MetaMask · LimitedVERSE · Sep 1, 2025 · Sep 1, 2025 · Sep 1, 2025 · Sep 1, 2025
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -0,0 +1,51 @@
+# Copilot AI Agent Instructions for MetaMask Extension
+
+## Project Overview
+- **MetaMask Extension** is a browser extension for Ethereum-based blockchain interactions. It supports Chrome, Firefox, and Chromium browsers.
+- The codebase is modular, with clear separation between background logic, UI, build system, and shared libraries.
+- Key directories:
+  - `app/`: Core extension logic, background scripts, controllers (e.g., `metamask-controller.js`, `TransactionController`).
+  - `ui/`: React-based UI, component library, state management (Redux, Context, hooks).
+  - `shared/`: Shared constants, utilities, and logic between background and UI.
+  - `development/`: Build scripts, dev tools, and workflow automation.
+  - `docs/`: Architecture, workflows, and refactoring guides.
+
+## Build & Development Workflows
+- **Local build:**
+  - Use `yarn start` for a watched development build (fast, no LavaMoat).
+  - Use `yarn dist` for a production build (outputs to `builds/`).
+  - Use `yarn webpack` for custom dev builds (see `development/webpack/README.md`).
+- **Environment setup:**
+  - Copy `.metamaskrc.dist` to `.metamaskrc` and set `INFURA_PROJECT_ID` (see root `README.md`).
+  - For Segment/Sentry debugging, set `SEGMENT_WRITE_KEY`/`SENTRY_DSN` in `.metamaskrc`.
+- **Testing:**
+  - E2E and integration tests are in `test/` (see sub-`README.md` files for details).
+- **Component development:**
+  - Use `ui/components/component-library/` for design-system-aligned components. Prefer `Box`-based layout and design tokens.
+
+## Architecture & Patterns
+- **Background logic:**
+  - `app/scripts/metamask-controller.js` glues together controllers for transactions, messages, and approvals.
+  - Transaction and message handling is migrating to `@metamask/transaction-controller` and `@metamask/message-manager` (see `docs/confirmation-refactoring/confirmation-backend-architecture/README.md`).
+- **UI state:**
+  - Use Redux state (`state.metamask`) as the single source of truth.
+  - Use hooks and React Context for derived/temporary UI state (see `docs/confirmation-refactoring/confirmation-state-management/README.md`).
+- **Build transforms:**
+  - Custom Browserify transforms (e.g., `remove-fenced-code.js`) enable build-type-specific code inclusion (see `development/build/transforms/README.md`).
+
+## Conventions & Gotchas
+- **Feature flags:** Use `.manifest-overrides.json` and `MANIFEST_OVERRIDES` for custom builds.
+- **Design tokens:** Use MetaMask design tokens for UI colors/styles; avoid hardcoded hex values.
+- **Component patterns:** Use polymorphic `as` prop and style utility props for layout (see `component-library/README.md`).
+- **Refactoring:** See `docs/confirmation-refactoring/` for ongoing architectural changes and best practices.
+
+## References
+- [Root `README.md`](../README.md)
+- [Development workflow](../development/README.md)
+- [Build system](../development/build/README.md)
+- [Component library](../ui/components/component-library/README.md)
+- [Confirmation refactoring docs](../docs/confirmation-refactoring/)
+
+---
+
+**If unsure about a workflow or pattern, check the referenced READMEs or ask for clarification.**
diff --git a/.github/workflows/add-release-label.yml b/.github/workflows/add-release-label.yml
@@ -24,12 +24,15 @@ jobs:
         id: get-next-semver-version
         env:
           FORCE_NEXT_SEMVER_VERSION: ${{ vars.FORCE_NEXT_SEMVER_VERSION }}
-        run: ./get-next-semver-version.sh "$FORCE_NEXT_SEMVER_VERSION"
+        run: |
+          set -e
+          NEXT_SEMVER_VERSION=$(./get-next-semver-version.sh "$FORCE_NEXT_SEMVER_VERSION")
+          echo "NEXT_SEMVER_VERSION=$NEXT_SEMVER_VERSION" >> $GITHUB_OUTPUT
         working-directory: '.github/scripts'
 
