infra: parallelise attestation verifies, drop fee-quoting verify

preflightVerifyImages now runs gh attestation verify concurrently via
promisified execFile + Promise.all, deduping by image:tag first. Status
prints in input order after all verifies settle so output ordering is
preserved. For deploy-agents running all three roles this cuts
preflight latency from sequential 3× to a single round-trip worth.

Also drop the fee-quoting verify call: DockerImageRepos.FEE_QUOTING is
not built by any workflow in this repo, so the verify always failed
and trained operators to bypass the banner. Left a comment to restore
verification when/if the image gets a build+sign workflow.

Author: paulbalaji

typescript/infra/scripts/fee-quoting/deploy-fee-quoting.ts

@@ -5,9 +5,7 @@ import {
   rootLogger,
 } from '@hyperlane-xyz/utils';
 
-import { DockerImageRepos, mainnetDockerTags } from '../../config/docker.js';
 import { FeeQuotingHelmManager } from '../../src/fee-quoting/helm.js';
-import { verifyImagesAndConfirm } from '../../src/utils/attestation.js';
 import { HelmCommand } from '../../src/utils/helm.js';
 import {
   assertCorrectKubeContext,
@@ -24,13 +22,9 @@ async function main() {
 
   await assertCorrectKubeContext(getEnvironmentConfig(environment));
 
-  await verifyImagesAndConfirm([
-    {
-      component: 'fee-quoting',
-      image: DockerImageRepos.FEE_QUOTING,
-      tag: mainnetDockerTags.feeQuoting,
-    },
-  ]);
+  // Note: FEE_QUOTING image is not built by a workflow in this repo and
+  // therefore has no attestation to verify. Add attestation verify here
+  // once the image is built + signed by CI.
 
   const helmManager = new FeeQuotingHelmManager(
     environment,

typescript/infra/src/utils/attestation.ts

@@ -1,6 +1,9 @@
 import { confirm } from '@inquirer/prompts';
 import chalk from 'chalk';
-import { execSync } from 'child_process';
+import { execFile } from 'child_process';
+import { promisify } from 'util';
+
+const execFileP = promisify(execFile);
 
 const DEFAULT_REPO = 'hyperlane-xyz/hyperlane-monorepo';
 const YOUNG_BUILD_THRESHOLD_MS = 60 * 60 * 1000; // 1h
@@ -33,12 +36,13 @@ export async function verifyImageAttestation({
 }): Promise<AttestationStatus> {
   const ref = `oci://${image}:${tag}`;
   try {
-    const raw = execSync(
-      `gh attestation verify ${ref} --repo ${repo} --format json`,
-      { stdio: ['ignore', 'pipe', 'pipe'] },
-    ).toString();
+    const { stdout } = await execFileP(
+      'gh',
+      ['attestation', 'verify', ref, '--repo', repo, '--format', 'json'],
+      { maxBuffer: 10 * 1024 * 1024 },
+    );
 
-    const finishedOn = extractFinishedOn(raw);
+    const finishedOn = extractFinishedOn(stdout);
     if (!finishedOn) {
       return { verified: true };
     }
@@ -205,19 +209,26 @@ export async function preflightVerifyImages(refs: ImageRef[]): Promise<{
   allVerified: boolean;
   results: Array<{ ref: ImageRef; status: AttestationStatus }>;
 }> {
+  const unique: ImageRef[] = [];
   const seen = new Set<string>();
-  const results: Array<{ ref: ImageRef; status: AttestationStatus }> = [];
-  let allVerified = true;
-
   for (const ref of refs) {
     const key = `${ref.image}:${ref.tag}`;
     if (seen.has(key)) continue;
     seen.add(key);
+    unique.push(ref);
+  }
+
+  const statuses = await Promise.all(
+    unique.map((ref) =>
+      verifyImageAttestation({ image: ref.image, tag: ref.tag }),
+    ),
+  );
 
-    const status = await verifyImageAttestation({
-      image: ref.image,
-      tag: ref.tag,
-    });
+  const results: Array<{ ref: ImageRef; status: AttestationStatus }> = [];
+  let allVerified = true;
+  for (let i = 0; i < unique.length; i++) {
+    const ref = unique[i];
+    const status = statuses[i];
     printAttestationStatus(ref, status);
     results.push({ ref, status });
     if (!status.verified) allVerified = false;