matter-labs · tomg10 · Jan 19, 2026 · Jan 20, 2026 · Feb 3, 2026 · Feb 4, 2026
@@ -1,6 +1,10 @@
-name: Build Docker Image (manual)
+name: Build Docker Image
 
 on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main, draft-v31]
   workflow_dispatch:
     inputs:
       ref:
@@ -14,19 +18,19 @@ on:
 
 jobs:
   build-image:
-    name: Build and Push protocol Docker Image
+    name: Build protocol ops Docker Image
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
     env:
-      IMAGE_NAME: protocol
+      IMAGE_NAME: protocol-ops
 
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: ${{ inputs.ref != '' && inputs.ref || github.sha }}
+          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref != '' && inputs.ref || github.sha }}
           submodules: recursive
 
       - name: Set up Docker Buildx
@@ -35,15 +39,18 @@ jobs:
       - name: Compute image tag
         shell: bash
         run: |
-          if [ -n "${{ inputs.image_tag_override }}" ]; then
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ] && [ -n "${{ inputs.image_tag_override }}" ]; then
             IMAGE_TAG="${{ inputs.image_tag_override }}"
+          elif [ "${{ github.event_name }}" = "pull_request" ]; then
+            IMAGE_TAG="protocol-ops-$(git rev-parse --short HEAD)"
           else
             IMAGE_TAG=$(git rev-parse --short HEAD)-$(date +%s)
           fi
           echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
           echo "Computed image tag: $IMAGE_TAG"
 
       - name: Login to GitHub Container Registry
+        if: github.event_name == 'workflow_dispatch'
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
@@ -54,7 +61,7 @@ jobs:
         uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         with:
           context: .
-          push: true
+          push: ${{ github.event_name == 'workflow_dispatch' }}
           platforms: linux/amd64
           file: docker/protocol/Dockerfile
           tags: |

@@ -1,38 +1,80 @@
 # syntax=docker/dockerfile:1.6
 
+ARG FOUNDRY_ARCH=linux_amd64
+ARG FOUNDRY_ZKSYNC_TAG=nightly-807f47ace7cdd90eed7190dc4481952cfaa25938
+ARG FOUNDRY_VANILLA_VERSION=v1.3.5
+ARG NODE_MAJOR=18
+ARG NODE_VERSION=18.20.8
+ARG RUST_TARGET=x86_64-unknown-linux-gnu
+ARG RUST_TOOLCHAIN=nightly-2025-09-19
+ARG YARN_VERSION=1.22.19
+
 ########################################
-# 1) Build
+# 1) Builder: produce artifacts
 ########################################
 FROM debian:bookworm-slim AS build
 
+ARG FOUNDRY_ARCH
+ARG FOUNDRY_ZKSYNC_TAG
+ARG FOUNDRY_VANILLA_VERSION
+ARG NODE_MAJOR
+ARG NODE_VERSION
+ARG RUST_TARGET
+ARG RUST_TOOLCHAIN
+ARG YARN_VERSION
+
 ENV DEBIAN_FRONTEND=noninteractive \
-    PATH=/usr/local/bin:$PATH \
+    PATH=/root/.cargo/bin:/root/.local/bin:/usr/local/bin:$PATH \
     YARN_CACHE_FOLDER=/tmp/yarn-cache
 
 # Build deps
 RUN apt-get update && apt-get install -y --no-install-recommends \
-      ca-certificates curl git bash coreutils openssl jq xz-utils gnupg && \
+      ca-certificates curl git bash coreutils openssl jq xz-utils gnupg \
+      build-essential pkg-config libssl-dev && \
     rm -rf /var/lib/apt/lists/*
 
-# Node 18.20.8 + Yarn 1.22.19
-RUN curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \
- && apt-get update && apt-get install -y --no-install-recommends nodejs=18.20.8-* \
- && npm i -g yarn@1.22.19 \
+# Node + Yarn
+RUN curl -fsSL https://deb.nodesource.com/setup_${NODE_MAJOR}.x | bash - \
+ && apt-get update && apt-get install -y --no-install-recommends nodejs=${NODE_VERSION}-* \
+ && npm i -g yarn@${YARN_VERSION} \
  && npm cache clean --force \
  && rm -rf /var/lib/apt/lists/*
 
