chore: remove PR_TOKEN usage from update-latest-build-version workflow

[tommasini]

Description

PR #30402 removed PR_TOKEN from branch creation and cleanup steps in build workflows, since Patroll rotates it every ~30 minutes and stale tokens were causing intermittent failures. However, update-latest-build-version.yml still used token: ${{ secrets.PR_TOKEN || github.token }} for its checkout and version-bump push steps.

Because PR_TOKEN is captured as a non-empty string at workflow start and then revoked mid-run by Patroll, the || fallback to github.token never triggered — the revoked PAT was silently passed to actions/checkout, causing intermittent:

fatal: could not read Username for 'https://github.com': terminal prompts disabled

This PR completes the cleanup started in #30402:

• update-latest-build-version.yml: Changes token: to always use github.token. The PR_TOKEN secret declaration is kept as required: false (with a deprecation note) so existing callers (build-rc-auto.yml, runway-rc-builds.yml, runway-production-builds.yml) that still pass it explicitly continue to work — GitHub raises a validation error if a caller passes a secret not declared in the called workflow. Those callers can be cleaned up in a follow-up.
• build.yml: Replaces the explicit secrets: { PR_TOKEN: ${{ secrets.PR_TOKEN }} } mapping (which propagated the potentially-stale token) with secrets: inherit, consistent with every other reusable workflow call in the chain.

github.token is immune to Patroll rotation — it is a GitHub App installation token auto-provisioned per-job with a 6-hour TTL, not a PAT stored as a repo secret.

Changelog

CHANGELOG entry: null

Related issues

Fixes: https://consensyssoftware.atlassian.net/browse/MCWP-613

Manual testing steps

N/A

Screenshots/Recordings

Before

N/A

After

N/A

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
  • Use these power-user SRPs to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production performance metrics
  • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 7995b89. Configure here.}

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: None (no tests recommended)
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 97%

click to see 🤖 AI reasoning details

E2E Test Selection:
The two changed files are purely CI/CD workflow configuration changes:

1. .github/workflows/build.yml: Changed secrets: { PR_TOKEN: ${{ secrets.PR_TOKEN }} } to secrets: inherit when calling the reusable update-latest-build-version.yml workflow. This simplifies secret passing without changing any build behavior.

2. .github/workflows/update-latest-build-version.yml:

   • Deprecated the PR_TOKEN secret input (kept for backwards compatibility with callers)
   • Changed token: ${{ secrets.PR_TOKEN || github.token }} to token: ${{ github.token }} — migrating from a custom PAT to the built-in GitHub Actions token for checkout/push operations.

These changes are purely infrastructure/CI authentication changes. They do not affect:

• Any application source code
• Test infrastructure or test files
• Any user-facing functionality
• Build artifact content or behavior
• E2E test execution paths

No E2E tests need to run for these changes. The risk is low — the change is a straightforward token migration that maintains backwards compatibility.

Performance Test Selection:
These are pure CI workflow authentication changes with no impact on app code, rendering, data loading, or any performance-sensitive paths. No performance tests are needed.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud