diff --git a/.github/workflows/build-contract-test.sh b/.github/workflows/build-contract-test.sh
new file mode 100755
index 00000000..c4d20f40
--- /dev/null
+++ b/.github/workflows/build-contract-test.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -eo pipefail
+
+# print and run a command
+function ee()
+{
+    echo "$ $*"
+    eval "$@"
+}
+
+export Deosio_DIR='/usr/lib/x86_64-linux-gnu/cmake/eosio'
+# debug code
+ee cmake --version
+echo 'Leap version:'
+cat "$Deosio_DIR/EosioTester.cmake" | grep 'EOSIO_VERSION' | grep -oP "['\"].*['\"]" | tr -d "'\"" || :
+
+# build
+ee mkdir -p contract/tests/build
+ee pushd contract/tests
+ee pushd build
+ee "cmake -DCMAKE_BUILD_TYPE=$DCMAKE_BUILD_TYPE .."
+ee make -j "$(nproc)" unit_test
+
+# pack
+ee popd
+ee 'tar -czf ../../contract-test.tar.gz build/*'
+ee popd
+
+echo "Done! - ${0##*/}"
diff --git a/.github/workflows/build-contract.sh b/.github/workflows/build-contract.sh
new file mode 100755
index 00000000..87cdc17a
--- /dev/null
+++ b/.github/workflows/build-contract.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -eo pipefail
+
+# print and run a command
+function ee()
+{
+    echo "$ $*"
+    eval "$@"
+}
+
+# debug code
+ee cdt-cc --version
+ee cmake --version
+
+# build
+ee mkdir -p contract/build
+ee pushd contract
+ee pushd build
+ee "cmake -DCMAKE_BUILD_TYPE=$DCMAKE_BUILD_TYPE -DWITH_TEST_ACTIONS=$DWITH_TEST_ACTIONS .."
+ee make -j "$(nproc)"
+
+# pack
+ee popd
+ee 'tar -czf ../contract.tar.gz build/*'
+ee popd
+
+echo "Done! - ${0##*/}"
diff --git a/.github/workflows/contract.md b/.github/workflows/contract.md
new file mode 100644
index 00000000..2556625e
--- /dev/null
+++ b/.github/workflows/contract.md
@@ -0,0 +1,71 @@
+# TrustEVM Contract CI
+This GitHub Actions workflow builds the TrustEVM contract and its associated tests.
+
+### Index
+1. [Triggers](#triggers)
+1. [Inputs](#inputs)
+1. [Steps](#steps)
+1. [Outputs](#outputs)
+1. [GitHub App Integration](#github-app-integration)
+1. [See Also](#see-also)
+
+## Triggers
+This GitHub action will run under the following circumstances:
+1. When code is pushed to the `main` branch.
+1. When code is pushed to any branch with a name starting with `release/`.
+1. Workflow dispatch event, which is triggered manually using the "Workflow Dispatch" button in the Actions tab of the GitHub repository.
+
+## Inputs
+The inputs for this GitHub action are:
+1. `DCMAKE_BUILD_TYPE` - defined in the GitHub Action YAML, this sets the build type and determines the level of optimization, debugging information, and other flags; one of `Debug`, `Release`, `RelWithDebInfo`, or `MinSizeRel`.
+1. `DWITH_TEST_ACTIONS` - defined in the GitHub Action YAML, build with or without code paths intended to be excercised exclusively by tests.
+1. `GITHUB_TOKEN` - a GitHub Actions intrinsic used to access the repository and other public resources.
+1. `TRUSTEVM_CI_APP_ID` - the app ID of the `trustevm-ci-submodule-checkout` GitHub App.
+1. `TRUSTEVM_CI_APP_KEY` - the private key to the `trustevm-ci-submodule-checkout` GitHub App.
+
+These inputs are used in various steps of the workflow to perform actions such as authentication, downloading artifacts, configuring the build, and uploading artifacts.
+
+## Steps
+This workflow performs the following steps:
+1. Attach Documentation
+    1. Checkout the repo with no submodules.