-# Foundry ZKSync (pinned)
-RUN curl -LO https://github.com/matter-labs/foundry-zksync/releases/download/nightly-ae913af65381734ad46c044a9495b67310bc77c4/foundry_nightly_linux_amd64.tar.gz \
- && tar zxf foundry_nightly_linux_amd64.tar.gz -C /usr/local/bin/ \
+# Foundry zksync (forge + cast)
+RUN curl -L -o /tmp/foundry.tgz https://github.com/matter-labs/foundry-zksync/releases/download/${FOUNDRY_ZKSYNC_TAG}/foundry_zksync_nightly_${FOUNDRY_ARCH}.tar.gz \
+ && tar zxf /tmp/foundry.tgz -C /usr/local/bin/ \
  && chmod +x /usr/local/bin/forge /usr/local/bin/cast \
- && rm foundry_nightly_linux_amd64.tar.gz
+ && rm /tmp/foundry.tgz
+
+# Foundry vanilla (anvil)
+RUN curl -L -o /tmp/foundry-vanilla.tgz https://github.com/foundry-rs/foundry/releases/download/${FOUNDRY_VANILLA_VERSION}/foundry_${FOUNDRY_VANILLA_VERSION}_${FOUNDRY_ARCH}.tar.gz \
+ && tar zxf /tmp/foundry-vanilla.tgz -C /tmp/ anvil \
+ && mv /tmp/anvil /usr/local/bin/anvil \
+ && chmod +x /usr/local/bin/anvil \
+ && rm /tmp/foundry-vanilla.tgz
+
+# === Install Rust ===
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
+    sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}
+
+# === Install target ===
+RUN rustup target add ${RUST_TARGET}
 
-# Copy sources
+# === Copy all source code and install dependencies ===
 WORKDIR /contracts
 COPY . /contracts
+
+# === Build protocol_ops ===
+WORKDIR /contracts/protocol-ops
+RUN cargo build --bin protocol_ops --release --target ${RUST_TARGET} && \
+    cp target/${RUST_TARGET}/release/protocol_ops /usr/local/bin/ && \
+    rm -rf target
+
+# === Install dependencies ===
+WORKDIR /contracts
 RUN yarn install --frozen-lockfile
 
-# Clean
+# === Clean ===
 RUN forge clean --root da-contracts
 RUN yarn --cwd l1-contracts clean
 RUN forge clean --root l1-contracts
@@ -41,36 +83,44 @@ RUN forge clean --root l2-contracts
 RUN yarn --cwd system-contracts clean
 RUN forge clean --root system-contracts
 
-# Compile contracts
+# === Compile contracts ===
 RUN yarn --cwd da-contracts build:foundry
 RUN yarn --cwd l1-contracts build:foundry
 RUN yarn --cwd l2-contracts build:foundry
 RUN yarn --cwd system-contracts build:foundry
 
-# Check hashes
+# === Calculate hashes ===
 RUN yarn calculate-hashes:check
 
-# Remove node_modules
+# === Remove node_modules ===
 RUN rm -rf node_modules
+RUN yarn cache clean
 
 ########################################
-# 2) Runtime
+# 2) Runtime: sources + artifacts
 ########################################
 FROM debian:bookworm-slim
 
+# === Pass build arg for copying the correct binary ===
 ENV DEBIAN_FRONTEND=noninteractive \
-    PATH=/usr/local/bin:$PATH
+    PATH=/usr/local/bin:$PATH \
+    FOUNDRY_DISABLE_NIGHTLY_WARNING=1
 
 # Minimal runtime deps
 RUN apt-get update && apt-get install -y --no-install-recommends \
       ca-certificates bash openssl jq && \
     rm -rf /var/lib/apt/lists/*
 
-# forge/cast
+# === Copy foundry binaries from build stage ===
 COPY --from=build /usr/local/bin/forge /usr/local/bin/forge
 COPY --from=build /usr/local/bin/cast  /usr/local/bin/cast
+COPY --from=build /usr/local/bin/anvil /usr/local/bin/anvil
+# === Copy the new protocol_ops binary ===
+COPY --from=build /usr/local/bin/protocol_ops /usr/local/bin/protocol_ops
 
