview-builds@prepare-preview-builds-action + with: + npm-scope: '@metamask-previews' + commit-hash: ${{ steps.commit-sha.outputs.COMMIT_SHA }} - run: yarn build - name: Upload build artifacts uses: actions/upload-artifact@v6 diff --git a/package.json b/package.json index 4078304ca15..a281201bc41 100644 --- a/package.json +++ b/package.json @@ -30,7 +30,6 @@ "lint:misc": "prettier --no-error-on-unmatched-pattern '**/*.json' '**/*.md' '**/*.yml' '!.yarnrc.yml' '!merged-packages/**' --ignore-path .gitignore", "lint:teams": "tsx scripts/lint-teams-json.ts", "prepack": "./scripts/prepack.sh", - "prepare-preview-builds": "./scripts/prepare-preview-builds.sh", "setup": "yarn install", "test": "yarn test:scripts --silent --collectCoverage=false --reporters=jest-silent-reporter && yarn test:packages", "test:clean": "yarn workspaces foreach --all --parallel --verbose run test:clean && yarn test", diff --git a/scripts/prepare-preview-builds.jq b/scripts/prepare-preview-builds.jq deleted file mode 100644 index a523e49fb8d..00000000000 --- a/scripts/prepare-preview-builds.jq +++ /dev/null @@ -1,9 +0,0 @@ -# The name is overwritten, causing the package to get published under a -# different NPM scope than non-preview builds. -.name |= sub("@metamask/"; "\($npm_scope)/") | - -# The prerelease version is overwritten, preserving the non-prerelease portion -# of the version. Technically we'd want to bump the non-prerelease portion as -# well if we wanted this to be SemVer-compliant, but it was simpler not to. -# This is just for testing, it doesn't need to strictly follow SemVer. -.version |= split("-")[0] + "-preview-\($hash)" diff --git a/scripts/prepare-preview-builds.sh b/scripts/prepare-preview-builds.sh deleted file mode 100755 index bae0c32070b..00000000000 --- a/scripts/prepare-preview-builds.sh +++ /dev/null @@ -1,50 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -# This script prepares a package to be published as a preview build -# to GitHub Packages. - -if [[ $# -eq 0 ]]; then - echo "Missing commit hash." - exit 1 -fi - -# We don't want to assume that preview builds will be published alongside -# "production" versions. There are security- and aesthetic-based advantages to -# keeping them separate. -npm_scope="$1" - -# We use the short commit hash as the prerelease version. This ensures each -# preview build is unique and can be linked to a specific commit. -shorthash="$2" - -prepare-preview-manifest() { - local manifest_file="$1" - - # jq does not support in-place modification of files, so a temporary file is - # used to store the result of the operation. The original file is then - # overwritten with the temporary file. - jq --raw-output --arg npm_scope "$npm_scope" --arg hash "$shorthash" --from-file scripts/prepare-preview-builds.jq "$manifest_file" > temp.json - mv temp.json "$manifest_file" -} - -# Add resolutions to the root manifest so that @metamask/* imports continue -# to resolve from the local workspace after packages are renamed to the -# preview scope. Without this, yarn resolves @metamask/* from the npm -# registry, which causes build failures when workspace packages contain -# type changes not yet published. -echo "Adding workspace resolutions to root manifest..." -resolutions="$(yarn workspaces list --no-private --json \ - | jq --slurp 'reduce .[] as $pkg ({}; .[$pkg.name] = "portal:./" + $pkg.location)')" -jq --argjson resolutions "$resolutions" '.resolutions = ((.resolutions // {}) + $resolutions)' package.json > temp.json -mv temp.json package.json - -echo "Preparing manifests..." -while IFS=$'\t' read -r location name; do - echo "- $name" - prepare-preview-manifest "$location/package.json" -done < <(yarn workspaces list --no-private --json | jq --slurp --raw-output 'map(select(.location != ".")) | map([.location, .name]) | map(@tsv) | .[]') - -echo "Installing dependencies..." -yarn install --no-immutable From 0668d17ec6e26305d51222be43c7cacab4f7b66a Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Thu, 26 Feb 2026 16:20:59 +0100 Subject: [PATCH 2/5] chore: add temporary workflow to test prepare-preview-builds action --- .../workflows/test-preview-builds-action.