defi-wonderland · 0xDiscotech · Dec 9, 2025 · Dec 2, 2025 · Dec 2, 2025 · Dec 2, 2025
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.github/actions/docker-build-prep/action.yml b/.github/actions/docker-build-prep/action.yml
@@ -0,0 +1,40 @@
+name: 'Docker Build Prep'
+description: 'Prepare environment for docker builds (checkout, kona version, git versions)'
+
+outputs:
+  versions:
+    description: 'JSON object mapping image names to their GIT_VERSION'
+    value: ${{ steps.compute_versions.outputs.versions }}
+  kona_version:
+    description: 'KONA_VERSION from kona/version.json'
+    value: ${{ steps.kona.outputs.version }}
+  date:
+    description: 'Current date in YYYYMMDD format'
+    value: ${{ steps.date.outputs.date }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Get date
+      id: date
+      shell: bash
+      run: |
+        DATE=$(date +%Y%m%d)
+        echo "date=$DATE" >> $GITHUB_OUTPUT
+
+    - name: Read KONA_VERSION from kona/version.json
+      id: kona
+      shell: bash
+      run: |
+        KONA_VERSION=$(jq -r .version kona/version.json)
+        echo "version=$KONA_VERSION" >> $GITHUB_OUTPUT
+        echo "KONA_VERSION: $KONA_VERSION"
+
+    - name: Compute GIT_VERSION for all images
+      id: compute_versions
+      shell: bash
+      run: |
+        VERSIONS=$(GIT_COMMIT="${{ github.sha }}" make compute-git-versions)
+        echo "versions=$VERSIONS" >> $GITHUB_OUTPUT
+        echo "Computed versions: $VERSIONS"
+
diff --git a/.github/workflows/branches.yaml b/.github/workflows/branches.yaml
@@ -0,0 +1,122 @@
+name: branch build
+
+on:
+  push:
+    branches:
+      - 'develop'
+  pull_request:
+    branches:
+      - 'develop'
+    paths:
+      - 'ops/docker/**'
+      - 'packages/contracts-bedrock/**'
+      - 'docker-bake.hcl'
+      - '.github/workflows/branches.yaml'
+      - 'ops/scripts/compute-git-versions.sh'
+
+jobs:
+  prep:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      versions: ${{ steps.prep.outputs.versions }}
+      kona_version: ${{ steps.prep.outputs.kona_version }}
+      date: ${{ steps.prep.outputs.date }}
+    steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2
+        with:
+          egress-policy: audit
+      - name: Checkout
+        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6
+        with:
+          fetch-depth: 0
+      - uses: ./.github/actions/docker-build-prep
+        id: prep
+
+  local:
+    needs: prep
+    # only build if push to develop, or PR from a local branch (not a fork)
+    if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)
+    strategy:
+      fail-fast: false
+      matrix:
+        image_name:
+          - op-node
+          - op-batcher
+          - op-deployer
+          - op-faucet
+          - op-program
+          - op-proposer
+          - op-challenger
+          - op-dispute-mon
+          - op-conductor
+          - da-server
+          - op-supervisor
+          - op-supernode
+          - op-test-sequencer
+          - cannon
+          - op-dripper
+          - op-interop-mon
+    uses: ethereum-optimism/factory/.github/workflows/docker.yaml@d04222c229c50320f513afe678b3264869ea11a9
+    with:
+      mode: bake
+      image_name: ${{ matrix.image_name }}
+      bake_file: docker-bake.hcl
+      target: ${{ matrix.image_name }}
+      tag: ${{ github.event_name == 'push' && 'develop' || format('pr-{0}', github.event.pull_request.number) }}
+      gcp_project_id: ${{ vars.GCP_PROJECT_ID_OPLABS_TOOLS_ARTIFACTS }}
+      registry: us-docker.pkg.dev/oplabs-tools-artifacts/oss
+      env: |
+        GIT_VERSION=${{ fromJson(needs.prep.outputs.versions)[matrix.image_name] }}
+        KONA_VERSION=${{ needs.prep.outputs.kona_version }}
+      set: |
+        *.args.GIT_COMMIT=${{ github.sha }}
+        *.args.GIT_DATE=${{ needs.prep.outputs.date }}
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+
