ci(amo): allow release-team manual dispatch of AMO production (INFRA-3769)#44519
ci(amo): allow release-team manual dispatch of AMO production (INFRA-3769)#44519alucardzom wants to merge 1 commit into
Conversation
…3769) - Restrict production target to refs/heads/main only (was main|release/*). AMO production is timing-sensitive (~1% CWS rollout); dispatch after the release is cut from main, not from the release branch. - Expand sender gate to allow @MetaMask/release-team members in addition to Runway bot. Human actors are verified via GitHub API team-membership check before any AWS credential exchange. - Flask target keeps main|release/* branch restriction unchanged. IAM trust policy update (va-mmc-extension-submission-infra) and amo-production GitHub Environment reviewer addition are follow-up items tracked in INFRA-3769.
|
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes. |
Builds ready [e55df3f] [reused from 743cccd]
⚡ Performance Benchmarks (Total: 🟢 16 pass · 🟡 5 warn · 🔴 3 fail)
Bundle size diffs
|
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit e55df3f. Configure here.
| # Human actor — check @MetaMask/release-team membership via GitHub API. | ||
| HTTP_STATUS=$(gh api \ | ||
| "orgs/MetaMask/teams/release-team/memberships/${ACTOR}" \ | ||
| --silent -o /dev/null -w "%{http_code}" 2>/dev/null || echo "000") |
There was a problem hiding this comment.
GITHUB_TOKEN cannot verify team
High Severity
The new release-team gate calls orgs/MetaMask/teams/release-team/memberships/{actor} with secrets.GITHUB_TOKEN, but that token cannot access org team membership (it needs read:org, which workflow tokens do not get). Legitimate @MetaMask/release-team dispatches will see non-200 responses and fail as unauthorized before OIDC, so manual production dispatch cannot work as described.
Reviewed by Cursor Bugbot for commit e55df3f. Configure here.


Description
INFRA-3769 — Allow
@MetaMask/release-teamto independently trigger AMO production upload viaworkflow_dispatch.Follow-up to Mark Stacey's review of #44017:
upload-extension-to-amo.yml:Production branch restriction tightened —
productiontarget now requiresrefs/heads/mainonly (wasmain | release/*). AMO production is timing-sensitive; it must be dispatched frommainafter the release is cut, aligned with the ~1% CWS rollout milestone. Flask keepsmain | release/*unchanged.Sender gate expanded — replaces the Runway-only "Verify Runway sender" step with "Verify authorized sender" that allows:
actor_id=73448015) — existing path, unchanged@MetaMask/release-team— verified via GitHub API (GET /orgs/MetaMask/teams/release-team/memberships/{actor}) before any AWS credential exchangeNon-release-team, non-Runway actors are rejected with a clear error message.
Out of scope (follow-up tracked in INFRA-3769):
va-mmc-extension-submission-infra) — PR consensys-vertical-apps/va-mmc-extension-submission-infra#12amo-productionreviewer addition: platform ask to add@MetaMask/release-teamas required reviewersMetaMask/releases(INFRA-3676)Changelog
CHANGELOG entry: null
Related issues
Fixes:
Manual testing steps
main, dispatchupload-extension-to-amo.ymlwithtarget=productionas a@MetaMask/release-teammember → expect sender verified, continues to OIDC step.target=productionas a non-release-team actor → expect immediate failure with::error::Unauthorized actorbefore any AWS call.target=productionfrom arelease/*branch → expect branch validation failure.target=flaskfrom arelease/*branch → expect success (flask keepsmain | release/*).target=production→ sender check passes onactor_id=73448015.Screenshots/Recordings
Before
After
Pre-merge author checklist
Pre-merge reviewer checklist