       - name: Add release label to PR and linked issues
         id: add-release-label-to-pr-and-linked-issues
         env:
-          RELEASE_LABEL_TOKEN: ${{ secrets.RELEASE_LABEL_TOKEN }}
-          NEXT_SEMVER_VERSION: ${{ env.NEXT_SEMVER_VERSION }}
+          RELEASE_LABEL_TOKEN: ${{ secrets.RELEASE_LABEL_TOKEN || '' }}
+          NEXT_SEMVER_VERSION: ${{ steps.get-next-semver-version.outputs.NEXT_SEMVER_VERSION }}
         run: yarn run add-release-label-to-pr-and-linked-issues
-          RELEASE_LABEL_TOKEN: ${{ secrets.RELEASE_LABEL_TOKEN || '' }}
-          NEXT_SEMVER_VERSION: ${{ steps.get-next-semver-version.outputs.NEXT_SEMVER_VERSION }}
-        run: yarn run add-release-label-to-pr-and-linked-issues
+          RELEASE_LABEL_TOKEN: ${{ secrets.RELEASE_LABEL_TOKEN }}
+          NEXT_SEMVER_VERSION: ${{ steps.get-next-semver-version.outputs.NEXT_SEMVER_VERSION }}
+        run: |
+          if [ -z "$RELEASE_LABEL_TOKEN" ]; then
+            echo "ERROR: RELEASE_LABEL_TOKEN secret is not set. Failing workflow."
+            exit 1
+          fi
+          yarn run add-release-label-to-pr-and-linked-issues
-          RELEASE_LABEL_TOKEN: ${{ secrets.RELEASE_LABEL_TOKEN || '' }}
-          NEXT_SEMVER_VERSION: ${{ steps.get-next-semver-version.outputs.NEXT_SEMVER_VERSION }}
-        run: yarn run add-release-label-to-pr-and-linked-issues
+          RELEASE_LABEL_TOKEN: ${{ secrets.RELEASE_LABEL_TOKEN }}
+          NEXT_SEMVER_VERSION: ${{ steps.get-next-semver-version.outputs.NEXT_SEMVER_VERSION }}
+        run: |
+          if [ -z "$RELEASE_LABEL_TOKEN" ]; then
+            echo "ERROR: RELEASE_LABEL_TOKEN secret is not set. Failing workflow."
+            exit 1
+          fi
+          yarn run add-release-label-to-pr-and-linked-issues
diff --git a/.github/workflows/add-team-label.yml b/.github/workflows/add-team-label.yml
@@ -1,5 +1,4 @@
 name: Add team label
-
 on:
   pull_request:
     types:

diff --git a/.github/workflows/auto-update-pr-targeting-release.yml b/.github/workflows/auto-update-pr-targeting-release.yml
@@ -9,7 +9,7 @@ on:
 jobs:
   auto-update:
     name: Auto-update
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     env:
       YARN_ENABLE_IMMUTABLE_INSTALLS: false
       YARN_ENABLE_HARDENED_MODE: false

diff --git a/.github/workflows/automated-rca.yml b/.github/workflows/automated-rca.yml
@@ -1,5 +1,4 @@
 name: Automated RCA
-
 on:
   issues:
     types: [closed]

diff --git a/.github/workflows/benchmark-pr.yml b/.github/workflows/benchmark-pr.yml
@@ -22,7 +22,7 @@ on:
 jobs:
   benchmark-pr:
     name: Run Page Load Benchmarks
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     env:
       PR_COMMENT_TOKEN: ${{ secrets.PR_COMMENT_TOKEN }}
       OWNER: ${{ github.repository_owner }}

diff --git a/.github/workflows/build-ts-migration-dashboard.yml b/.github/workflows/build-ts-migration-dashboard.yml
@@ -8,7 +8,7 @@ on:
 
 jobs:
   build-ts-migration-dashboard:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     env:
       # For a `pull_request` event, the branch is `github.head_ref``.
       # For a `push` event, the branch is `github.ref_name`.

