infra: extend attestation preflight to all image-deploy scripts

Factor a verifyImagesAndConfirm helper into src/utils/attestation.ts
and wire it into every infra deploy script that deploys an image
from config/docker.ts:

- agents (unchanged call site, now uses helper)
- key-funder (unchanged call site, now uses helper)
- rebalancer (NODE_SERVICES)
- warp-monitor (NODE_SERVICES)
- check-warp-deploy (MONOREPO, cronjob)
- fee-quoting (FEE_QUOTING)

Each script now shows build age for its deploy image and prompts
before Helm, with a bold red banner + flipped default on verify fail.

Author: paulbalaji

typescript/infra/scripts/agents/deploy-agents.ts

@@ -5,7 +5,7 @@ import { execSync } from 'child_process';
 import { DockerImageRepos } from '../../config/docker.js';
 import { createAgentKeysIfNotExistsWithPrompt } from '../../src/agents/key-utils.js';
 import { RootAgentConfig } from '../../src/config/agent/agent.js';
-import { preflightVerifyImages } from '../../src/utils/attestation.js';
+import { verifyImagesAndConfirm } from '../../src/utils/attestation.js';
 import {
   checkAgentImageExists,
   checkMonorepoImageExists,
@@ -115,25 +115,7 @@ async function verifyAgentAttestationsWithPrompt(agentConfig: RootAgentConfig) {
       tag,
     }));
 
-  if (refs.length === 0) return;
-
-  console.log(chalk.grey.italic('Verifying image attestations...'));
-  const { allVerified } = await preflightVerifyImages(refs);
-
-  const message = allVerified
-    ? 'All attestations verified. Continue with deploy?'
-    : chalk.red.bold(
-        'One or more images FAILED attestation verify. Continue with deploy anyway?',
-      );
-
-  const shouldContinue = await confirm({
-    message,
-    default: allVerified,
-  });
-  if (!shouldContinue) {
-    console.log(chalk.red.bold('Exiting...'));
-    process.exit(1);
-  }
+  await verifyImagesAndConfirm(refs);
 }
 
 async function main() {

typescript/infra/scripts/check/deploy-check-warp-deploy.ts

@@ -1,5 +1,6 @@
 import { Contexts } from '../../config/contexts.js';
 import { CheckWarpDeployHelmManager } from '../../src/check-warp-deploy/helm.js';
+import { verifyImagesAndConfirm } from '../../src/utils/attestation.js';
 import { HelmCommand } from '../../src/utils/helm.js';
 import { assertCorrectKubeContext } from '../agent-utils.js';
 import { getConfigsBasedOnArgs } from '../core-utils.js';
@@ -18,6 +19,14 @@ async function main() {
     throw new Error('No checkWarpDeployConfig found');
   }
 
+  await verifyImagesAndConfirm([
+    {
+      component: 'check-warp-deploy',
+      image: manager.config.docker.repo,
+      tag: manager.config.docker.tag,
+    },
+  ]);
+
   await manager.runHelmCommand(HelmCommand.InstallOrUpgrade);
 }
 

typescript/infra/scripts/fee-quoting/deploy-fee-quoting.ts

@@ -5,7 +5,9 @@ import {
   rootLogger,
 } from '@hyperlane-xyz/utils';
 
+import { DockerImageRepos, mainnetDockerTags } from '../../config/docker.js';
 import { FeeQuotingHelmManager } from '../../src/fee-quoting/helm.js';
+import { verifyImagesAndConfirm } from '../../src/utils/attestation.js';
 import { HelmCommand } from '../../src/utils/helm.js';
 import {
   assertCorrectKubeContext,
@@ -22,6 +24,14 @@ async function main() {
 
   await assertCorrectKubeContext(getEnvironmentConfig(environment));
 
+  await verifyImagesAndConfirm([
+    {
+      component: 'fee-quoting',
+      image: DockerImageRepos.FEE_QUOTING,
+      tag: mainnetDockerTags.feeQuoting,
+    },
+  ]);
+
   const helmManager = new FeeQuotingHelmManager(
     environment,
     registryCommit ?? 'main',

typescript/infra/scripts/funding/deploy-key-funder.ts

@@ -6,7 +6,7 @@ import { join } from 'path';
 import { Contexts } from '../../config/contexts.js';
 import { DockerImageRepos } from '../../config/docker.js';
 import { KeyFunderHelmManager } from '../../src/funding/key-funder.js';
-import { preflightVerifyImages } from '../../src/utils/attestation.js';
+import { verifyImagesAndConfirm } from '../../src/utils/attestation.js';
 import {
   checkNodeServicesImageExists,
   warnIfPrTag,
@@ -44,23 +44,9 @@ async function main() {
       process.exit(1);
     }
 