+# === Set new WORKDIR and copy artifacts to /contracts/ ===
 WORKDIR /contracts
+COPY --from=build /contracts/configs /contracts/configs
 COPY --from=build /contracts/l1-contracts /contracts/l1-contracts
 COPY --from=build /contracts/l2-contracts /contracts/l2-contracts
 COPY --from=build /contracts/system-contracts /contracts/system-contracts
@@ -79,5 +129,9 @@ COPY --from=build /contracts/lib /contracts/lib
 COPY --from=build /contracts/AllContractsHashes.json /contracts/AllContractsHashes.json
 COPY --from=build /contracts/SystemConfig.json /contracts/SystemConfig.json
 
+# Disable foundry-zksync telemetry prompt
+RUN mkdir -p /root/.config/zksync-tooling && \
+    echo '{"enabled":false}' > /root/.config/zksync-tooling/telemetry.json
+
 # Sanity
-RUN forge --version
+RUN forge --version && cast --version && anvil --version && protocol_ops --help
@@ -46,12 +46,7 @@ contract InitializeL2WethTokenScript is Script {
         string memory root = vm.projectRoot();
 
         // Read create2 factory values from permanent values file
-        // Note: This script uses $.contracts prefix instead of $.permanent_contracts
-        (address create2FactoryAddr, bytes32 create2FactorySalt) = PermanentValuesHelper.getPermanentValuesWithPrefix(
-            vm,
-            PermanentValuesHelper.getPermanentValuesPath(vm),
-            "$.contracts"
-        );
+        (address create2FactoryAddr, bytes32 create2FactorySalt) = PermanentValuesHelper.getPermanentValues();
         config.create2FactoryAddr = create2FactoryAddr;
         config.create2FactorySalt = create2FactorySalt;
 

@@ -107,8 +107,8 @@ contract DeployCTMScript is Script, DeployCTMUtils, IDeployCTM {
     }
 
     /// @notice Returns the address to use as the deployer/owner for contracts.
-    function getDeployerAddress() public view returns (address) {
-        return tx.origin;
+    function getDeployerAddress() public view virtual returns (address) {
+        return msg.sender;
     }
 
     function runInner(
@@ -546,8 +546,7 @@ contract DeployCTMScript is Script, DeployCTMUtils, IDeployCTM {
 
     function deployServerNotifier() internal returns (address implementation, address proxy) {
         // We will not store the address of the ProxyAdmin as it is trivial to query if needed.
-        address ecosystemProxyAdmin = deployWithCreate2AndOwner("ProxyAdmin", ctmAddresses.chainAdmin, false);
-
+        address ecosystemProxyAdmin = ctmAddresses.admin.transparentProxyAdmin;
         (implementation, proxy) = deployTuppWithContractAndProxyAdmin("ServerNotifier", ecosystemProxyAdmin, false);
     }
 

@@ -69,6 +69,7 @@ import {UpgradeStageValidator} from "contracts/upgrades/UpgradeStageValidator.so
 import {DeployUtils} from "../utils/deploy/DeployUtils.sol";
 import {AddressIntrospector} from "../utils/AddressIntrospector.sol";
 import {Create2FactoryUtils} from "../utils/deploy/Create2FactoryUtils.s.sol";
+import {PermanentValuesHelper} from "../utils/PermanentValuesHelper.sol";
 import {StateTransitionDeployedAddresses, DataAvailabilityDeployedAddresses, ChainCreationParamsConfig, BridgehubAddresses, CoreDeployedAddresses} from "../utils/Types.sol";
 import {ChainCreationParamsLib} from "./ChainCreationParamsLib.sol";
 
@@ -162,7 +163,9 @@ abstract contract DeployCTMUtils is DeployUtils {
             config.isZKsyncOS = toml.readBool("$.is_zk_sync_os");
         }
 
