# Sui MVR Provenance

## Overview

This guide explains how to use the sui-mvr-provenance GitHub Action to publish and register Move packages on the Sui blockchain with full SLSA-backed provenance.

Each deployment:

- Builds a Move package and generates `bytecode.dump.json`
- Produces a signed `mvr.intoto.jsonl` provenance file
- Registers the provenance metadata and transaction digest to the Move Registry (MVR)

This ensures your smart contract is verifiably built, tamper-evident, and traceable to source.
## Features

- ✅ SLSA-compatible provenance for Move packages
- 🔐 GitHub OIDC-based signing via Sigstore
- 🔁 Optional remote signing with GitSigner
- 📦 On-chain metadata registration to MVR
- 🧾 Full artifact output: `.jsonl`, `deploy.json`, `mvr.config.json`
## Quick Start

Add the GitHub Action to your workflow:

```yaml
- name: Build and Upload Move Bytecode
  uses: zktx-io/sui-mvr-provenance@v0.2.0
  with:
    working-directory: my-move-package
  env:
    ED25519_PRIVATE_KEY: ${{ secrets.ED25519_PRIVATE_KEY }}
    GIT_SIGNER_PIN: ${{ secrets.GIT_SIGNER_PIN }} # optional
```

⚠️ Your Move package must include a `mvr.config.json` file in the working directory.
## Configuration: mvr.config.json

This file defines the deployment and metadata registration details:

```json
{
  "network": "mainnet",
  "owner": "0x123...abc",
  "app_name": "@myname/app",
  "app_desc": "My App Description",
  "upgrade_cap": "0xabc...def",
  "app_cap": "0xappcap...123",
  "pkg_info": "0xpackageinfo...456",
  "icon_url": "https://example.com/icon.png",
  "homepage_url": "https://myapp.site",
  "documentation_url": "https://docs.myapp.site",
  "contact": "team@myapp.site"
}
```
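A pre-flight check for this file is worth running in CI before the action itself, so a malformed capability address or a non-HTTPS metadata URL fails fast rather than at registration time. The script below is an added example, not part of the sui-mvr-provenance action. The required-key list mirrors the sample config above; the address format (`0x` followed by 64 hex characters, i.e. a full 32-byte Sui address) and the `@namespace/name` shape for `app_name` are assumptions made for the example, as are the sample configs it embeds.

```python
import json
import re
from urllib.parse import urlparse

# Added example (not the action's own code): validate an mvr.config.json
# before deployment. Required keys follow the sample config in this guide;
# the address and app_name formats below are assumptions for the example.

REQUIRED_KEYS = ("network", "owner", "app_name", "app_desc",
                 "upgrade_cap", "app_cap", "pkg_info")
ADDRESS_KEYS = ("owner", "upgrade_cap", "app_cap", "pkg_info")
URL_KEYS = ("icon_url", "homepage_url", "documentation_url")

SUI_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{64}$")      # assumed: 32-byte hex address
MVR_NAME = re.compile(r"^@[a-z0-9-]+/[a-z0-9-]+$")    # assumed: @namespace/name


def validate_mvr_config(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means the config passed."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in cfg or cfg[key] in ("", None):
            problems.append(f"missing or empty required key: {key}")
    for key in ADDRESS_KEYS:
        value = cfg.get(key)
        if value is not None and not SUI_ADDRESS.match(str(value)):
            problems.append(f"{key} is not a full 32-byte Sui address: {value!r}")
    name = cfg.get("app_name")
    if name is not None and not MVR_NAME.match(str(name)):
        problems.append(f"app_name is not in @namespace/name form: {name!r}")
    for key in URL_KEYS:
        value = cfg.get(key)
        if value is None:
            continue
        parsed = urlparse(str(value))
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{key} must be an absolute https URL: {value!r}")
    return problems


def load_and_validate(path: str) -> list[str]:
    """Validate an mvr.config.json file on disk."""
    with open(path, encoding="utf-8") as fh:
        return validate_mvr_config(json.load(fh))


# Constructed sample configs for the demonstration; the addresses are made up.
GOOD_CONFIG = {
    "network": "mainnet",
    "owner": "0x" + "11" * 32,
    "app_name": "@myname/app",
    "app_desc": "My App Description",
    "upgrade_cap": "0x" + "22" * 32,
    "app_cap": "0x" + "33" * 32,
    "pkg_info": "0x" + "44" * 32,
    "icon_url": "https://example.com/icon.png",
    "homepage_url": "https://myapp.site",
    "documentation_url": "https://docs.myapp.site",
    "contact": "team@myapp.site",
}

# Truncated owner, plain-http icon URL, and a missing pkg_info: three findings.
BAD_CONFIG = dict(GOOD_CONFIG, owner="0x123...abc",
                  icon_url="http://example.com/icon.png")
del BAD_CONFIG["pkg_info"]

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_mvr_config(cfg) or "ok")
```

Run it as a workflow step ahead of the action (`python check_config.py` with `load_and_validate("mvr.config.json")` and a non-zero exit on any finding) so a bad config never reaches the signing or registration stage.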
## Signing Options

### 🔑 ED25519_PRIVATE_KEY

- Default signing method
- Requires a Sui-format secret key (`suiprivkey...`)

### 🔐 GIT_SIGNER_PIN (Optional)

- Enables secure remote signing via notary.wal.app/sign
- Useful when keeping keys outside CI or requiring human approval
## Provenance Workflow

Each deployment:

- Compiles your Move package and generates `bytecode.dump.json`
- Captures build provenance in `mvr.intoto.jsonl` (via GitHub OIDC)
- Registers metadata and signature to the Move Registry (MVR)
- Outputs artifacts for independent verification

You can verify your package using Notary at:

https://notary.wal.app/mvr/@your-name/your-app

Replace `your-name/your-app` with the MVR package name (e.g., `@notary/hello-mvr`).
## Output Artifacts

| File | Description |
|---|---|
| `bytecode.dump.json` | Base64-encoded compiled Move bytecode |
| `deploy.json` | Deployment result (e.g. `package_id`, `upgrade_id`) |
| `mvr.config.json` | Deployment configuration input |
| `mvr.intoto.jsonl` | SLSA provenance bundle |

These are used across `provenance`, `verify`, and `register` steps in full CI workflows.
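The independent verification mentioned in the Provenance Workflow section and the artifacts listed above come together in one local check: confirming that the `bytecode.dump.json` you are about to deploy is the exact file named as the subject of `mvr.intoto.jsonl`. The script below is an added example, not code from the sui-mvr-provenance action. It assumes each line of the `.jsonl` is a Sigstore bundle whose `dsseEnvelope.payload` is a base64-encoded in-toto Statement (the layout GitHub's attestation tooling emits), or a bare Statement object; the sample bundle it builds is constructed in-process and carries a placeholder signature. It compares SHA-256 digests only and does not verify the Sigstore signature, which is what the Notary UI or Sigstore's own verification tooling is for.

```python
import base64
import hashlib
import json

# Added example, not part of the sui-mvr-provenance action. Binds the local
# bytecode.dump.json to the subject digest recorded in mvr.intoto.jsonl so a
# provenance file from a different build cannot be paired with this artifact.
# Assumed layout: Sigstore bundle with a DSSE envelope around an in-toto
# Statement, or a bare Statement per line. Signature verification is out of
# scope here; use Sigstore tooling or the Notary UI for that.


def _statement_from_line(line: str) -> dict:
    obj = json.loads(line)
    envelope = obj.get("dsseEnvelope")
    if envelope is not None:
        # DSSE payload is standard base64; some producers strip the padding.
        payload = envelope["payload"]
        payload += "=" * (-len(payload) % 4)
        return json.loads(base64.b64decode(payload))
    return obj  # already a bare in-toto Statement


def subject_digests(bundle_jsonl: str) -> dict[str, str]:
    """Map subject name -> sha256 hex across every statement in the .jsonl."""
    digests = {}
    for line in bundle_jsonl.splitlines():
        if not line.strip():
            continue
        stmt = _statement_from_line(line)
        if not stmt.get("_type", "").startswith("https://in-toto.io/Statement"):
            raise ValueError("line is not an in-toto Statement")
        for subj in stmt.get("subject", []):
            digests[subj["name"]] = subj["digest"]["sha256"].lower()
    return digests


def artifact_matches_provenance(bundle_jsonl: str, name: str, artifact: bytes) -> bool:
    """True only if `name` is a subject and its sha256 equals the artifact's."""
    expected = subject_digests(bundle_jsonl).get(name)
    actual = hashlib.sha256(artifact).hexdigest()
    return expected is not None and expected == actual


# --- constructed sample data (not a real build) ---------------------------
SAMPLE_BYTECODE = json.dumps({"modules": ["AAEAAAAIAQACAgIE"]}).encode()


def make_sample_bundle(artifact: bytes, name: str = "bytecode.dump.json") -> str:
    """Build a one-line .jsonl bundle whose subject is `artifact` (unsigned)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {"buildDefinition": {}, "runDetails": {}},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    # Placeholder signature: this example does not sign anything.
    bundle = {"dsseEnvelope": {"payloadType": "application/vnd.in-toto+json",
                               "payload": payload,
                               "signatures": [{"sig": "PLACEHOLDER"}]}}
    return json.dumps(bundle) + "\n"


if __name__ == "__main__":
    bundle = make_sample_bundle(SAMPLE_BYTECODE)
    print("genuine artifact:",
          artifact_matches_provenance(bundle, "bytecode.dump.json", SAMPLE_BYTECODE))
    print("altered artifact:",
          artifact_matches_provenance(bundle, "bytecode.dump.json", SAMPLE_BYTECODE + b" "))
```

Against real outputs, read both files from the action's working directory and gate the `register` step on `artifact_matches_provenance(...)` returning `True`; a single-byte change to the bytecode dump flips the result to `False`, which is the property the digest binding exists to provide.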
## Resources

- 🔗 GitHub Action: sui-mvr-provenance
- 🧾 Example config: mvr.config.json
- 🌐 Verifier UI: notary.wal.app
- 🌐 MVR Explorer: moveregistry.com
- 📘 SLSA: slsa.dev
- 🔐 Sigstore: sigstore.dev