harald/teepot
1
0
Fork 0
mirror of https://github.com/matter-labs/teepot.git synced 2025-07-21 15:13:56 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: initial commit

Browse source 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
This commit is contained in:
Harald Hoyer 2024-02-09 10:10:53 +01:00
parent aff4dd30bd
commit 89ffbd35a8
Signed by: harald
GPG key ID: F519A1143B3FBE32
123 changed files with 16508 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.github/CODEOWNERS vendored Normal file
View file

@ -0,0 +1,4 @@
# Each line is a file pattern followed by one or more owners.
# Owners will be automatically notified about new PRs and
# an owner's approval is required to merge to protected branches.
* @matter-labs/tee

6
.github/renovate.json vendored Normal file
View file

@ -0,0 +1,6 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base"
]
}

52
.github/workflows/container.yml vendored Normal file
View file

@ -0,0 +1,52 @@
name: Container
on:
push:
branches: [ "main" ]
pull_request:
jobs:
push_to_registry:
permissions:
packages: write
contents: read
name: Build and push containers image to GitHub Packages
runs-on: ubuntu-latest
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.config.dockerfile }}
cancel-in-progress: true
strategy:
fail-fast: false
matrix:
config:
- { dockerfile: 'vault/Dockerfile', tag: 'vault:latest', repository: 'teepot-vault' }
- { dockerfile: 'bin/tee-vault-unseal/Dockerfile-azure', tag: 'tvu:latest', repository: 'teepot-tvu' }
- { dockerfile: 'bin/tee-vault-admin/Dockerfile-azure', tag: 'tva:latest', repository: 'teepot-tva' }
steps:
- name: Check out the repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up env
run: echo "repository_owner=${GITHUB_REPOSITORY_OWNER,,}" >>${GITHUB_ENV}
- name: Build and Push Container
uses: docker/build-push-action@v5
with:
file: ${{ matrix.config.dockerfile }}
tags: |
ghcr.io/${{env.repository_owner}}/${{ github.event.repository.name }}-${{ matrix.config.tag }}
matterlabsrobot/${{ matrix.config.repository }}:latest
cache-from: type=gha
cache-to: type=gha,mode=max,ignore-error=true
push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}

47
.github/workflows/lint.yml vendored Normal file
View file

@ -0,0 +1,47 @@
name: lint
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
fmt:
name: cargo fmt
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- name: Setup Rust toolchain
run: rustup show
- run: cargo fmt --all -- --check
deny:
name: cargo deny
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --workspace
check-spdx-headers:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: enarx/spdx@master
with:
licenses: Apache-2.0 BSD-3-Clause MIT
taplo:
name: taplo
runs-on: ubuntu-latest
container: tamasfe/taplo:latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- run: taplo fmt --check

66
.github/workflows/nix.yml vendored Normal file
View file

@ -0,0 +1,66 @@
name: nix
on:
pull_request:
branches: [ "main" ]
push:
branches: [ "main" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- run: nix flake check -L --show-trace --keep-going
fmt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- run: nix fmt
clippy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- uses: cachix/cachix-action@v14
continue-on-error: true
with:
name: teepot
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
extraPullNames: nixsgx
- name: cargo clippy
run: nix develop -L --ignore-environment -c cargo clippy --all --locked
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- uses: cachix/cachix-action@v14
continue-on-error: true
with:
name: teepot
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
extraPullNames: nixsgx
- name: nix build
run: nix run nixpkgs#nixci

18
.github/workflows/secrets_scanner.yaml vendored Normal file
View file

@ -0,0 +1,18 @@
name: Leaked Secrets Scan
on: [pull_request]
jobs:
TruffleHog:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
fetch-depth: 0
- name: TruffleHog OSS
uses: trufflesecurity/trufflehog@4db20e29f8568502b8d69ca2be6ce47a533925d3 # v3.63.3
with:
path: ./
base: ${{ github.event.repository.default_branch }}
head: HEAD
extra_args: --debug --only-verified