+  fork:
+    needs: prep
+    # only build if PR from a fork
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository
+    strategy:
+      fail-fast: false
+      matrix:
+        image_name:
+          - op-node
+          - op-batcher
+          - op-deployer
+          - op-faucet
+          - op-program
+          - op-proposer
+          - op-challenger
+          - op-dispute-mon
+          - op-conductor
+          - da-server
+          - op-supervisor
+          - op-supernode
+          - op-test-sequencer
+          - cannon
+          - op-dripper
+          - op-interop-mon
+    uses: ethereum-optimism/factory/.github/workflows/docker.yaml@d04222c229c50320f513afe678b3264869ea11a9
+    with:
+      mode: bake
+      image_name: ${{ matrix.image_name }}
+      bake_file: docker-bake.hcl
+      target: ${{ matrix.image_name }}
+      tag: 24h
+      registry: ttl.sh/${{ github.sha }}
+      env: |
+        GIT_VERSION=${{ fromJson(needs.prep.outputs.versions)[matrix.image_name] }}
+        KONA_VERSION=${{ needs.prep.outputs.kona_version }}
+      set: |
+        *.args.GIT_COMMIT=${{ github.sha }}
+        *.args.GIT_DATE=${{ needs.prep.outputs.date }}
+    permissions:
+      contents: read
+
diff --git a/.github/workflows/protected.yaml b/.github/workflows/protected.yaml
diff --git a/.github/workflows/tags.yaml b/.github/workflows/tags.yaml
@@ -0,0 +1,53 @@
+name: tag build
+
+on:
+  push:
+    tags:
+      - '*/v*' # Match tags like op-node/v1.2.3
+
+jobs:
+  prep:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      image_name: ${{ steps.parse-tag.outputs.image_name }}
+      version: ${{ steps.parse-tag.outputs.version }}
+      versions: ${{ steps.prep.outputs.versions }}
+      kona_version: ${{ steps.prep.outputs.kona_version }}
+    steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2
+        with:
+          egress-policy: audit
+      - name: Checkout
+        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6
+        with:
+          fetch-depth: 0
+      - uses: ./.github/actions/docker-build-prep
+        id: prep
+      - name: Parse tag
+        uses: ethereum-optimism/factory/actions/parse-tag@240b16167a5f5aa789270fa9c0efbfa9f010b7e7
+        id: parse-tag
+
+  release:
+    needs: prep
+    uses: ethereum-optimism/factory/.github/workflows/docker.yaml@d04222c229c50320f513afe678b3264869ea11a9
+    with:
+      mode: bake
+      image_name: ${{ needs.prep.outputs.image_name }}
+      bake_file: docker-bake.hcl
+      target: ${{ needs.prep.outputs.image_name }}
+      tag: ${{ needs.prep.outputs.version }}
+      gcp_project_id: ${{ vars.GCP_PROJECT_ID_OPLABS_TOOLS_ARTIFACTS }}
+      registry: us-docker.pkg.dev/oplabs-tools-artifacts/oss
+      env: |
+        GIT_VERSION=${{ fromJson(needs.prep.outputs.versions)[needs.prep.outputs.image_name] }}
+        KONA_VERSION=${{ needs.prep.outputs.kona_version }}
+      set: |
+        *.args.GIT_COMMIT=${{ github.sha }}
+        *.args.GIT_DATE=${{ github.event.head_commit.timestamp }}
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
diff --git a/.github/workflows/unprotected.yaml b/.github/workflows/unprotected.yaml
diff --git a/.semgrep/rules/sol-rules.yaml b/.semgrep/rules/sol-rules.yaml
@@ -322,6 +322,8 @@ rules:
         - packages/contracts-bedrock/src/L1/OPContractsManager.sol
         - packages/contracts-bedrock/src/L1/opcm/OPContractsManagerV2.sol
         - packages/contracts-bedrock/src/L1/opcm/OPContractsManagerContainer.sol
+        - packages/contracts-bedrock/src/L1/opcm/OPContractsManagerUtils.sol
+        - packages/contracts-bedrock/src/L1/opcm/OPContractsManagerUtilsCaller.sol
         - packages/contracts-bedrock/src/L1/OptimismPortal2.sol
         - packages/contracts-bedrock/src/L1/OptimismPortalInterop.sol
         - packages/contracts-bedrock/src/L2/FeeVault.sol