+    1. Attach an annotation to the GitHub Actions build summary page containing CI documentation.
+1. TrustEVM Contract Build
+    > This is a build matrix with and without tests enabled.
+    1. Authenticate to the `trustevm-ci-submodule-checkout` GitHub app using the [AntelopeIO/github-app-token-action](https://github.com/AntelopeIO/github-app-token-action) action to obtain an ephemeral token.
+    1. Checkout the repo and submodules using the ephemeral token.
+    1. Download the CDT binary using the [AntelopeIO/asset-artifact-download-action](https://github.com/AntelopeIO/asset-artifact-download-action) action.
+    1. Install the CDT binary.
+    1. Build the TrustEVM contract using `make` and `cmake`.
+    1. Upload the contract build folder to GitHub Actions.
+    1. If tests are enabled, download the `leap-dev` binary using [AntelopeIO/asset-artifact-download-action](https://github.com/AntelopeIO/asset-artifact-download-action) action.
+    1. If tests are enabled, install the `leap-dev` binary.
+    1. If tests are enabled, build the TrustEVM contract tests using `make` and `cmake`.
+    1. If tests are enabled, upload the build folder for the contract test code to GitHub Actions.
+
+## Outputs
+This workflow produces the following outputs:
+1. Contract Build Artifacts - `contract.test-actions-off.tar.gz` containing the built contract from the `contract/build` folder with `DWITH_TEST_ACTIONS=off`.
+1. Contract Build Artifacts - `contract.test-actions-on.tar.gz` containing the built contract from the `contract/build` folder with `DWITH_TEST_ACTIONS=on`.
+1. Contract Test Artifacts - `contract-test.tar.gz` containing the built contract test artifacts from the `contract/tests/build` folder.
+
+> 📁 Due to actions/upload-artifact [issue 39](https://github.com/actions/upload-artifact/issues/39) which has been open for over _three years and counting_, the archives attached as artifacts will be zipped by GitHub when you download them such that you get a `*.zip` containing the `*.tar.gz`. There is nothing anyone can do about this except for Microsoft/GitHub.
+
+## GitHub App Integration
+This workflow uses the [AntelopeIO/github-app-token-action](https://github.com/AntelopeIO/github-app-token-action) GitHub action to assume the role of a GitHub application installed to the AntelopeIO organization to clone the private submodules. It requests a token from the GitHub app, clones everything using this token under the identity of the app, then the token expires. This is advantageous over a persistent API key from a GitHub service account because this does not consume a paid user seat, the "account" associated with the app cannot be logged into in the GitHub web UI, the app is scoped to exactly the permissions it needs to perform the clones for this repo _and nothing more_, and the API key expires very quickly so a bad actor who exfiltrates this key from the CI system should find it is not useful.
+
+**The downside is that if TrustEVM adds additional private submodules, the GitHub app must be granted permissions to these new submodules.** The CI system will not work until this happens.
+
+## See Also
+- [asset-artifact-download-action](https://github.com/AntelopeIO/asset-artifact-download-action) GitHub Action
+- [github-app-token-action](https://github.com/AntelopeIO/github-app-token-action) GitHub action
+- [TrustEVM Documentation](../../README.md)
+
+For assistance with the CI system, please open an issue in this repo or reach out in the `#help-automation` channel via IM.
+
+***
+**_Legal notice_**  
+This document was generated in collaboration with ChatGPT from OpenAI, a machine learning algorithm or weak artificial intelligence (AI). At the time of this writing, the [OpenAI terms of service agreement](https://openai.com/terms) §3.a states:
+> Your Content. You may provide input to the Services (“Input”), and receive output generated and returned by the Services based on the Input (“Output”). Input and Output are collectively “Content.” As between the parties and to the extent permitted by applicable law, you own all Input, and subject to your compliance with these Terms, OpenAI hereby assigns to you all its right, title and interest in and to Output.
