Skip to content
package

GitHub Action

SLSA on Move

v0.0.4 Latest version

SLSA on Move

package

SLSA on Move

SLSA on Move

Installation

Copy and paste the following snippet into your .yml file.

              

- name: SLSA on Move

uses: zktx-io/[email protected]

Learn more about this action in zktx-io/slsa-on-move

Choose a version

Move Builds for Generation of SLSA3+ provenance

This document explains how to generate SLSA provenance for Move artifact(s).

This can be done by adding a step to your GitHub Actions workflow to call a reusable workflow to build the package and generate SLSA provenance. We’ll call this workflow the “Move builder” from now on.



Benefits of Provenance

Using the Move builder will generate a non-forgeable attestation to the Move package using the identity of the GitHub workflow. This can be used to create a positive attestation to a package coming from your repository.

That means that once your users verify the package they have downloaded, they can be sure that it was created by your repository’s workflow and hasn’t been tampered with.

Development Status

The Move builder is currently in alpha. The API could change while approaching a Generally Available (GA) release. You can track progress towards General Availability via this milestone.

Please try it out and create an issue to send us feedback!

Limitations

The Move builder currently has the following limitations:

  1. The project must be buildable using move builder. If you need options for flags, profiles, or something else to define more granular builds, please open an issue.
  2. The Move builder is limited to projects that output artifacts in a build directory, which is the default for the vast majority of projects.

Generating Provenance

The Move builder uses a GitHub Actions reusable workflow to build your package and generate the provenance.

Getting Started

Let’s say you have the following build setups Link