ci: verify ci-base-clang provenance attestation in GitHub Actions

[falcorocks]

Summary

• Adds .github/workflows/verify-ci-base-clang-attestation.yml. It extracts the rust_base_image digest from .circleci/config.yml and runs gh attestation verify --bundle-from-oci against it, enforcing the attestation was signed by ethereum-optimism/factory for source repo ethereum-optimism/optimism on refs/heads/develop. Triggers on push to develop and on PRs to develop when either the pin or the workflow itself changes, plus workflow_dispatch.
• Repins rust_base_image in .circleci/config.yml to the digest built from develop (sha256:00f641689576d7393d83f6fd49fe1592006148305999f1ba2fc4f1f9d2e8a342), replacing the PR-build digest from chore(ci): add ci-base-clang image and register for factory builds #20121 so the new check passes.

Why

CircleCI config is editable by contributors. A GitHub Actions workflow is protected because it runs from the base branch, so putting the provenance check there prevents a PR from silently swapping the pin to an unattested or off-branch image. Closes the last remaining item of the ci-base-clang rollout.

Test plan

• verify ci-base-clang attestation workflow passes on this PR.
• CircleCI Rust jobs still pull the image (new digest is reachable in the public registry; verified via curl on the Artifact Registry manifest endpoint).
• Locally confirmed gh attestation verify oci://...@sha256:00f6416... --bundle-from-oci --owner ethereum-optimism --signer-repo ethereum-optimism/factory --source-ref refs/heads/develop exits 0.

Closes #20122

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.6%. Comparing base (5b839fe) to head (b9344a2).
⚠️ Report is 2 commits behind head on develop.

Additional details and impacted files

@@            Coverage Diff             @@
##           develop   #20171     +/-   ##
==========================================
- Coverage     76.7%    76.6%   -0.1%     
==========================================
  Files          691      691             
  Lines        76081    76081             
==========================================
- Hits         58355    58292     -63     
- Misses       17582    17645     +63     
  Partials       144      144             

Flag	Coverage Δ
cannon-go-tests-64	66.3% <ø> (ø)
contracts-bedrock-tests	81.8% <ø> (-0.4%)	⬇️
unit	76.7% <ø> (-0.1%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 6 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.