fix: safeguard whitespaces #29153

Merged
tommasini merged 2 commits into release/7.73.1 from fix/safeguard-against-whitespaces-secrets-7.73.1
Apr 22, 2026
@tommasini tommasini commented Apr 22, 2026

Description

Cherry pick: #29151

Changelog

CHANGELOG entry:

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

Performance checks (if applicable)

  • I've tested on Android
    • Ideally on a mid-range device; emulator is acceptable
  • I've tested with a power user scenario
    • Use these power-user SRPs to import wallets with many accounts and tokens
  • I've instrumented key operations with Sentry traces for production performance metrics

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and/or screenshots.

Note

Medium Risk
Touches CI secret injection and env-var remapping used during builds; a mistake could break build pipelines or alter expected secret values, though changes are limited to trimming surrounding whitespace and adding validation.

Overview
Build workflows now defensively strip leading/trailing whitespace from CI secrets before exporting them to the build environment, and warn when trimming occurs.

GitHub Actions builds additionally fail fast if any mapped env var still contains surrounding whitespace via a new scripts/check-env-whitespace.js step after set-secrets-from-config.js, reducing the chance of shipping binaries with broken OAuth/API keys caused by trailing newlines.

Reviewed by Cursor Bugbot for commit 216761d. Bugbot is set up for automated code reviews on this repo.

@tommasini tommasini requested review from a team as code owners April 22, 2026 07:07
@github-actions

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@metamaskbotv2 metamaskbotv2 Bot added the team-mobile-platform Mobile Platform team label Apr 22, 2026
@github-actions github-actions Bot added size-M risk-low Low testing needed · Low bug introduction risk labels Apr 22, 2026
@github-actions github-actions Bot added risk-low Low testing needed · Low bug introduction risk and removed risk-low Low testing needed · Low bug introduction risk labels Apr 22, 2026
@github-actions

🔍 Smart E2E Test Selection

  • Selected E2E tags: None (no tests recommended)
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: low
  • AI Confidence: 97%
🤖 AI reasoning details

E2E Test Selection:
All 4 changed files are purely CI/build infrastructure:

  1. .github/workflows/build.yml: Adds a new CI step to run check-env-whitespace.js after secrets are applied. This is a build pipeline validation step only.

  2. scripts/build.sh: Adds defensive whitespace trimming in the remapEnvVariable function. This only affects how environment variables are set during the build process — no app code is changed.

  3. scripts/check-env-whitespace.js: A new validation script that checks environment variables for leading/trailing whitespace. Runs at build time only, never shipped to the app.

  4. scripts/set-secrets-from-config.js: Enhanced to trim whitespace from secret values before writing to GITHUB_ENV, with improved warning messages.

None of these changes affect:

  • Any application source code or UI components
  • Any controllers, Engine, or state management
  • Any E2E test infrastructure (page objects, fixtures, test files)
  • Any navigation, modals, confirmations, or user flows

These are purely defensive build-time improvements to prevent malformed secrets (with trailing newlines) from being baked into the JS bundle. The changes are semantically no-ops for well-formed secrets and only add protective validation. No E2E tests need to run to validate these changes, and there is no performance impact.

Performance Test Selection:
All changes are build-time CI scripts and workflow steps. No application code, rendering logic, state management, or user flows are affected. There is zero performance impact on the running app.

View GitHub Actions results
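
A sketch of the two-stage safeguard described in this thread: trim each secret with a warning before export, then fail if any mapped variable still carries surrounding whitespace. This is an added example, not the contents of scripts/set-secrets-from-config.js or scripts/check-env-whitespace.js; all function names and sample values are hypothetical.

```javascript
// Added illustration with hypothetical names; not the repository's scripts.

// Trim one secret before export. The warning carries only the variable name
// and the number of characters removed, so it is safe to print in CI logs.
// Note: trim() removes spaces, tabs, CR/LF, NBSP and U+FEFF, but not
// zero-width characters such as U+200B.
function sanitizeSecret(name, raw) {
  const value = String(raw).trim();
  const removed = String(raw).length - value.length;
  const warning = removed > 0
    ? `WARN ${name}: stripped ${removed} surrounding whitespace char(s)`
    : null;
  return { value, warning };
}

// Stage 1: produce the env map to export plus the warnings to log.
function prepareEnv(secrets) {
  const env = {};
  const warnings = [];
  for (const [name, raw] of Object.entries(secrets)) {
    const { value, warning } = sanitizeSecret(name, raw);
    env[name] = value;
    if (warning) warnings.push(warning);
  }
  return { env, warnings };
}

// Stage 2: independent gate run after export. Returns the names of mapped
// variables whose value still has leading or trailing whitespace.
function findWhitespaceOffenders(env, mappedNames) {
  return mappedNames.filter(
    (n) => typeof env[n] === 'string' && env[n] !== env[n].trim()
  );
}

// Constructed sample values, not real secrets.
const sampleSecrets = { OAUTH_CLIENT_ID: 'abc123\n', API_KEY: '  k-42\t', CLEAN: 'tok' };
const prepared = prepareEnv(sampleSecrets);
// A variable that reached the environment by another path, bypassing stage 1.
const finalEnv = { ...prepared.env, REMAPPED_KEY: 'v\r\n' };
const offenders = findWhitespaceOffenders(finalEnv, Object.keys(finalEnv));

prepared.warnings.forEach((w) => console.log(w));
console.log(offenders.length ? `FAIL: ${offenders.join(', ')}` : 'OK');
```

In a pipeline, the second stage would end the job with a non-zero exit code whenever the offender list is non-empty.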

@tommasini tommasini merged commit f1b2194 into release/7.73.1 Apr 22, 2026
46 of 49 checks passed
@tommasini tommasini deleted the fix/safeguard-against-whitespaces-secrets-7.73.1 branch April 22, 2026 07:33
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 22, 2026