diff --git a/.github/workflows/changelog-check.yml b/.github/workflows/changelog-check.yml
@@ -1,7 +1,7 @@
 name: Check Changelog
 
 on:
-  pull_request:
+  pull_request: 
     types: [opened, synchronize, labeled, unlabeled]
 
 jobs:

diff --git a/.github/workflows/check-attributions.yml b/.github/workflows/check-attributions.yml
@@ -8,7 +8,7 @@ on:
 
 jobs:
   check-attributions:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     steps:
       - name: Checkout and setup environment
         uses: MetaMask/action-checkout-and-setup@v1

diff --git a/.github/workflows/check-pr-labels.yml b/.github/workflows/check-pr-labels.yml
@@ -16,7 +16,7 @@ concurrency:
 
 jobs:
   check-pr-labels:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     permissions:
       pull-requests: read
 

diff --git a/.github/workflows/check-pr-max-lines.yml b/.github/workflows/check-pr-max-lines.yml
@@ -1,5 +1,4 @@
 name: 'Check PR Max Lines'
-
 on:
   pull_request:
     types:

diff --git a/.github/workflows/check-template-and-add-labels.yml b/.github/workflows/check-template-and-add-labels.yml
@@ -8,7 +8,7 @@ on:
 
 jobs:
   check-template-and-add-labels:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     steps:
       - name: Checkout and setup environment
         uses: MetaMask/action-checkout-and-setup@v1

diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
@@ -24,7 +24,6 @@ jobs:
         with:
           path-to-signatures: 'cla.json'
           url-to-cladocument: 'https://metamask.io/cla'
-          # This branch can't have protections, commits are made directly to the specified branch.
           branch: 'cla-signatures'
           allowlist: 'dependabot[bot],metamaskbot,crowdin-bot,runway-github[bot]'
           allow-organization-members: true

diff --git a/.github/workflows/close-bug-report.yml b/.github/workflows/close-bug-report.yml
@@ -9,7 +9,7 @@ on:
 
 jobs:
   close-bug-report:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     if: github.event.pull_request.merged == true && ( startsWith(github.event.pull_request.head.ref, 'Version-v') || startsWith(github.event.pull_request.head.ref, 'release/') )
     steps:
       - name: Checkout and setup environment

diff --git a/.github/workflows/create-bug-report.yml b/.github/workflows/create-bug-report.yml
@@ -1,10 +1,9 @@
 name: Create release bug report issue when release branch gets created
 
 on: create
-
 jobs:
   create-bug-report:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     steps:
       - name: Extract version from branch name if release branch
         id: extract_version

diff --git a/.github/workflows/create-cherry-pick-pr.yml b/.github/workflows/create-cherry-pick-pr.yml
@@ -15,7 +15,7 @@ on:
 
 jobs:
   cherry-pick:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
 
     steps:
       - name: Checkout code

diff --git a/.github/workflows/crowdin-action.yml b/.github/workflows/crowdin-action.yml
@@ -1,9 +1,9 @@
-name: Crowdin Action
+name: Crowdin Action 
 
 on:
   push:
     branches:
-    branches:
+    branches:
+      - main
-    branches:
+    branches:
+      - main
-      - main
+      - QYX20
   schedule:
     - cron: '0 */12 * * *'
 

diff --git a/.github/workflows/e2e-chrome.yml b/.github/workflows/e2e-chrome.yml
@@ -1,7 +1,7 @@
 # This workflow is meant to better structure the main.yaml one for redability reasons.
 # It is not meant to be a reusable workflow.
 