-    console.log(chalk.grey.italic('Verifying image attestation...'));
-    const { allVerified } = await preflightVerifyImages([
+    await verifyImagesAndConfirm([
       { component: 'key-funder', image: DockerImageRepos.NODE_SERVICES, tag },
     ]);
-
-    const shouldContinue = await confirm({
-      message: allVerified
-        ? 'Attestation verified. Continue with deploy?'
-        : chalk.red.bold(
-            'Image FAILED attestation verify. Continue with deploy anyway?',
-          ),
-      default: allVerified,
-    });
-    if (!shouldContinue) {
-      console.log(chalk.red.bold('Exiting...'));
-      process.exit(1);
-    }
   }
 
   const defaultRegistryCommit = readRegistryRc();

typescript/infra/scripts/rebalancer/deploy-rebalancer.ts

@@ -8,11 +8,13 @@ import {
   rootLogger,
 } from '@hyperlane-xyz/utils';
 
+import { DockerImageRepos, mainnetDockerTags } from '../../config/docker.js';
 import { DeployEnvironment } from '../../src/config/deploy-environment.js';
 import {
   RebalancerHelmManager,
   getDeployedRebalancerWarpRouteIds,
 } from '../../src/rebalancer/helm.js';
+import { verifyImagesAndConfirm } from '../../src/utils/attestation.js';
 import { REBALANCER_HELM_RELEASE_PREFIX } from '../../src/utils/consts.js';
 import { validateRegistryCommit } from '../../src/utils/git.js';
 import { HelmCommand } from '../../src/utils/helm.js';
@@ -45,6 +47,14 @@ async function main() {
 
   await assertCorrectKubeContext(getEnvironmentConfig(environment));
 
+  await verifyImagesAndConfirm([
+    {
+      component: 'rebalancer',
+      image: DockerImageRepos.NODE_SERVICES,
+      tag: mainnetDockerTags.rebalancer,
+    },
+  ]);
+
   let warpRouteIds: string[];
   if (warpRouteId) {
     warpRouteIds = [warpRouteId];

typescript/infra/scripts/warp-routes/deploy-warp-monitor.ts

@@ -9,7 +9,9 @@ import {
 } from '@hyperlane-xyz/utils';
 
 import { Contexts } from '../../config/contexts.js';
+import { DockerImageRepos, mainnetDockerTags } from '../../config/docker.js';
 import { getWarpCoreConfig } from '../../config/registry.js';
+import { verifyImagesAndConfirm } from '../../src/utils/attestation.js';
 import { WARP_ROUTE_MONITOR_HELM_RELEASE_PREFIX } from '../../src/utils/consts.js';
 import { validateRegistryCommit } from '../../src/utils/git.js';
 import { HelmCommand } from '../../src/utils/helm.js';
@@ -41,6 +43,14 @@ async function main() {
     assertCorrectKubeContext(getEnvironmentConfig(environment)),
   );
 
+  await verifyImagesAndConfirm([
+    {
+      component: 'warp-monitor',
+      image: DockerImageRepos.NODE_SERVICES,
+      tag: mainnetDockerTags.warpMonitor,
+    },
+  ]);
+
   const envConfig = getEnvironmentConfig(environment);
 
   let warpRouteIds: string[];

typescript/infra/src/utils/attestation.ts

@@ -1,3 +1,4 @@
+import { confirm } from '@inquirer/prompts';
 import chalk from 'chalk';
 import { execSync } from 'child_process';
 
@@ -143,3 +144,26 @@ export async function preflightVerifyImages(
 
   return { allVerified, results };
 }
+
+export async function verifyImagesAndConfirm(refs: ImageRef[]): Promise<void> {
+  if (refs.length === 0) return;
+
+  console.log(chalk.grey.italic('Verifying image attestations...'));
+  const { allVerified } = await preflightVerifyImages(refs);
+
+  const message = allVerified
+    ? 'All attestations verified. Continue with deploy?'
+    : chalk.red.bold(
+        'One or more images FAILED attestation verify. Continue with deploy anyway?',
+      );
+
+  const shouldContinue = await confirm({
+    message,
+    default: allVerified,
+  });
+
+  if (!shouldContinue) {
+    console.log(chalk.red.bold('Exiting...'));
+    process.exit(1);
+  }
+}