feat: add is-snap argument to publish-preview.yml workflow

[mikesposito]

The reusable publish-preview workflow renames each workspace's package.json#name from @metamask/... to @metamask-previews/... before running the build. This works for typical libraries but breaks for Snap packages, because:

• The Snap build (mm-snap build) embeds the package name into dist/bundle.js.
• snap.manifest.json contains a source.shasum computed over the bundle, the manifest itself (minus the shasum), the icon, and locales.
• source.location.npm.packageName in the manifest must match package.json#name at publish time.
  When the rename happens before the build, the bundle and manifest are produced against the preview scope, the shasum is computed over the contaminated bundle, and downstream clients that verify against the published @metamask/... shasum reject the snap.
  The workaround used by snap repos today (e.g. snap-tron-wallet) is to build first, then rename — but the reusable workflow had no way to express that ordering.

To fix this issue and make this workflow usable for Snaps, this PR adds a new boolean input is-snap (default false) to .github/workflows/publish-preview.yml.

Existing consumers don't need to change anything. Snap consumers add a single input:

jobs:
  publish-preview:
    uses: MetaMask/github-tools/.github/workflows/publish-preview.yml
    with:
      is-snap: true
    secrets:
      PUBLISH_PREVIEW_NPM_TOKEN: ${{ secrets.PUBLISH_PREVIEW_NPM_TOKEN }}

---

Note

Medium Risk
Changes the publish-preview reusable workflow’s build/install ordering and introduces a new secret-driven environment injection for builds, which could affect preview artifact contents and publishing behavior if misconfigured.

Overview
Updates the reusable publish-preview workflow to support Snap consumers via a new is-snap input that runs install + build before renaming package.json manifests to the preview NPM scope.

Adds optional BUILD_ENV (JSON) secret support and passes it into the build step, allowing build-time configuration/secrets without changing the workflow call. The changelog documents both additions.

^{Reviewed by Cursor Bugbot for commit 989eead. Bugbot is set up for automated code reviews on this repo. Configure here.}

[gabrieledm]

LGTM

[mikesposito]

This workflow variation has been tested on this repository:

• https://github.com/MetaMask/snap-stellar-wallet/blob/main/.github/workflows/publish-preview.yml
• test: preview builds snap-stellar-wallet#38

[mcmire]

Instead of adding a flag that's specific to a type of project, what are your thoughts on adding a flag that describes the behavior? Maybe something like:

Suggested change

	is-snap:
	description: 'Whether the consumer is a Snap. When true, the build runs before manifests are renamed so that snap artifacts (e.g. dist/bundle.js, snap.manifest.json) capture the original package name.'
	type: boolean
	required: false
	default: false
	rename-after-install-and-build:
	description: 'Governs where in the workflow that packages in the repo are renamed to use the preview build scope. If true, this step runs after the install and build steps; if false (default), it runs before. This option is mostly for Snaps so that artifacts (e.g. dist/bundle.js, snap.manifest.json) capture the original package name, not the preview build name.'
	type: boolean
	required: false
	default: false

[mcmire]

Can you associate the current PR with these changelog entries? e.g.

Suggested change

	- Add `is-snap` input to the `publish-preview` reusable workflow
	- Add `is-snap` input to the `publish-preview` reusable workflow ([#254](https://github.com/MetaMask/github-tools/pull/254))