
ci: replace PR_TOKEN with Token Exchange Service in release workflows #31670

Draft
tommasini wants to merge 2 commits into main from chore/pr-token-replacee

Conversation

@tommasini

Contributor

Description

Replaces the PR_TOKEN personal access token (Patroll-managed) with the DevSecOps Token Exchange Service (the MetaMask/github-tools/.github/actions/get-token@v1 OIDC action) across the release-related workflows.

Why: Patroll-rotated tokens have been unreliable (rotation job not running consistently), and a long-lived PAT is broader than needed. Token Exchange mints short-lived, least-privilege tokens on demand per workflow run.

What changed (all PR_TOKEN usages removed — 0 remain in the repo):

| Workflow | Trigger(s) | Change |
| --- | --- | --- |
| commit-build-version.yml | workflow_call (reusable) | Mints contents: write; dropped the PR_TOKEN secret input |
| create-release-pr.yml | workflow_dispatch + workflow_call | One get-token step (contents/pull_requests: write, members: read); replaced all token refs; removed github-token/PR_TOKEN secrets; deleted the dispatch-vs-call ternary |
| update-release-changelog.yml | push | Mints contents/pull_requests: write (no members: read — see note) |
| publish-slack-release-testing-status.yml | schedule + workflow_dispatch | Mints contents/pull_requests: read |
| build-rc-auto.yml | push | Stopped passing PR_TOKEN; added id-token: write to caller job |
| runway-production-builds.yml | workflow_dispatch | Same |
| runway-rc-builds.yml | workflow_dispatch | Same |
| auto-create-release-pr.yml | create | Stopped passing github-token: ${{ secrets.PR_TOKEN }} |

members: read rationale: only create-release-pr.yml needs org member read, because its native path runs gen:commits (generate-rc-commits.mjs), which resolves PR author → org team. update-release-changelog.yml no longer generates commits.csv and auto-changelog --autoCategorize sorts by Conventional Commit prefix, so it does not need it.

Important

Depends on Token Exchange policies in consensys-vertical-apps/token-exchange-service (policies/metamask/metamask-mobile.rego). Reusable workflows must match via job_workflow_ref_match. These must be merged + deployed (push-acr-prod, deploy-prod) before this is functional. Also confirm the mm-token-exchange-service app has org members: read. After a green release run, the PR_TOKEN secret can be revoked.

Changelog

CHANGELOG entry: null

Related issues

Fixes: N/A

Manual testing steps

N/A — CI/release workflow changes. Validation happens once the Token Exchange policies are deployed: confirm create-release-pr, RC builds (commit-build-version), changelog update, and the Slack status job each mint a token and complete successfully on a release branch run.

Screenshots/Recordings

N/A

Pre-merge author checklist

Made with Cursor
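Added illustration of the pattern the description sets out (example YAML, not taken from this PR's diff): a job that mints a short-lived token through the get-token action instead of reading a PAT from secrets, plus the caller-side permission a reusable workflow needs. The action's `with` input and `outputs.token` name are assumptions; the real names come from the action's README and the Rego policy the token is matched against.

```yaml
# Illustrative only. Input/output names of the get-token action are assumed.
name: create-release-pr (illustrative)

on:
  workflow_dispatch:
  workflow_call:

jobs:
  create-pr:
    runs-on: ubuntu-latest
    permissions:
      # id-token: write lets the job request a GitHub OIDC token; the Token
      # Exchange Service verifies its claims (repo, ref, job_workflow_ref) against
      # policy before minting a scoped GitHub token. No long-lived secret is used.
      id-token: write
      contents: read
    steps:
      - name: Mint short-lived token via Token Exchange Service
        id: token
        uses: MetaMask/github-tools/.github/actions/get-token@v1
        with:
          # Assumed input format. The requested set must be allowed by the
          # policy for this workflow; least privilege means asking only for
          # what this job actually uses (members: read is needed here because
          # the commit generator resolves PR author -> org team).
          permissions: |
            contents: write
            pull_requests: write
            members: read

      - uses: actions/checkout@v4
        with:
          token: ${{ steps.token.outputs.token }}   # assumed output name

      - name: Open release PR with the minted token
        env:
          GH_TOKEN: ${{ steps.token.outputs.token }}
        run: gh pr create --base main --head "$GITHUB_REF_NAME" --fill

# Caller side (e.g. build-rc-auto.yml). A reusable workflow cannot hold more
# permissions than its caller grants, so the caller job must also set
# id-token: write; without it the get-token step fails to obtain an OIDC token.
#
#  build:
#    permissions:
#      id-token: write
#      contents: read
#    uses: ./.github/workflows/commit-build-version.yml
```

When a mint step fails, the first things to check are that the caller job grants `id-token: write` and that the deployed policy's `job_workflow_ref_match` covers the reusable workflow's path and ref.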

@tommasini tommasini self-assigned this Jun 12, 2026
@github-actions

Contributor

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@mm-token-exchange-service mm-token-exchange-service Bot added team-mobile-platform Mobile Platform team INVALID-PR-TEMPLATE PR's body doesn't match template labels Jun 12, 2026
@mm-token-exchange-service


PR template — items to address before "Ready for review"

Warnings — informational, address before merging:

See docs/readme/ready-for-review.md for the full Definition of Ready for Review.
