feat: modify OTA workflow

[weitingsun]

Description

In the current workflow, the OTA PR needs to point to a base that is the same as the branch that we are applying the OTA to. However, this does not work because when we have a release branch, since the base is always stable so we will need to change the base branch whenever we run OTA update.

In this PR:

• Get rid of hash commit input. We don't really need it because we will remove the approval if a new commit is pushed and we will always use the latest commit
• We get the latest commit hash in the OTA PR and output it in the workflow
• Remove the restriction on the OTA base branch. In the OTA PR, it shouldn't matter which base branch it's pointing to. We will compare the fingerprint to the actual release tag that the OTA is applying (which is one of the inputs when triggering the workflow)

workflow run: https://github.com/MetaMask/metamask-mobile/actions/runs/23026234415

Changelog

CHANGELOG entry: Removed OTA workflow commit hash input

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Medium risk because it changes the OTA release workflow’s source-of-truth for what gets built/published and removes prior base-branch/commit validation, which could result in publishing an unintended revision if PR context is wrong.

Overview
Updates the OTA push-eas-update workflow to publish from a PR’s current HEAD commit rather than a user-supplied commit SHA.

Reworks .github/scripts/validate-pr-commit.sh to resolve and output commit_sha for a given PR_NUMBER (no longer validates COMMIT_HASH or BASE_BRANCH), and wires this new output through checkout, dependency setup, fingerprint comparison, and the final push step; the manual commit_hash input and the old “validate PR contains commit” job are removed.

^{Written by Cursor Bugbot for commit 2d9dcd1. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: None (no tests recommended)
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 85%

click to see 🤖 AI reasoning details

E2E Test Selection:
The changes are limited to CI infrastructure files: .github/workflows/push-eas-update.yml and .github/scripts/validate-pr-commit.sh. There are no modifications to application source code, controllers, UI components, navigation, state management, or test infrastructure related to Detox E2E flows.

• push-eas-update.yml affects the EAS update workflow (deployment pipeline), not runtime app behavior.
• validate-pr-commit.sh is a PR commit validation script and does not impact app logic or user flows.

Since no wallet features, controllers, confirmations, network logic, account management, trading flows, snaps, or performance-sensitive areas were modified, running E2E feature test suites would not provide additional safety value for this PR.

There is also no indication that Detox configuration, test runners, or E2E workflow execution logic was modified.

Therefore, no E2E tags are required for functional validation of this change set.

Performance Test Selection:
No application runtime code, UI rendering logic, controller state management, asset loading, or startup logic was modified. The changes are limited to CI workflow and validation scripts, which have no impact on app performance characteristics. Therefore, performance tests are not required.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Cal-L]

Lgtm