chore: decouple yarn install from build job

[weitingsun]

Description

Summary
Splits dependency installation and project setup into a dedicated setup-dependencies job and passes node_modules (and related artifacts) to the build job via workflow artifacts. This keeps setup (no secrets) separate from the build (secrets, signing) and allows setup to run with retries and clear verification before the build consumes the artifact.

Test workflows:
flask-test: https://github.com/MetaMask/metamask-mobile/actions/runs/22597598384
main-exp: https://github.com/MetaMask/metamask-mobile/actions/runs/22597580993
main-test: https://github.com/MetaMask/metamask-mobile/actions/runs/22597573374
main-rc: https://github.com/MetaMask/metamask-mobile/actions/runs/22597559233
main-beta: https://github.com/MetaMask/metamask-mobile/actions/runs/22597549406

OTA workflow: https://github.com/MetaMask/metamask-mobile/actions/runs/22636342972/job/65602623716

Changelog

CHANGELOG entry: Separated yarn install from build job in build.yml

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Restructures the GitHub Actions build pipeline to rely on cross-job artifacts and platform-specific runners, which can impact build reliability (especially around native deps/symlinks and iOS pod generation). No app runtime logic changes, but failures would block release builds.

Overview
CI build pipeline now separates dependency setup from signing/build. build.yml adds a per-platform setup-dependencies job that runs yarn install/yarn setup:github-ci (with retries) and uploads a tarballed node_modules artifact; the build job no longer runs yarn install and instead downloads, extracts, and verifies the artifact (including symlink checks) before building.

Platform-specific build prep was adjusted. iOS now explicitly sets up Ruby/Xcode, installs CocoaPods in the build job (to match the runner), writes ios/.xcode.env.local for Xcode scripts, and cleans up any existing signing keychain before configuring signing.

Reusable setup workflow expanded. setup-node-modules.yml gains inputs for platform, build_name, submodule checkout, and tarball vs zip uploads; it runs on platform-specific runners when requested, applies build config for correct generated artifacts, and preserves symlinks via tarball uploads.

builds.yml removes the QUICKNODE_BSC_URL and QUICKNODE_SEI_URL secret mappings.

^{Written by Cursor Bugbot for commit 6986e5b. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[tommasini]

This seems to be duplicated, I don't think setup-node-modules.yml file needs to setup ios environment, although I'm not 100% sure

[tommasini]

We should use v1.7

Suggested change

	uses: MetaMask/github-tools/.github/actions/setup-e2e-env@v1
	uses: MetaMask/github-tools/.github/actions/setup-e2e-env@v1.7

[tommasini]

Is it really needed since we run yarn setup:github-ci?

[weitingsun]

removed and only add setup node and setup Ruby, will retest OTA

[tommasini]

Argh, it seems that it should be 1.7.0

[tommasini]

Is this something that could cache a build, and in the future bring the wrong build to the artifact? If yes, maybe it's a risk not worth taken, to speed up Xcode builds

[tommasini]

Why paths wouldn't be or couldn't be correct here that we would need to re install pods?

[weitingsun]

we don't run pod install in setup-node-modules because it has to be on the same runner when we build iOS. I've modified the comment.

[tommasini]

Suggested change

	uses: MetaMask/github-tools/.github/actions/setup-e2e-env@v1
	uses: MetaMask/github-tools/.github/actions/setup-e2e-env@v1.7

[tommasini]

Wondering if running yarn install on this action make us vulnerable to post install scripts attacks

[weitingsun]

Good catching, replacing it with Ruby + CocoaPods + Xcode

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: None (no tests recommended)
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 90%

click to see 🤖 AI reasoning details

E2E Test Selection:
The changes in this PR are purely CI/CD infrastructure changes affecting the production build workflow (build.yml) and the reusable node_modules setup workflow (setup-node-modules.yml), plus a minor removal of two secrets from builds.yml.

Key findings:

1. build.yml changes: Refactored to use a new setup-dependencies job that creates node_modules tarballs, changed from hardcoded Node.js v20 to .nvmrc, restructured iOS setup steps (Ruby, Xcode, CocoaPods), added keychain cleanup. These are build optimization changes.

2. setup-node-modules.yml changes: Added new inputs (platform, build_name, use-tarball, checkout-submodules), platform-specific runners, tarball creation to preserve symlinks. This is a reusable workflow enhancement.

3. builds.yml changes: Removed QUICKNODE_BSC_URL and QUICKNODE_SEI_URL secrets - infrastructure secrets not used in E2E tests.

Why no E2E tests needed:

• The E2E test workflows (run-e2e-workflow.yml, run-e2e-smoke-tests-*.yml) do NOT use setup-node-modules.yml - they have their own setup using MetaMask/github-tools/.github/actions/setup-e2e-env
• No application code is changed
• No test code or test infrastructure is changed
• The changes are focused on optimizing the production build process, not the E2E test pipeline
• The build workflow changes will be validated by the build workflow itself when it runs

These CI/CD changes don't require E2E test validation as they don't affect the app functionality or the E2E test execution path.

Performance Test Selection:
These changes are purely CI/CD infrastructure changes affecting build workflows (build.yml, setup-node-modules.yml) and build configuration (builds.yml). No application code is changed that could impact app performance. The changes optimize the build process (tarball artifacts, platform-specific runners) but don't affect runtime performance of the app. No performance tests are needed.

View GitHub Actions results