Attest docker images

.github/workflows/docker-build-scan.yaml

@@ -68,3 +68,102 @@ jobs:
           source: .
           files: docker-bake.hcl
           targets: op-node,op-batcher,op-proposer,op-conductor,op-dispute-mon
+
+  # Attest images
+  attest-op-stack:
+    runs-on: ubuntu-latest
+    needs: [detect-files-changed, build-op-stack]
+    if: |
+      contains(needs.detect-files-changed.outputs.files-changed, 'go.sum') ||
+      contains(needs.detect-files-changed.outputs.files-changed, 'ops/docker') ||
+      contains(needs.detect-files-changed.outputs.files-changed, 'op-node/') ||
+      contains(needs.detect-files-changed.outputs.files-changed, 'op-batcher/') ||
+      contains(needs.detect-files-changed.outputs.files-changed, 'op-conductor/') ||
+      contains(needs.detect-files-changed.outputs.files-changed, 'op-challenger/') ||
+      contains(needs.detect-files-changed.outputs.files-changed, 'op-dispute-mon/') ||
+      contains(needs.detect-files-changed.outputs.files-changed, 'op-proposer/') ||
+      contains(needs.detect-files-changed.outputs.files-changed, 'op-service/') ||
+      contains(needs.detect-files-changed.outputs.files-changed, '.github/workflows/docker-build-scan.yaml') ||
+      github.event_name == 'workflow_dispatch' ||
+      true
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+      artifact-metadata: write
+    env:
+      GIT_COMMIT: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+      GIT_DATE: ${{ github.event.head_commit.timestamp }}
+      IMAGE_TAGS: ${{ (github.event_name == 'push' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/celo')) && 'latest,' || '') }}${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+      REGISTRY: us-west1-docker.pkg.dev
+      REPOSITORY: blockchaintestsglobaltestnet/dev-images
+    steps:
+      - uses: 'google-github-actions/auth@v2'
+        id: auth1
+        with:
+          workload_identity_provider: projects/1094498259535/locations/global/workloadIdentityPools/gh-optimism/providers/github-by-repos
+          service_account: [email protected]
+          token_format: access_token
+      - name: Auth w/ registry
+        uses: docker/login-action@v3
+        with:
+          registry: us-west1-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.auth1.outputs.access_token }}
+      - name: Set up crane
+        uses: imjasonh/[email protected]
+      - name: Resolve op-node image digest
+        id: op_node_digest
+        run: |
+          digest="$(crane digest "${REGISTRY}/${REPOSITORY}/op-node:${GIT_COMMIT}")"
+          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
+      - name: Attest op-node image
+        uses: actions/[email protected]
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/op-node
+          subject-digest: ${{ steps.op_node_digest.outputs.digest }}
+          push-to-registry: true
+      - name: Resolve op-batcher image digest
+        id: op_batcher_digest
+        run: |
+          digest="$(crane digest "${REGISTRY}/${REPOSITORY}/op-batcher:${GIT_COMMIT}")"
+          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
+      - name: Attest op-batcher image
+        uses: actions/[email protected]
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/op-batcher
+          subject-digest: ${{ steps.op_batcher_digest.outputs.digest }}
+          push-to-registry: true
+      - name: Resolve op-proposer image digest
+        id: op_proposer_digest
+        run: |
+          digest="$(crane digest "${REGISTRY}/${REPOSITORY}/op-proposer:${GIT_COMMIT}")"
+          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
+      - name: Attest op-proposer image
+        uses: actions/[email protected]
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/op-proposer
+          subject-digest: ${{ steps.op_proposer_digest.outputs.digest }}
+          push-to-registry: true
+      - name: Resolve op-conductor image digest
+        id: op_conductor_digest
+        run: |
+          digest="$(crane digest "${REGISTRY}/${REPOSITORY}/op-conductor:${GIT_COMMIT}")"
+          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
+      - name: Attest op-conductor image
+        uses: actions/[email protected]
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/op-conductor
+          subject-digest: ${{ steps.op_conductor_digest.outputs.digest }}
+          push-to-registry: true
+      - name: Resolve op-dispute-mon image digest
+        id: op_dispute_mon_digest
+        run: |
+          digest="$(crane digest "${REGISTRY}/${REPOSITORY}/op-dispute-mon:${GIT_COMMIT}")"
+          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
+      - name: Attest op-dispute-mon image
+        uses: actions/[email protected]
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/op-dispute-mon
+          subject-digest: ${{ steps.op_dispute_mon_digest.outputs.digest }}
+          push-to-registry: true

.github/workflows/docker-publish-release.yaml

@@ -53,3 +53,56 @@ jobs:
           source: .
           files: docker-bake.hcl
           targets: op-node,op-batcher
+
+  # Attest images
+  attest-op-stack:
+    runs-on: ubuntu-latest
+    needs: [Set-Tags, build-op-stack]
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+      artifact-metadata: write
+    env:
+      IMAGE_TAGS: ${{ needs.Set-Tags.outputs.tags }}
+      REGISTRY: us-west1-docker.pkg.dev
+      REPOSITORY: devopsre/celo-blockchain-public
+    steps:
+      - uses: 'google-github-actions/auth@v2'
+        id: auth1
+        with:
+          workload_identity_provider: projects/1094498259535/locations/global/workloadIdentityPools/gh-optimism/providers/github-by-repos
+          service_account: [email protected]
+          token_format: access_token
+      - name: Auth w/ registry
+        uses: docker/login-action@v3
+        with:
+          registry: us-west1-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.auth1.outputs.access_token }}
+      - name: Set up crane
+        uses: imjasonh/[email protected]
+      - name: Resolve op-node image digest
+        id: op_node_digest
+        run: |
+          image_tag="${IMAGE_TAGS%%,*}"
+          digest="$(crane digest "${REGISTRY}/${REPOSITORY}/op-node:${image_tag}")"
+          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
+      - name: Attest op-node image
+        uses: actions/[email protected]
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/op-node
+          subject-digest: ${{ steps.op_node_digest.outputs.digest }}
+          push-to-registry: true
+      - name: Resolve op-batcher image digest
+        id: op_batcher_digest
+        run: |
+          image_tag="${IMAGE_TAGS%%,*}"
+          digest="$(crane digest "${REGISTRY}/${REPOSITORY}/op-batcher:${image_tag}")"
+          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
+      - name: Attest op-batcher image
+        uses: actions/[email protected]
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/op-batcher
+          subject-digest: ${{ steps.op_batcher_digest.outputs.digest }}
+          push-to-registry: true