-name: E2E Chrome
+name: E2E Chrome 
 
 on:
   workflow_call:
@@ -92,7 +92,7 @@ jobs:
   test-e2e-chrome-api-specs-alert-on-failure:
     needs:
       - test-e2e-chrome-api-specs
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     if: ${{ github.event_name == 'pull_request' && vars.AWS_CLOUDFRONT_URL && vars.AWS_REGION && vars.AWS_IAM_ROLE && vars.AWS_S3_BUCKET && failure() }}
     env:
       GITHUB_TOKEN: ${{ secrets.PR_COMMENT_TOKEN }}
@@ -133,7 +133,7 @@ jobs:
   test-e2e-chrome-api-specs-multichain-alert-on-failure:
     needs:
       - test-e2e-chrome-api-specs-multichain
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     if: ${{ github.event_name == 'pull_request' && vars.AWS_CLOUDFRONT_URL && vars.AWS_REGION && vars.AWS_IAM_ROLE && vars.AWS_S3_BUCKET && failure() }}
     env:
       GITHUB_TOKEN: ${{ secrets.PR_COMMENT_TOKEN }}
@@ -172,7 +172,7 @@ jobs:
       - test-e2e-chrome-vault-decryption
       - test-e2e-chrome-api-specs
       - test-e2e-chrome-api-specs-multichain
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     if: ${{ !cancelled() }}
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/e2e-firefox.yml b/.github/workflows/e2e-firefox.yml
@@ -40,7 +40,7 @@ jobs:
     needs:
       - test-e2e-firefox-browserify
       - test-e2e-firefox-flask
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     if: ${{ !cancelled() }}
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/fitness-functions.yml b/.github/workflows/fitness-functions.yml
@@ -9,7 +9,7 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     steps:
       - name: Checkout and setup environment
         uses: MetaMask/action-checkout-and-setup@v1

diff --git a/.github/workflows/flaky-test-report.yml b/.github/workflows/flaky-test-report.yml
@@ -2,19 +2,30 @@ name: Flaky test report
 
 on:
   schedule:
-    # Once every day from Monday-Friday at 08:00 UTC
-    - cron: 0 8 * * 1-5
+    # Once every day from Monday-Friday at 10:00 UTC
+    - cron: 0 10 * * 1-5
 
 permissions:
   contents: read
   actions: read
 
 jobs:
   flaky-test-report:
-    uses: MetaMask/github-tools/.github/workflows/flaky-test-report.yml@main
-    with:
-      repository: ${{ github.event.repository.name }}
-      workflow_id: main.yml
-    secrets:
-      github-token: ${{ secrets.GITHUB_TOKEN }}
-      slack-webhook-flaky-tests: ${{ secrets.SLACK_WEBHOOK_FLAKY_TESTS }}
+    runs-on: ubuntu-latest
+    env:
+      OWNER: ${{ github.repository_owner }}
+      REPOSITORY: ${{ github.event.repository.name }}
+      WORKFLOW_ID: main.yml
+      BRANCH: ${{ github.ref_name }}
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
+        with:
+          is-high-risk-environment: false
+          skip-allow-scripts: true
+          yarn-custom-url: ${{ vars.YARN_URL }}
+
+      - name: Create flaky test report
+        run: yarn tsx .github/scripts/create-flaky-test-report.ts
diff --git a/.github/workflows/identify-codeowners.yml b/.github/workflows/identify-codeowners.yml
@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   identify-codeowners:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     steps:
       - name: Checkout and setup environment
         uses: MetaMask/action-checkout-and-setup@v1

diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml
@@ -0,0 +1,51 @@
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll with GitHub Pages dependencies preinstalled
+
+on:
+  # Runs on pushes targeting the default branch
+  push:
+    branches: ["QYX20"]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+  group: "pages"
+  cancel-in-progress: true
+
+jobs:
+  # Build job
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Pages
+        uses: actions/configure-pages@v5
+      - name: Build with Jekyll
+        uses: actions/jekyll-build-pages@v1
+        with:
+          source: ./
+          destination: ./_site
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
+
+  # Deployment job
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4
diff --git a/.github/workflows/locales-only.yml b/.github/workflows/locales-only.yml
@@ -11,7 +11,7 @@ jobs:
   locales-only:
     # For the `pull_request` event, the branch is `github.head_ref``.
     if: ${{ github.head_ref == 'l10n_crowdin_action' }}
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps: