MetaMask · mikesposito · Jun 11, 2026 · May 20, 2026 · May 20, 2026 · Jun 9, 2026
diff --git a/.github/workflows/publish-preview.yml b/.github/workflows/publish-preview.yml
@@ -23,6 +23,11 @@ on:
         type: boolean
         required: false
         default: true
+      rename-after-install-and-build:
+        description: 'Governs where in the workflow that packages in the repo are renamed to use the preview build scope. If true, this step runs after the install and build steps; if false (default), it runs before. This option is mostly for Snaps so that artifacts (e.g. dist/bundle.js, snap.manifest.json) capture the original package name, not the preview build name.'
+        type: boolean
+        required: false
+        default: false
       environment:
         description: 'GitHub environment for the publish job (e.g., default-branch). Empty = no gate.'
         type: string
@@ -46,6 +51,9 @@ on:
     secrets:
       PUBLISH_PREVIEW_NPM_TOKEN:
         required: true
+      BUILD_ENV:
+        description: 'JSON object of environment variables to pass to the build step (e.g. ''{"FOO":"bar","API_URL":"https://..."}''). Use this for build-time configuration and secrets needed by the build command.'
+        required: false
 
 jobs:
   is-fork-pull-request:
@@ -100,7 +108,28 @@ jobs:
         id: commit-sha
         run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
 
-      - name: Prepare preview builds
+      - name: Install dependencies (pre-build)
+        if: ${{ inputs.rename-after-install-and-build }}
+        run: yarn install --no-immutable
+
+      - name: Mask build environment values
+        env:
+          BUILD_ENV: ${{ secrets.BUILD_ENV }}
+        run: |
+          if [[ -n "$BUILD_ENV" ]]; then
+            while IFS= read -r line; do
+              if [[ -n "$line" ]]; then
+                echo "::add-mask::$line"
+              fi
+            done < <(jq --raw-output '.[] | tostring' <<< "$BUILD_ENV")
+          fi
+
+      - name: Build (pre-rename)
+        if: ${{ inputs.rename-after-install-and-build }}
+        env: ${{ fromJSON(secrets.BUILD_ENV || '{}') }}
+        run: ${{ inputs.build-command }}
+
+      - name: Prepare preview manifests
         env:
           NPM_SCOPE: ${{ inputs.npm-scope }}
           COMMIT_SHA: ${{ steps.commit-sha.outputs.COMMIT_SHA }}
@@ -139,10 +168,12 @@ jobs:
             prepare_manifest package.json
           fi
 
-          echo "Installing dependencies..."
-          yarn install --no-immutable
+      - name: Install dependencies
+        run: yarn install --no-immutable
 
-      - name: Build
+      - name: Build (post-rename)
+        if: ${{ !inputs.rename-after-install-and-build }}
+        env: ${{ fromJSON(secrets.BUILD_ENV || '{}') }}
         run: ${{ inputs.build-command }}
 
       - name: Upload build artifacts (monorepo)

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add `rename-after-install-and-build` input to the `publish-preview` reusable workflow ([#254](https://github.com/MetaMask/github-tools/pull/254))
+  - When set to `true`, the workflow installs dependencies and runs the build _before_ renaming workspace manifests to the preview NPM scope. This ensures snap artifacts (e.g. `dist/bundle.js`, `snap.manifest.json` and its `source.shasum`) are produced with the original `@metamask/...` package name.
+  - Defaults to `false` to preserve existing behavior for non-snap consumers.
+- Add `BUILD_ENV` secret input to the `publish-preview` reusable workflow
+  - Accepts a JSON object of environment variables that will be passed to the build step (e.g. `'{"API_URL":"https://...","LOG_LEVEL":"all"}'`). Useful when the build command needs additional configuration or secret values to produce a valid preview build.
+
 ## [1.12.0]
 
 ### Changed