Skip to content

Latest commit

 

History

History
65 lines (44 loc) · 2.35 KB

README.md

File metadata and controls

65 lines (44 loc) · 2.35 KB

Move Builds for Generation of SLSA3+ provenance

This document explains how to generate SLSA provenance for Move artifact(s).

This can be done by adding a step to your GitHub Actions workflow to call a reusable workflow to build the package and generate SLSA provenance. We’ll call this workflow the “Move builder” from now on.



Benefits of Provenance

Using the Move builder will generate a non-forgeable attestation to the Move package using the identity of the GitHub workflow. This can be used to create a positive attestation to a package coming from your repository.

That means that once your users verify the package they have downloaded, they can be sure that it was created by your repository’s workflow and hasn’t been tampered with.

Development Status

The Move builder is currently in alpha. The API could change while approaching a Generally Available (GA) release. You can track progress towards General Availability via this milestone.

Please try it out and create an issue to send us feedback!

Limitations

The Move builder currently has the following limitations:

  1. The project must be buildable using move builder. If you need options for flags, profiles, or something else to define more granular builds, please open an issue.
  2. The Move builder is limited to projects that output artifacts in a build directory, which is the default for the vast majority of projects.

Generating Provenance

The Move builder uses a GitHub Actions reusable workflow to build your package and generate the provenance.

Getting Started

Let’s say you have the following build setups Link