ci: extract ephemeral build branch into reusable workflow and refactor nightly builds

[tommasini]

Description

The nightly build workflow relied on a persistent chore/temp-nightly branch (synced daily by nightly-temp-branch-sync.yml) and duplicated the TestFlight upload logic that already existed in upload-to-testflight.yml. Meanwhile, upload-to-testflight.yml couldn't push version-bump commits to protected branches like main.

This PR:

1. Extracts the ephemeral branch logic into a reusable create-build-branch.yml workflow that creates build/<source>-<timestamp> branches on demand
2. Makes upload-to-testflight.yml callable by adding a workflow_call trigger alongside workflow_dispatch, so other workflows (like nightly) can reuse the full build+upload pipeline
3. Rewrites nightly-build.yml to run on a cron schedule (4 AM UTC) instead of push-triggered, calling upload-to-testflight.yml for iOS exp/rc and create-build-branch.yml + build.yml for Android exp/rc
4. Surfaces the build number in the TestFlight upload summary for testers

With these changes, nightly-temp-branch-sync.yml and scripts/create-temp-nightly-branch.sh can be retired in a follow-up.

Changelog

CHANGELOG entry: null

Related issues

Fixes:

Manual testing steps

N/A — CI workflow changes only. Verify by:

1. Triggering "Upload to TestFlight" manually with source_branch: main and confirming the ephemeral branch is created, build succeeds, and branch is cleaned up
2. Triggering "Nightly Build" via workflow_dispatch and confirming both iOS (via upload-to-testflight) and Android (via build.yml) streams complete

Screenshots/Recordings

Before

N/A

After

N/A

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Made with Cursor

---

Note

Medium Risk
Medium risk because it refactors GitHub Actions build/release automation (branch creation, version bumps, and TestFlight uploads), where small misconfigurations can break nightly delivery or leave stray branches behind.

Overview
Nightly build automation is reworked to avoid pushing version-bump commits to protected branches and to reduce duplicated CI logic. A new reusable workflow create-build-branch.yml creates build/<source>-<timestamp> branches on demand and is used by both iOS and Android build pipelines.

nightly-build.yml is converted from a push-driven temp-branch approach to a 4 AM UTC scheduled workflow, running iOS exp/rc via the reusable upload-to-testflight.yml pipeline and Android exp/rc via create-build-branch.yml + build.yml, with explicit cleanup of Android ephemeral branches. upload-to-testflight.yml is made callable (workflow_call), now builds from an ephemeral branch and cleans it up afterward, and its step summary now includes the computed build number. CODEOWNERS is updated to include the new workflow.

^{Written by Cursor Bugbot for commit f546ead. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[github-actions]

✅ E2E Fixture Validation — Schema is up to date
17 value mismatches detected (expected — fixture represents an existing user).
View details

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: None (no tests recommended)
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 97%

click to see 🤖 AI reasoning details

E2E Test Selection:
All 4 changed files are purely CI/CD infrastructure changes with no impact on application source code or test infrastructure:

1. create-build-branch.yml (NEW): A new reusable GitHub Actions workflow that creates ephemeral build/<source>-<timestamp> branches to avoid pushing version-bump commits to protected branches. Pure CI orchestration logic.

2. nightly-build.yml (REFACTORED): Trigger changed from branch push to scheduled cron (0 4 * * *). iOS builds delegated to upload-to-testflight.yml, Android builds use new create-build-branch.yml + build.yml. Removed inline version-bump logic. Added cleanup job for ephemeral branches. No app code touched.

3. upload-to-testflight.yml (EXTENDED): Added workflow_call support to make it reusable, added prepare-build-branch and cleanup-build-branch jobs. Summary display improvements. No app code touched.

4. CODEOWNERS (MINOR): Added ownership entry for the new create-build-branch.yml workflow file.

None of these changes affect:

• Application source code (no app/, src/ changes)
• E2E test infrastructure (no tests/, wdio/, Detox config changes)
• Build configuration affecting the app bundle (no package.json, metro.config.js, babel.config.js, .detoxrc.js)
• Any user-facing functionality or component

These are purely build/release pipeline improvements. Running E2E tests would provide zero validation value for these changes.

Performance Test Selection:
All changes are CI/CD workflow files with no impact on application code, UI rendering, data loading, state management, or any other performance-sensitive area. Performance tests are not warranted.

View GitHub Actions results

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

[cursor]

Build number extracted from wrong file, always wrong

Medium Severity

BUILD_NUMBER is extracted from package.json version (7.73.0) via .split('.').pop(), which always yields the semver patch number (e.g. 0), not the actual build number. The real build number (e.g. 4138) is written by set-build-version.sh into bitrise.yml, build.gradle, and project.pbxproj — but never into package.json. The summary table will display a misleading value for testers.

 

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud