From b1c00b6399f6f041cfe778233ee1af9633ac9d69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Garamv=C3=B6lgyi?= <peter@scroll.io>
Date: Tue, 16 Sep 2025 15:07:14 +0200
Subject: [PATCH 1/2] add cloak build workflow

---
 .github/workflows/cloak.yml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 .github/workflows/cloak.yml

diff --git a/.github/workflows/cloak.yml b/.github/workflows/cloak.yml
new file mode 100644
index 000000000000..4fa2884cfcda
--- /dev/null
+++ b/.github/workflows/cloak.yml
@@ -0,0 +1,29 @@
+name: Cloak Docker
+
+on:
+  workflow_dispatch:
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract commit digest
+        id: vars
+        run: echo "sha8=${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
+
+      - name: Build and Push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64
+          push: true
+          tags: scrolltech/cloak-l2geth:${{ steps.vars.outputs.sha8 }}

From 257022c586f6ba3cb96095a5dd5a032d9b12d656 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Garamv=C3=B6lgyi?= <peter@scroll.io>
Date: Tue, 16 Sep 2025 16:47:35 +0200
Subject: [PATCH 2/2] fix zizmor warnings

---
 .github/workflows/cloak.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/cloak.yml b/.github/workflows/cloak.yml
index 4fa2884cfcda..441d559c72f2 100644
--- a/.github/workflows/cloak.yml
+++ b/.github/workflows/cloak.yml
@@ -6,12 +6,16 @@ on:
 jobs:
   docker:
     runs-on: ubuntu-latest
+    permissions: {}
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -21,7 +25,7 @@ jobs:
         run: echo "sha8=${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
 
       - name: Build and Push Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           platforms: linux/amd64