-        (address create2FactoryAddr, bytes32 create2FactorySalt) = getPermanentValues(permanentValuesPath);
+        (address create2FactoryAddr, bytes32 create2FactorySalt) = PermanentValuesHelper.getPermanentValues(
+            permanentValuesPath
+        );
         _initCreate2FactoryParams(create2FactoryAddr, create2FactorySalt);
         config.contracts.governanceSecurityCouncilAddress = toml.readAddress(
             "$.contracts.governance_security_council_address"

@@ -178,7 +178,7 @@ contract RegisterZKChainScript is Script, IRegisterZKChain {
         }
 
         // Read create2 factory values from permanent values file
-        (address create2FactoryAddr, bytes32 create2FactorySalt) = PermanentValuesHelper.getPermanentValues(vm);
+        (address create2FactoryAddr, bytes32 create2FactorySalt) = PermanentValuesHelper.getPermanentValues();
         config.create2FactoryAddress = create2FactoryAddr;
         config.create2Salt = create2FactorySalt;
 

@@ -65,7 +65,7 @@ contract SetupLegacyBridge is Script, ISetupLegacyBridge {
         addresses.diamondProxy = IL1Bridgehub(bridgehub).getZKChain(chainId);
 
         // Read create2 factory parameters from permanent-values.toml
-        (address create2FactoryAddr, bytes32 create2FactorySalt) = PermanentValuesHelper.getPermanentValues(vm);
+        (address create2FactoryAddr, bytes32 create2FactorySalt) = PermanentValuesHelper.getPermanentValues();
         addresses.create2FactoryAddr = create2FactoryAddr;
         config.create2FactorySalt = create2FactorySalt;
 

@@ -0,0 +1,46 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.24;
+
+// solhint-disable no-console, gas-custom-errors
+
+import {Script, console2 as console} from "forge-std/Script.sol";
+import {Utils} from "../utils/Utils.sol";
+
+/// @title DeployCreate2Factory
+/// @notice Deploys the deterministic CREATE2 factory (Arachnid's deterministic-deployment-proxy)
+/// @dev This is only needed for dev/local networks. Mainnet and testnets already have this deployed.
+/// @dev See: https://github.com/Arachnid/deterministic-deployment-proxy
+contract DeployCreate2Factory is Script {
+    // The deployer address that will deploy the factory (from the pre-signed transaction)
+    address constant DETERMINISTIC_DEPLOYER = 0x3fAB184622Dc19b6109349B94811493BF2a45362;
+
+    // The exact amount needed to fund the deployer (gas cost of deployment)
+    uint256 constant DEPLOYER_FUNDING = 0.01 ether;
+
+    // The pre-signed deployment transaction (from Arachnid's deterministic-deployment-proxy)
+    // This transaction deploys the factory to 0x4e59b44847b379578588920cA78FbF26c0B4956C
+    bytes constant DEPLOYMENT_TX =
+        hex"f8a58085174876e800830186a08080b853604580600e600039806000f350fe7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe03601600081602082378035828234f58015156039578182fd5b8082525050506014600cf31ba02222222222222222222222222222222222222222222222222222222222222222a02222222222222222222222222222222222222222222222222222222222222222";
+
+    function run() public {
+        // Check if already deployed
+        if (Utils.DETERMINISTIC_CREATE2_ADDRESS.code.length > 0) {
+            console.log("CREATE2 factory already deployed at:", Utils.DETERMINISTIC_CREATE2_ADDRESS);
+            return;
+        }
+
+        vm.broadcast();
+        (bool success, ) = DETERMINISTIC_DEPLOYER.call{value: DEPLOYER_FUNDING}("");
+        require(success, "Failed to fund deployer");
+        console.log("Funded deployer at:", DETERMINISTIC_DEPLOYER);
+
+        // Send the pre-signed deployment transaction
+        vm.broadcast();
+        vm.broadcastRawTransaction(DEPLOYMENT_TX);
+
+        // Verify deployment
+        require(Utils.DETERMINISTIC_CREATE2_ADDRESS.code.length > 0, "CREATE2 factory deployment failed");
+
+        console.log("CREATE2 factory deployed at:", Utils.DETERMINISTIC_CREATE2_ADDRESS);
+    }
+}