chore: remove explicit secrets list from build workflow using toJSON(secrets)

[tommasini]

Description

The Set secrets step in .github/workflows/build.yml required every GitHub secret to be explicitly listed in the workflow YAML (e.g. SEGMENT_WRITE_KEY: ${{ secrets.SEGMENT_WRITE_KEY }}). This meant that adding or renaming a secret in builds.yml also required running yarn build:workflow:update-secrets to regenerate that list — a manual, easy-to-forget maintenance step.
This PR eliminates that requirement by passing the entire secrets context as a single JSON blob via toJSON(secrets), which set-secrets-from-config.js then parses at runtime. The script already had all the logic to select and remap only the relevant secrets for the active build via CONFIG_SECRETS — it just needed the values delivered differently.
Changes:

• Replace the 44-line explicit secrets env: block in build.yml with ALL_SECRETS: ${{ toJSON(secrets) }}
  Update set-secrets-from-config.js to look up secret values from the parsed ALL_SECRETS object instead of individual env vars
• Delete scripts/generate-build-workflow-secrets-env.js (no longer needed)
  Remove the build:workflow:update-secrets yarn script from package.json

To test: chore/testing-branch

Changelog

CHANGELOG entry:

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Changes CI secret plumbing for all builds; a mismatch in JSON structure/availability (or missing secrets in the environment) could cause builds to fail or run with unset config.

Overview
Build workflow secret injection is simplified by replacing the long, explicitly enumerated secrets env: block in .github/workflows/build.yml with a single ALL_SECRETS: ${{ toJSON(secrets) }} payload.

scripts/set-secrets-from-config.js now reads secret values from ALL_SECRETS when applying the CONFIG_SECRETS mapping into GITHUB_ENV, and the no-longer-needed maintenance script scripts/generate-build-workflow-secrets-env.js plus the build:workflow:update-secrets yarn script are removed.

^{Written by Cursor Bugbot for commit 14e11c5. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: None (no tests recommended)
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 92%

click to see 🤖 AI reasoning details

E2E Test Selection:
The changes are purely CI/build infrastructure modifications that simplify how GitHub secrets are passed to the build workflow. The key changes are:

1. build.yml: Replaces explicit per-secret environment variable declarations (40+ secrets) with a single ALL_SECRETS: ${{ toJSON(secrets) }} approach
2. set-secrets-from-config.js: Updated to read from the ALL_SECRETS JSON object instead of individual environment variables
3. generate-build-workflow-secrets-env.js: Deleted - this maintenance script is no longer needed
4. package.json: Removes the build:workflow:update-secrets script
5. apply-build-config.js: Minor comment update

These changes:

• Do NOT modify any application code (no components, controllers, screens, or business logic)
• Do NOT affect E2E test infrastructure (no changes to tests/, page objects, or fixtures)
• Do NOT change how the app behaves at runtime
• Only affect the CI build process for how secrets are injected

The build workflow execution itself will validate whether secrets are properly passed. If the secrets injection fails, the build would fail before any E2E tests could run anyway. No E2E tests are needed to validate these CI infrastructure changes.

Performance Test Selection:
These changes are purely CI/build infrastructure modifications that affect how secrets are passed during the GitHub Actions workflow. They do not impact any application code, UI rendering, data loading, state management, or any runtime behavior of the app. No performance tests are needed as there is zero impact on app performance.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Cal-L]

Lgtm