+
+This notice is required in some countries.
diff --git a/.github/workflows/contract.yml b/.github/workflows/contract.yml
new file mode 100644
index 00000000..bd977b64
--- /dev/null
+++ b/.github/workflows/contract.yml
@@ -0,0 +1,102 @@
+name: TrustEVM Contract CI
+
+on:
+  push:
+    branches:
+      - main
+      - release/*
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  documentation:
+    name: Attach Documentation
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+          submodules: 'false'
+
+      - name: Attach Documentation
+        run: cat .github/workflows/contract.md >> $GITHUB_STEP_SUMMARY
+
+  build:
+    runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        DWITH_TEST_ACTIONS: ['on', 'off']
+    name: TrustEVM Contract Build - Tests ${{ matrix.DWITH_TEST_ACTIONS }}
+    env:
+      CC: gcc-10
+      CXX: g++-10
+      DCMAKE_BUILD_TYPE: 'Release'
+
+    steps:
+      - name: Authenticate
+        id: auth
+        uses: AntelopeIO/github-app-token-action@v1
+        with:
+          app_id: ${{ secrets.TRUSTEVM_CI_APP_ID }}
+          private_key: ${{ secrets.TRUSTEVM_CI_APP_KEY }}
+
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          submodules: 'recursive'
+          token: ${{ steps.auth.outputs.token }}
+
+      - name: Download CDT
+        uses: AntelopeIO/asset-artifact-download-action@v2
+        with:
+          owner: AntelopeIO
+          repo: cdt
+          target: 'v3.1.0'
+          prereleases: false
+          file: 'cdt_.*amd64.deb'
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install CDT
+        run: sudo apt-get install -y ./cdt*.deb
+
+      - name: Build TrustEVM Contract
+        run: .github/workflows/build-contract.sh
+        env:
+          DWITH_TEST_ACTIONS: ${{ matrix.DWITH_TEST_ACTIONS }}
+
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: contract.test-actions-${{ matrix.DWITH_TEST_ACTIONS }}.tar.gz
+          path: contract.tar.gz
+          if-no-files-found: error
+
+      - name: Download Leap - dev binary
+        if: matrix.DWITH_TEST_ACTIONS == 'on' || matrix.DWITH_TEST_ACTIONS == 'true'
+        uses: AntelopeIO/asset-artifact-download-action@v2
+        with:
+          owner: AntelopeIO
+          repo: leap
+          target: 'v3.1.3'
+          prereleases: false
+          file: 'leap-dev.*(x86_64|amd64).deb'
+          container-package: experimental-binaries
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Leap
+        if: matrix.DWITH_TEST_ACTIONS == 'on' || matrix.DWITH_TEST_ACTIONS == 'true'
+        run: sudo apt-get install -y ./leap*.deb
+
+      - name: Build TrustEVM Contract Tests
+        if: matrix.DWITH_TEST_ACTIONS == 'on' || matrix.DWITH_TEST_ACTIONS == 'true'
+        run: .github/workflows/build-contract-test.sh
+
+      - name: Upload Artifacts
+        if: matrix.DWITH_TEST_ACTIONS == 'on' || matrix.DWITH_TEST_ACTIONS == 'true'
+        uses: actions/upload-artifact@v3
+        with:
+          name: contract-test.tar.gz
+          path: contract-test.tar.gz
+          if-no-files-found: error
diff --git a/README.md b/README.md
index 6a182ba1..bfd8e750 100644
--- a/README.md
+++ b/README.md
@@ -115,3 +115,11 @@ https://github.com/eosnetworkfoundation/TrustEVM/blob/main/docs/local_testnet_de
 
 For public testnet deployment, please refer to 
 https://github.com/eosnetworkfoundation/TrustEVM/blob/main/docs/public_testnet_deployment_plan.md
+
+## CI
+This repo contains the following GitHub Actions workflows for CI:
+- TrustEVM Contract CI - build the TrustEVM contract and its associated tests
+    - [Pipeline](https://github.com/eosnetworkfoundation/TrustEVM/actions/workflows/contract.yml)
+    - [Documentation](./.github/workflows/contract.md)
+
+See the pipeline documentation for more information.