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .github/workflows/test-preview-builds-action.yml diff --git a/.github/workflows/test-preview-builds-action.yml b/.github/workflows/test-preview-builds-action.yml new file mode 100644 index 00000000000..d5ddc9fb3fd --- /dev/null +++ b/.github/workflows/test-preview-builds-action.yml @@ -0,0 +1,33 @@ +name: Test prepare-preview-builds action + +on: + workflow_dispatch: + +jobs: + test-prepare-preview-builds: + name: Test prepare preview builds + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v2 + with: + is-high-risk-environment: true + - name: Get commit SHA + id: commit-sha + run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" + - name: Prepare preview builds + uses: MetaMask/github-tools/.github/actions/prepare-preview-builds@prepare-preview-builds-action + with: + npm-scope: '@metamask-previews' + commit-hash: ${{ steps.commit-sha.outputs.COMMIT_SHA }} + - name: Verify manifests were renamed + run: | + # Check that at least one package was renamed to the preview scope + renamed=$(jq -r '.name' packages/*/package.json | grep '@metamask-previews/' | head -5) + if [[ -z "$renamed" ]]; then + echo "::error::No packages were renamed to @metamask-previews scope" + exit 1 + fi + echo "Renamed packages (sample):" + echo "$renamed" From 5fdebc2abdf6ec5f72bd634e87d3d869371d05ac Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Thu, 26 Feb 2026 16:26:51 +0100 Subject: [PATCH 3/5] Revert "chore: add temporary workflow to test prepare-preview-builds action" This reverts commit 0668d17ec6e26305d51222be43c7cacab4f7b66a. --- .../workflows/test-preview-builds-action.yml | 33 ------------------- 1 file changed, 33 deletions(-) delete mode 100644 .github/workflows/test-preview-builds-action.yml diff --git a/.github/workflows/test-preview-builds-action.yml b/.github/workflows/test-preview-builds-action.yml deleted file mode 100644 index d5ddc9fb3fd..00000000000 --- a/.github/workflows/test-preview-builds-action.yml +++ /dev/null @@ -1,33 +0,0 @@ -name: Test prepare-preview-builds action - -on: - workflow_dispatch: - -jobs: - test-prepare-preview-builds: - name: Test prepare preview builds - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 - with: - is-high-risk-environment: true - - name: Get commit SHA - id: commit-sha - run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" - - name: Prepare preview builds - uses: MetaMask/github-tools/.github/actions/prepare-preview-builds@prepare-preview-builds-action - with: - npm-scope: '@metamask-previews' - commit-hash: ${{ steps.commit-sha.outputs.COMMIT_SHA }} - - name: Verify manifests were renamed - run: | - # Check that at least one package was renamed to the preview scope - renamed=$(jq -r '.name' packages/*/package.json | grep '@metamask-previews/' | head -5) - if [[ -z "$renamed" ]]; then - echo "::error::No packages were renamed to @metamask-previews scope" - exit 1 - fi - echo "Renamed packages (sample):" - echo "$renamed" From e078b8302c62fee29d65183c991bea224d9a7195 Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Thu, 26 Feb 2026 16:35:15 +0100 Subject: [PATCH 4/5] chore: point prepare-preview-builds action at v1 tag --- .github/workflows/publish-preview.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-preview.yml b/.github/workflows/publish-preview.yml index 4b3cce08ee6..2b529aa956e 100644 --- a/.github/workflows/publish-preview.yml +++ b/.github/workflows/publish-preview.yml @@ -40,7 +40,7 @@ jobs: id: commit-sha run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" - name: Prepare preview builds - uses: MetaMask/github-tools/.github/actions/prepare-preview-builds@prepare-preview-builds-action + uses: MetaMask/github-tools/.github/actions/prepare-preview-builds@v1 with: npm-scope: '@metamask-previews' commit-hash: ${{ steps.commit-sha.outputs.COMMIT_SHA }} From 39b4fe36a08bdfec9b333e15e58219453cdd1ae0 Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Fri, 27 Feb 2026 00:31:16 +0100 Subject: [PATCH 5/5] feat: use reusable publish-preview workflow from github-tools --- .github/workflows/publish-preview.yml | 110 ++------------------------ 1 file