chore: Validate envs and secrets during build time

[Cal-L]

Description

This safeguard is a follow up to catch malformed envs and secrets during build time to prevent issues similar to incident 1578. If any issues are detected during build time, the Build Mobile App workflow will fail with a message listing the offending value

Changelog

CHANGELOG entry:

Related issues

Fixes: https://consensyssoftware.atlassian.net/browse/MCWP-564

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
  • Use these power-user SRPs to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production performance metrics
  • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

^{Cursor Bugbot is generating a summary for commit 3547f68. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: None (no tests recommended)
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 98%

click to see 🤖 AI reasoning details

E2E Test Selection:
All 4 changed files are purely build/CI validation scripts in the scripts/ directory:

1. scripts/lib/validate-value.js - New shared utility for hygiene-checking CI-injected values (secrets, env vars). Detects trailing whitespace, control chars, invisible Unicode, etc. Pure Node.js utility with no app code dependency.

2. scripts/lib/validate-value.test.js - Unit tests for the above utility. Jest tests for the script, not Detox E2E tests.

3. scripts/validate-build-config.js - Modified to use checkValue for validating builds.yml env entries. Build-time validation only.

4. scripts/validate-secrets-from-config.js - Refactored to use checkValue for richer secret validation with GitHub Actions annotations. CI pre-build step only.

None of these changes touch:

• App source code (no app/ directory changes)
• E2E test infrastructure (no tests/ directory changes)
• CI workflow files (no .github/workflows/ changes)
• Any controllers, Engine, or UI components
• Navigation, modals, or any user-facing flows

These are purely build-time CI validation scripts that run before the app is compiled. They have zero impact on app behavior, user flows, or E2E test execution. No E2E tests need to run to validate these changes — they are validated by their own unit tests (validate-value.test.js).

Performance Test Selection:
No performance-relevant changes. All modifications are to build/CI validation scripts with no impact on app rendering, data loading, state management, or any user-facing flows.

View GitHub Actions results

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 3547f68. Configure here.}

[cursor]

Offset messages mix character indices with byte lengths

Low Severity

len is computed via Buffer.byteLength(str, 'utf8') (byte count), but crIndex, nulIndex, ctrlMatch.index, and zwMatch.index are JavaScript string character indices. The error messages combine them as offset ${index}/${len}, presenting a character position alongside a byte total. For any non-ASCII content these are different units, making the diagnostic output misleading — e.g., a \r at character index 4 in "café\r" would read offset 4/6 because é is two bytes in UTF-8.

Additional Locations (2)

• scripts/lib/validate-value.js#L129-L130
• scripts/lib/validate-value.js#L142-L143

 

^{Reviewed by Cursor Bugbot for commit 3547f68. Configure here.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud