feat: initial commit

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>

.github/CODEOWNERS

@@ -0,0 +1,4 @@
+# Each line is a file pattern followed by one or more owners.
+# Owners will be automatically notified about new PRs and
+# an owner's approval is required to merge to protected branches.
+* @haraldh @thomasknauth

.github/workflows/container.yml

@@ -0,0 +1,41 @@
+name: Container
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+permissions:
+  packages: write
+  contents: read
+
+jobs:
+  push_to_registry:
+    name: Build and push containers image to GitHub Packages
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up env
+        run: echo "repository_owner=${GITHUB_REPOSITORY_OWNER,,}" >>${GITHUB_ENV}
+      - name: Build and Push Container
+        uses: docker/build-push-action@v5
+        with:
+          tags: |
+            ghcr.io/${{env.repository_owner}}/${{ github.event.repository.name }}:latest
+            matterlabsrobot/${{ github.event.repository.name }}:latest
+          push: ${{ github.event_name == 'push' ||  github.event_name == 'schedule' }}
+

.github/workflows/go.yml

@@ -0,0 +1,40 @@
+# This workflow will build a golang project
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
+
+name: Go
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Prep
+        run: |
+          wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
+          sudo bash -c 'echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list'
+          sudo apt -o Acquire::Retries=3 update
+          sudo apt -o Acquire::Retries=3 install -y --no-install-recommends \
+            libsgx-headers \
+            libsgx-enclave-common \
+            libsgx-urts \
+            libsgx-dcap-quote-verify \
+            libsgx-dcap-quote-verify-dev
+
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.19
+
+      - name: Build
+        run: go build -v ./...
+
+      - name: Test
+        run: go test -v ./...

.github/workflows/nix.yml

@@ -0,0 +1,72 @@
+name: nix
+
+on:
+  pull_request:
+    branches: [ "main" ]
+    paths:
+    - '**.nix'
+    - 'go.mod'
+    - 'go.sum'
+    - 'flake.lock'
+  push:
+    branches: [ "main" ]
+    paths:
+      - '**.nix'
+      - 'go.mod'
+      - 'go.sum'
+      - 'flake.lock'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+      with:
+        extra_nix_config: |
+          access-tokens = github.com=${{ github.token }}
+    - run: nix flake check -L --show-trace --keep-going
+
+  fmt:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+      with:
+        extra_nix_config: |
+          access-tokens = github.com=${{ github.token }}
+    - run: nix fmt
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+      with:
+        extra_nix_config: |
+          access-tokens = github.com=${{ github.token }}
+    - uses: cachix/cachix-action@v12
+      continue-on-error: true
+      with:
+        name: haraldh
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+    - run: nix build -L .
+
+  develop:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+      with:
+        extra_nix_config: |
+          access-tokens = github.com=${{ github.token }}
+    - uses: cachix/cachix-action@v12
+      continue-on-error: true
+      with:
+        name: haraldh
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+    - run: nix develop -L  -c go test ./...

.github/workflows/secrets_scanner.yaml

@@ -0,0 +1,18 @@
+name: Leaked Secrets Scan
+on: [pull_request]
+jobs:
+  TruffleHog:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        with:
+          fetch-depth: 0
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@6914dacde37c95874645cc208ce63a58c888cc6c # v3.60.4
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
+          extra_args: --debug --only-verified
+