chore: Remove PR_TOKEN from build workflows

[Cal-L]

Description

Since PR_TOKEN is rolled by Patroll every 30 mins, the team has been encountering step failures especially post token roll. This PR removes PR_TOKEN from workflows that do not need it, stabilizing workflows such as Nightly builds and uploading build to testflight. We'll rely on github.token instead for branch checkout + deletion steps.

Example failures-

• Nightly builds - https://github.com/MetaMask/metamask-mobile/actions/runs/26015385923/usage
• Build and upload to TestFlight - https://github.com/MetaMask/metamask-mobile/actions/runs/26098154929
• Patroll rolls PR_TOKEN every 30 min, which can make the old token stale especially if workflows are taking longer than 30 mins

@Cal-L - Once this PR is merged into main, we'll verify that the workflows do not need PR_TOKEN and further remove PR_TOKEN dependencies as needed

Changelog

CHANGELOG entry:

Related issues

Fixes: https://consensyssoftware.atlassian.net/browse/MCWP-613

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
  • Use these power-user SRPs to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production performance metrics
  • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Moderate risk because it changes authentication/permissions used by CI workflows that create and delete ephemeral build branches, which could break nightly/TestFlight pipelines if github.token lacks required access in some contexts.

Overview
Removes reliance on the rotating PR_TOKEN in build-related GitHub Actions by switching checkouts in branch-creation and cleanup jobs to use github.token instead.

Also makes the PR_TOKEN secret optional in update-latest-build-version.yml (while still falling back to github.token for checkout/push), reducing required secret wiring for callers.

^{Reviewed by Cursor Bugbot for commit fb7d7a1. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 4a2744c. Configure here.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud