[pull] main from MetaMask:main

.github/CODEOWNERS

@@ -46,6 +46,7 @@ app/core/DeeplinkManager                                    @MetaMask/mobile-pla
 scripts/build.sh                                            @MetaMask/mobile-platform
 fingerprint.config.js                                       @MetaMask/mobile-platform
 builds.yml                                                  @MetaMask/mobile-platform
+.github/workflows/create-build-branch.yml                   @MetaMask/mobile-platform
 .github/workflows/push-eas-update.yml                       @MetaMask/mobile-admins
 .github/workflows/upload-to-testflight.yml                  @MetaMask/mobile-admins
 scripts/update-expo-channel.js                              @MetaMask/mobile-admins

.github/workflows/build.yml

@@ -84,6 +84,7 @@ jobs:
     outputs:
       github_environment: ${{ steps.config.outputs.github_environment }}
       secrets_json: ${{ steps.config.outputs.secrets_json }}
+      tap_and_pay_sdk_repo_ssh: ${{ steps.config.outputs.tap_and_pay_sdk_repo_ssh }}
       signing_aws_role: ${{ steps.config.outputs.signing_aws_role }}
       signing_aws_secret: ${{ steps.config.outputs.signing_aws_secret }}
       signing_android_keystore_path: ${{ steps.config.outputs.signing_android_keystore_path }}
@@ -110,6 +111,8 @@ jobs:
           const build = config.builds['${{ inputs.build_name }}'];
           fs.appendFileSync(process.env.GITHUB_OUTPUT, 'github_environment=' + build.github_environment + '\n');
           fs.appendFileSync(process.env.GITHUB_OUTPUT, 'secrets_json=' + JSON.stringify(build.secrets || {}) + '\n');
+          const env = build.env || {};
+          fs.appendFileSync(process.env.GITHUB_OUTPUT, 'tap_and_pay_sdk_repo_ssh=' + (env.TAP_AND_PAY_SDK_REPO_SSH || '') + '\n');
           const signing = build.signing;
           fs.appendFileSync(process.env.GITHUB_OUTPUT, 'signing_aws_role=' + (signing ? signing.aws_role || '' : '') + '\n');
           fs.appendFileSync(process.env.GITHUB_OUTPUT, 'signing_aws_secret=' + (signing ? signing.aws_secret || '' : '') + '\n');
@@ -241,6 +244,35 @@ jobs:
           XCODE_VERSION: '16.3'
         run: sudo xcode-select -s "/Applications/Xcode_$XCODE_VERSION.app"
 
+      # TapAndPay SDK Setup (Android only)
+      - name: Clone TapAndPay SDK
+        if: |
+          matrix.platform == 'android' &&
+          needs.prepare.outputs.tap_and_pay_sdk_repo_ssh != ''
+        run: |
+          if [ -z "$TAP_AND_PAY_SDK_SSH_KEY" ]; then
+            echo "⚠️ TAP_AND_PAY_SDK_SSH_KEY not set, skipping TapAndPay SDK clone"
+            exit 0
+          fi
+          mkdir -p ~/.ssh
+          echo "$TAP_AND_PAY_SDK_SSH_KEY" | base64 -d > ~/.ssh/tap_and_pay_key
+          chmod 600 ~/.ssh/tap_and_pay_key
+          trap 'rm -f ~/.ssh/tap_and_pay_key' EXIT
+          ssh-keyscan github.com >> ~/.ssh/known_hosts 2>/dev/null
+          eval "$(ssh-agent -s)"
+          ssh-add ~/.ssh/tap_and_pay_key
+          echo "📦 Cloning TapAndPay SDK into android/libs/..."
+          git clone --depth 1 "$TAP_AND_PAY_SDK_REPO_SSH" /tmp/tap-and-pay-sdk
+          mkdir -p android/libs
+          cp -r /tmp/tap-and-pay-sdk/* android/libs/
+          rm -rf /tmp/tap-and-pay-sdk
+          ssh-add -D
+          eval "$(ssh-agent -k)"
+          echo "✅ TapAndPay SDK installed to android/libs/"
+        env:
+          TAP_AND_PAY_SDK_SSH_KEY: ${{ secrets.TAP_AND_PAY_SDK_SSH_KEY }}
+          TAP_AND_PAY_SDK_REPO_SSH: ${{ needs.prepare.outputs.tap_and_pay_sdk_repo_ssh }}
+
       - name: Apply build config
         run: |
           # Load env vars from builds.yml (this step only)

.github/workflows/ci.yml

@@ -214,7 +214,7 @@ jobs:
           NODE_OPTIONS: --max_old_space_size=12288
 
       - name: Check bundle size
-        run: ./scripts/js-bundle-stats.sh ios/main.jsbundle 53
+        run: ./scripts/js-bundle-stats.sh ios/main.jsbundle 54
 
       - name: Upload iOS bundle
         uses: actions/upload-artifact@v4

.github/workflows/create-build-branch.yml

@@ -0,0 +1,44 @@
+name: Create Build Branch
+
+# Reusable workflow that creates an ephemeral build/<source>-<timestamp> branch
+# from a source ref. This avoids pushing version-bump commits directly to
+# protected branches (e.g. main).
+#
+# The caller is responsible for deleting the branch after use.
+
+on:
+  workflow_call:
+    inputs:
+      source_branch:
+        description: 'Branch, tag, or SHA to branch from'
+        required: true
+        type: string
+    outputs:
+      build_branch:
+        description: 'Name of the created ephemeral build branch'
+        value: ${{ jobs.create.outputs.branch_name }}
+
+jobs:
+  create:
+    name: Create build branch
+    runs-on: ubuntu-latest
+    outputs:
+      branch_name: ${{ steps.create-branch.outputs.branch_name }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.source_branch }}
+          token: ${{ secrets.PR_TOKEN || github.token }}
+      - name: Create temporary build branch
+        id: create-branch
+        env:
+          SOURCE_BRANCH: ${{ inputs.source_branch }}
+        run: |
+          TIMESTAMP=$(date +%s%3N)
+          SANITIZED=$(echo "$SOURCE_BRANCH" | tr '/' '-')
+          BRANCH_NAME="build/${SANITIZED}-${TIMESTAMP}"
+          git checkout -b "$BRANCH_NAME"
+          git push origin "$BRANCH_NAME"
+          echo "branch_name=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
+          echo "✅ Created build branch: $BRANCH_NAME"

.github/workflows/crowdin_download_translations.yml

@@ -0,0 +1,34 @@
+name: Crowdin Download Approved Translations Action
+
+on:
+  schedule:
+    - cron: '0 */12 * * *'
+  workflow_dispatch:
+
+jobs:
+  download-translations:
+    runs-on: ubuntu-latest
+    timeout-minutes: 3
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          # Use PAT to ensure that the commit later can trigger status check workflows
+          token: ${{ secrets.METAMASKBOT_CROWDIN_TOKEN }}
+
+      - name: crowdin download approved translations
+        uses: crowdin/github-action@a3160b9e5a9e00739392c23da5e580c6cabe526d
+        with:
+          upload_sources: false
+          upload_translations: false # disabled to prevent translations overwriting Blends translations
+          download_translations: true # created separate action to pull down completed translations
+          export_only_approved: true
+          pull_request_title: 'chore: New Crowdin Translations by GitHub Action'
+          github_user_name: metamaskbot
+          github_user_email: metamaskbot@users.noreply.github.com
+        env:
+          GITHUB_TOKEN: ${{ secrets.METAMASKBOT_CROWDIN_TOKEN }}
+          GITHUB_ACTOR: metamaskbot
+          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}

.github/workflows/crowdin_action.yml → .github/workflows/crowdin_upload_sources.yml

@@ -1,15 +1,14 @@
-name: Crowdin Action
+name: Crowdin Upload Sources Action
 
 on:
   push:
     branches:
       - main
-  schedule:
-    - cron: '0 */12 * * *'
 
 jobs:
-  synchronize-with-crowdin:
+  upload-sources:
     runs-on: ubuntu-latest
+    timeout-minutes: 3
 
     steps:
       - name: Checkout
@@ -18,11 +17,12 @@ jobs:
           # Use PAT to ensure that the commit later can trigger status check workflows
           token: ${{ secrets.METAMASKBOT_CROWDIN_TOKEN }}
 
-      - name: crowdin action
+      - name: crowdin upload sources
         uses: crowdin/github-action@a3160b9e5a9e00739392c23da5e580c6cabe526d
         with:
+          upload_sources: true
           upload_translations: false # disabled to prevent translations overwriting Blends translations
-          download_translations: true
+          download_translations: false # created separate action to pull down completed translations
           github_user_name: metamaskbot
           github_user_email: metamaskbot@users.noreply.github.com
         env:

.github/workflows/nightly-build-temp.yml

@@ -0,0 +1,105 @@
+name: Nightly Build (temp)
+
+# Runs on a schedule (4 AM UTC) like the old nightly-temp-branch-sync.
+# Each build creates its own ephemeral branch via create-build-branch.yml,
+# so the persistent chore/temp-nightly branch is no longer needed.
+#
+# iOS builds are handled end-to-end by upload-to-testflight-temp.yml (build + upload).
+# Android builds use create-build-branch.yml + build.yml (build artifacts only).
+#
+# rc depends on exp within each platform stream to ensure the external version
+# service produces sequential numbers (N for exp, N+1 for rc).
+# iOS and Android streams run in parallel; their version numbers will differ
+# but remain unique, which is all TestFlight / Play Store require.
+
+on:
+  schedule:
+    # NOTE: Scheduled workflows ALWAYS run from the default branch (main)
+    - cron: '0 4 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  # ── iOS exp: build + TestFlight upload ─────────────────────────────────
+  ios-exp:
+    name: Nightly iOS exp
+    uses: ./.github/workflows/upload-to-testflight-temp.yml
+    with:
+      source_branch: main
+      environment: exp
+      testflight_group: 'MetaMask BETA & Release Candidates'
+    secrets: inherit
+
+  # ── iOS rc: build + TestFlight upload (after exp for sequential versions) ─
+  ios-rc:
+    name: Nightly iOS rc
+    needs: [ios-exp]
+    uses: ./.github/workflows/upload-to-testflight-temp.yml
+    with:
+      source_branch: main
+      environment: rc
+      testflight_group: 'MetaMask BETA & Release Candidates'
+    secrets: inherit
+
+  # ── Android exp: ephemeral branch + build ──────────────────────────────
+  android-exp-branch:
+    uses: ./.github/workflows/create-build-branch.yml
+    with:
+      source_branch: main
+    secrets: inherit
+
+  android-exp:
+    name: Nightly Android exp
+    needs: [android-exp-branch]
+    uses: ./.github/workflows/build.yml
+    with:
+      build_name: main-exp
+      platform: android
+      skip_version_bump: false
+      source_branch: ${{ needs.android-exp-branch.outputs.build_branch }}
+    secrets: inherit
+
+  # ── Android rc: ephemeral branch + build (after exp for sequential versions) ─
+  android-rc-branch:
+    needs: [android-exp]
+    uses: ./.github/workflows/create-build-branch.yml
+    with:
+      source_branch: main
+    secrets: inherit
+
+  android-rc:
+    name: Nightly Android rc
+    needs: [android-rc-branch]
+    uses: ./.github/workflows/build.yml
+    with:
+      build_name: main-rc
+      platform: android
+      skip_version_bump: false
+      source_branch: ${{ needs.android-rc-branch.outputs.build_branch }}
+    secrets: inherit
+
+  # ── Cleanup Android ephemeral branches ─────────────────────────────────
+  # iOS branches are cleaned up by upload-to-testflight-temp.yml internally.
+  cleanup:
+    name: Cleanup Android build branches
+    needs: [android-exp-branch, android-rc-branch, android-exp, android-rc]
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.PR_TOKEN || github.token }}
+      - name: Delete ephemeral branches
+        env:
+          EXP_BRANCH: ${{ needs.android-exp-branch.outputs.build_branch }}
+          RC_BRANCH: ${{ needs.android-rc-branch.outputs.build_branch }}
+        run: |
+          for branch in "$EXP_BRANCH" "$RC_BRANCH"; do
+            if [ -n "$branch" ]; then
+              git push origin --delete "$branch" || true
+              echo "🧹 Deleted: $branch"
+            fi
+          done

.github/workflows/security-code-scanner.yml

@@ -24,6 +24,7 @@ jobs:
           paths_ignored: |
             tests/
             docs/
+            scripts/money-movement/debug-dashboard/
             .storybook/
             '**/*.test.js'
             '**/*.test.ts'