MetaMask · danjm · May 23, 2024 · Apr 12, 2024 · Apr 15, 2024 · Apr 15, 2024
@@ -1344,7 +1344,7 @@ jobs:
             - test-artifacts
 
   job-publish-prerelease:
-    executor: node-browsers-small
+    executor: node-browsers-medium
     steps:
       - checkout
       - attach_workspace:
@@ -1384,13 +1384,9 @@ jobs:
           path: test-artifacts
           destination: test-artifacts
       # important: generate lavamoat viz AFTER uploading builds as artifacts
-      # Temporarily disabled until we can update to a version of `sesify` with
-      # this fix included: https://github.com/LavaMoat/LavaMoat/pull/121
-      # Disabled 2024-03-25 due to flakiness.
-      #   - see: https://github.com/MetaMask/metamask-extension/issues/23704
-      #- run:
-      #    name: build:lavamoat-viz
-      #    command: ./.circleci/scripts/create-lavamoat-viz.sh
+      - run:
+          name: build:lavamoat-viz
+          command: ./.circleci/scripts/create-lavamoat-viz.sh
       - store_artifacts:
           path: build-artifacts
           destination: build-artifacts

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+set -o pipefail
+
+# Takes in 3 args
+# - 1 - Base PR Branch Name
+# - 2 - Commit Hash
+# - 3 - PR Number
+
+BASE_PR_BRANCH_NAME="${1}"
+COMMIT_HASH_TO_CHERRY_PICK="${2}"
+PR_BRANCH_NAME="chore/cherry-pick-${3}"
+PR_TITLE="chore: cherry-pick #${3}"
+PR_BODY="This PR cherry-picks #${3}"
+
+git config user.name "MetaMask Bot"
+git config user.email "metamaskbot@users.noreply.github.com"
+
+git checkout "${BASE_PR_BRANCH_NAME}"
+git pull
+git checkout -b "${PR_BRANCH_NAME}"
+git cherry-pick "${COMMIT_HASH_TO_CHERRY_PICK}"
+
+git push --set-upstream origin "${PR_BRANCH_NAME}"
+
+gh pr create \
+  --draft \
+  --title "${PR_TITLE}" \
+  --body "${PR_BODY}" \
+  --head "${BASE_PR_BRANCH_NAME}"
@@ -10,8 +10,33 @@ BUILD_DEST="./build-artifacts/build-viz/"
 # prepare artifacts dir
 mkdir -p "${BUILD_DEST}"
 
-# generate lavamoat debug config
+# generate lavamoat debug configs
 yarn lavamoat:debug:build
+yarn lavamoat:debug:webapp --parallel=false
 
+# generate entries for all present policy dirs under lavamoat/browserify
+# static entry for build-system
+POLICY_DIR_NAMES=$(find lavamoat/browserify -maxdepth 1 -mindepth 1 -type d -printf '%f ')
+
+POLICY_FILE_PATHS_JSON=$(echo -n "${POLICY_DIR_NAMES}" \
+  | jq --raw-input --slurp --indent 0 '
+    rtrimstr(" ")
+    | split(" ")
+    | map({
+        "key": .,
+        "value": {
+          "debug":  ("lavamoat/browserify/"+.+"/policy-debug.json"),
+          "override":"lavamoat/browserify/policy-override.json",
+          "primary":("lavamoat/browserify/"+.+"/policy.json")
+        }
+      })
+    | from_entries
+    |."build-system"= {
+        "debug":   "lavamoat/build-system/policy-debug.json",
+        "override":"lavamoat/build-system/policy-override.json",
+        "primary": "lavamoat/build-system/policy.json"
+      }'
+)
 # generate viz
-npx lavamoat-viz --dest "${BUILD_DEST}"
+# shellcheck disable=SC2086
+yarn lavamoat-viz --dest "${BUILD_DEST}" --policyNames build-system ${POLICY_DIR_NAMES} --policyFilePathsJson "${POLICY_FILE_PATHS_JSON}"
@@ -54,3 +54,9 @@ privacy-snapshot.json                @MetaMask/extension-privacy-reviewers
 