changed, 7 insertions(+), 103 deletions(-) diff --git a/.github/workflows/publish-preview.yml b/.github/workflows/publish-preview.yml index 2b529aa956e..dbc39f6f5b2 100644 --- a/.github/workflows/publish-preview.yml +++ b/.github/workflows/publish-preview.yml @@ -5,107 +5,11 @@ on: types: created jobs: - is-fork-pull-request: - name: Determine whether this issue comment was on a pull request from a fork - if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot publish-preview') }} - runs-on: ubuntu-latest - outputs: - IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }} - steps: - - uses: actions/checkout@v5 - - name: Determine whether this PR is from a fork - id: is-fork - run: echo "IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "${PR_NUMBER}" )" >> "$GITHUB_OUTPUT" - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PR_NUMBER: ${{ github.event.issue.number }} - - build-preview: - name: Build preview - needs: is-fork-pull-request - if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }} - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - - name: Check out pull request - run: gh pr checkout "${PR_NUMBER}" - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PR_NUMBER: ${{ github.event.issue.number }} - - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 - with: - is-high-risk-environment: true - - name: Get commit SHA - id: commit-sha - run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" - - name: Prepare preview builds - uses: MetaMask/github-tools/.github/actions/prepare-preview-builds@v1 - with: - npm-scope: '@metamask-previews' - commit-hash: ${{ steps.commit-sha.outputs.COMMIT_SHA }} - - run: yarn build - - name: Upload build artifacts - uses: actions/upload-artifact@v6 - with: - name: preview-build-artifacts - include-hidden-files: true - retention-days: 4 - path: | - ./yarn.lock - ./package.json - ./packages/*/ - !./packages/*/node_modules/ - !./packages/*/src/ - !./packages/*/tests/ - !./packages/**/*.test.* - publish-preview: - name: Publish preview - needs: build-preview - permissions: - pull-requests: write - environment: default-branch - runs-on: ubuntu-latest - steps: - - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 - with: - is-high-risk-environment: true - - name: Restore build artifacts - uses: actions/download-artifact@v7 - with: - name: preview-build-artifacts - # The artifact package.json files come from the PR branch. - # A malicious PR could inject lifecycle scripts (prepack/postpack) that - # execute during `yarn npm publish` with the NPM token in the environment - # (enableScripts: false does NOT prevent pack/publish lifecycle scripts). - # It could also override publishConfig.registry to exfiltrate the token. - - name: Validate artifact manifests - run: | - bad=0 - for f in packages/**/package.json; do - if jq -e '.scripts // {} | keys[] | select(test("^(pre|post)(pack|publish)"))' "$f" > /dev/null 2>&1; then - echo "::error::Forbidden lifecycle script in $f" - bad=1 - fi - reg=$(jq -r '.publishConfig.registry // ""' "$f") - if [[ -n "$reg" && "$reg" != "https://registry.npmjs.org/" ]]; then - echo "::error::Unexpected registry in $f: $reg" - bad=1 - fi - done - exit "$bad" - - name: Reconcile workspace state - run: yarn install --no-immutable - - name: Publish preview builds - run: yarn workspaces foreach --no-private --all exec yarn npm publish --tag preview - env: - YARN_NPM_AUTH_TOKEN: ${{ secrets.PUBLISH_PREVIEW_NPM_TOKEN }} - - name: Generate preview build message - run: yarn tsx scripts/generate-preview-build-message.ts - - name: Post build preview in comment - run: gh pr comment "${PR_NUMBER}" --body-file preview-build-message.txt - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PR_NUMBER: ${{ github.event.issue.number }} + if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot publish-preview') }} + uses: MetaMask/github-tools/.github/workflows/publish-preview.yml@prepare-preview-builds-action + with: + environment: default-branch + docs-url: 'https://github.com/MetaMask/core/blob/main/docs/processes/preview-builds.md' + secrets: + PUBLISH_PREVIEW_NPM_TOKEN: ${{ secrets.PUBLISH_PREVIEW_NPM_TOKEN }}