Sui MVR Provenance

Overview

This guide explains how to use the sui-mvr-provenance GitHub Action to publish and register Move packages on the Sui blockchain with full SLSA-backed provenance.

Each deployment:

Builds a Move package and generates bytecode.dump.json
Produces a signed mvr.intoto.jsonl provenance file
Registers the provenance metadata and transaction digest to the Move Registry (MVR)

This ensures your smart contract is verifiably built, tamper-evident, and traceable to source.

Features

✅ SLSA-compatible provenance for Move packages
🔐 GitHub OIDC-based signing via Sigstore
🔁 Optional remote signing with GitSigner
📦 On-chain metadata registration to MVR
🧾 Full artifact output: .jsonl, deploy.json, mvr.config.json

Quick Start

Add the GitHub Action to your workflow:

yaml

- name: Build and Upload Move Bytecode
  uses: zktx-io/sui-mvr-provenance@v0.2.0
  with:
    working-directory: my-move-package
  env:
    ED25519_PRIVATE_KEY: ${{ secrets.ED25519_PRIVATE_KEY }}
    GIT_SIGNER_PIN: ${{ secrets.GIT_SIGNER_PIN }} # optional

⚠️ Your Move package must include a mvr.config.json file in the working directory.

Configuration: `mvr.config.json`

This file defines the deployment and metadata registration details:

json

{
  "network": "mainnet",
  "owner": "0x123...abc",
  "app_name": "@myname/app",
  "app_desc": "My App Description",
  "upgrade_cap": "0xabc...def",
  "app_cap": "0xappcap...123",
  "pkg_info": "0xpackageinfo...456",
  "icon_url": "https://example.com/icon.png",
  "homepage_url": "https://myapp.site",
  "documentation_url": "https://docs.myapp.site",
  "contact": "team@myapp.site"
}

Signing Options

🔑 ED25519_PRIVATE_KEY

Default signing method
Requires a Sui-format secret key (suiprivkey...)

🔐 GIT_SIGNER_PIN (Optional)

Enables secure remote signing via notary.wal.app/sign
Useful when keeping keys outside CI or requiring human approval

Provenance Workflow

Each deployment:

Compiles your Move package and generates bytecode.dump.json
Captures build provenance in mvr.intoto.jsonl (via GitHub OIDC)
Registers metadata and signature to the Move Registry (MVR)
Outputs artifacts for independent verification

You can verify your package using Notary at:

https://notary.wal.app/mvr/@your-name/your-app

Replace your-name/your-app with the MVR package name (e.g., @notary/hello-mvr).

Output Artifacts

File	Description
`bytecode.dump.json`	Base64-encoded compiled Move bytecode
`deploy.json`	Deployment result (e.g. `package_id`, `upgrade_id`)
`mvr.config.json`	Deployment configuration input
`mvr.intoto.jsonl`	SLSA provenance bundle

These are used across provenance, verify, and register steps in full CI workflows.

Resources

🔗 GitHub Action: sui-mvr-provenance
🧾 Example config: mvr.config.json
🌐 Verifier UI: notary.wal.app
🌐 MVR Explorer: moveregistry.com
📘 SLSA: slsa.dev
🔐 Sigstore: sigstore.dev

Sui MVR Provenance ​

Overview ​

Features ​

Quick Start ​

Configuration: mvr.config.json ​

Signing Options ​

🔑 ED25519_PRIVATE_KEY ​

🔐 GIT_SIGNER_PIN (Optional) ​

Provenance Workflow ​

Output Artifacts ​

Resources ​