 # Confirmations UX team to own code for confirmations on UI.
 ui/pages/confirmations               @MetaMask/confirmations-ux @MetaMask/confirmations-system-team
+
+# MMI team is responsible for code related with Institutioanl version of MetaMask
+ui/pages/institutional               @MetaMask/mmi
+ui/components/institutional          @MetaMask/mmi
+ui/ducks/institutional               @MetaMask/mmi
+ui/selectors/institutional           @MetaMask/mmi
@@ -12,7 +12,8 @@ It's essential to ensure that PRs have the appropriate labels before they are co
 - **release-x.y.z**: This label is automatically added to a PR and its linked issues upon the PR's merge. The `x.y.z` in the label represents the version in which the changes from the PR will be included. This label is auto-generated by a [GitHub action](../workflows/add-release-label.yml), which determines the version by incrementing the minor version number from the most recent release. Manual intervention is only required in specific cases. For instance, if a merged PR is cherry-picked into a release branch, typically done to address Release Candidate (RC) bugs, the label would need to be manually updated to reflect the correct version.
 - **regression-prod-x.y.z**: This label is automatically added to a bug report issue at the time of its creation. The `x.y.z` in the label represents the version in which the bug first appeared. This label is auto-generated by a [GitHub action](../workflows/check-template-and-add-labels.yml), which determines the `x.y.z` value based on the version information provided in the bug report issue form. Manual intervention is only necessary under certain circumstances. For example, if a user submits a bug report and specifies the version they are currently using, but the bug was actually introduced in a prior version, the label would need to be manually updated to accurately reflect the version where the bug originated.
 
-### Optional QA labels:
+### Optional labels:
+- **regression-develop**: This label can manually be added to a bug report issue at the time of its creation if the bug is present on development branch (i.e. `develop`), but is not yet released in production.
 - **needs-qa**: If the PR includes a new features, complex testing steps, or large refactors, this label must be added to indicated PR requires a full manual QA prior being merged and added to a release.
 
 ### Labels prohibited when PR needs to be merged:

@@ -0,0 +1,48 @@
+name: Notify MMI team via Slack
+
+on:
+  pull_request_target:
+    branches:
+      - develop
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - labeled
+
+jobs:
+  process-label:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
+    steps:
+      - name: Notify MMI team via Slack
+        if: contains(github.event.pull_request.labels.*.name, 'team-mmi')
+        uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844
+        with:
+          status: custom
+          fields: repo,message,commit,author,action
+          payload: |
+            {
+              "text": "A PR with label 'team-mmi' was added and requires review: ${{ github.event.pull_request.html_url }} in ${{ github.repository }}",
+              "attachments": [
+                {
+                  "color": "#2eb886",
+                  "fields": [
+                    {
+                      "title": "Repository",
+                      "value": "${{ github.repository }}",
+                      "short": true
+                    },
+                    {
+                      "title": "PR",
+                      "value": "#${{ github.event.pull_request.number }}",
+                      "short": true
+                    }
+                  ]
+                }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.MMI_LABEL_SLACK_WEBHOOK_URL }}
@@ -13,12 +13,12 @@ jobs:
     if: github.event.pull_request.merged == true
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
             fetch-depth: 0 # This is needed to checkout all branches
 
       - name: Set up Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
           cache: yarn

@@ -18,12 +18,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
             fetch-depth: 1 # This retrieves only the latest commit.
 
       - name: Set up Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
           cache: yarn

@@ -11,12 +11,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1 # This retrieves only the latest commit.
 
       - name: Set up Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
           cache: yarn

@@ -13,12 +13,12 @@ jobs:
     if: github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'Version-v')
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
             fetch-depth: 1 # This retrieves only the latest commit.
 
       - name: Set up Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
           cache: yarn

@@ -38,11 +38,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
@@ -0,0 +1,31 @@
+name: Cherry Pick Commit
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch_name:
+        description: 'Branch name you want the cherry-pick branch to be based from'
+        required: true
+      commit_hash:
+        description: 'Commit Hash'
+        required: true
+      PR_number:
+        description: 'PR # Associated with Cherry Pick'
+        required: true
+
+
+jobs:
+  cherry-pick:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Create Cherry Pick PR
+      id: create-cherry-pick-pr
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        ./scripts/create-cherry-pick-pr.sh ${{ github.event.inputs.branch_name }} ${{ github.event.inputs.commit_hash }} ${{ github.event.inputs.PR_number }}
@@ -18,7 +18,7 @@ jobs:
     steps:
 
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     - name: crowdin action
       uses: crowdin/github-action@a3160b9e5a9e00739392c23da5e580c6cabe526d

@@ -10,7 +10,7 @@ jobs:
     name: Check workflows
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Download actionlint
         id: download-actionlint
         run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.6.23

@@ -4,22 +4,22 @@ on:
     secrets:
       SONAR_TOKEN:
         required: true
-  pull_request:
-    branches:
-      - develop
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - labeled
-      - unlabeled
+#  pull_request:
+#    branches:
+#      - develop
+#    types:
+#      - opened
+#      - reopened
+#      - synchronize
+#      - labeled
+#      - unlabeled
 
 jobs:
   sonarcloud:
     name: SonarCloud
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0  # Shallow clones should be disabled for better relevancy of analysis
       - name: SonarCloud Scan

@@ -12,7 +12,8 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@72afbce2b0dbd1d903bb142cebe2d15dc307ae57
+      # this is a hash for actions/stale@v9.0.0
+      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e
         with:
           stale-issue-label: 'stale'
           only-issue-labels: 'type-bug'