V now stands for Verifiability — not just a registry, but a trust layer for Move packages. With provenance support powered by CI/CD, this project transforms the Move Registry into something you can verify, not just use.
This GitHub Action builds a Move package using the Sui CLI, generates provenance metadata, and registers it in the Move Registry (MVR).
Every deployment includes:
- A compiled
bytecode.dump.json - An
intoto.jsonlSLSA provenance bundle - Metadata registration to MVR via
mvr.config.json
- name: Build and Upload Move Smart Contract
uses: zktx-io/sui-mvr-provenance@v0.3.9
with:
working-directory: my-move-package
env:
ED25519_PRIVATE_KEY: ${{ secrets.ED25519_PRIVATE_KEY }}
GIT_SIGNER_PIN: ${{ secrets.GIT_SIGNER_PIN }} # optional
⚠️ Themvr.config.jsonfile must exist in your working directory.
| Variable | Required | Description |
|---|---|---|
ED25519_PRIVATE_KEY |
✅ | Default signing key in Sui format (suiprivkey...) |
GIT_SIGNER_PIN |
optional | Enables secure remote signing via notary.wal.app/sign |
Located in your working directory, this file defines how the package is deployed and registered:
{
"network": "mainnet",
"owner": "0x123...abc",
"app_name": "@myname/app",
"app_desc": "My App Description",
"upgrade_cap": "0xabc...def",
"app_cap": "0xappcap...123",
"pkg_info": "0xpackageinfo...456",
"icon_url": "https://example.com/icon.png",
"homepage_url": "https://myapp.site",
"documentation_url": "https://docs.myapp.site",
"contact": "team@myapp.site"
}| Field | Type | Required | Description |
|---|---|---|---|
network |
string | ✅ | "mainnet", "testnet", or "devnet" |
owner |
string | ✅ | Sui address that will own the package |
app_name |
string | ✅ | MVR name in @name/app format |
app_desc |
string | ✅ | Short description for MVR |
upgrade_cap |
string | optional | Object ID to upgrade existing package |
app_cap |
string | optional | AppCap object ID for registration |
pkg_info |
string | optional | PackageInfo object ID |
icon_url |
string | optional | Icon displayed in registry UI |
homepage_url |
string | optional | Official app/site URL |
documentation_url |
string | optional | Docs URL |
contact |
string | optional | Email or support contact |
ℹ️ If
app_nameorapp_descis missing, MVR registration will be skipped.
| File | Description |
|---|---|
bytecode.dump.json |
Compiled base64-encoded Move bytecode |
deploy.json |
Deployment result with package_id, upgrade_id, etc. |
mvr.config.json |
Configuration used for registration |
mvr.intoto.jsonl |
SLSA-compatible provenance file |
The following items are registered to the Move Registry (MVR) as metadata:
mvr.intoto.jsonl— SLSA-compatible provenance file- Deployment transaction digest — the on-chain reference for the published package
This enables:
- ✅ Verifiable origin of Move packages
- Combine with GitHub OIDC + GitSigner for secure key separation
- Use
upgrade_capto automate upgrades across environments - Integrate with your CI/CD via
upload-artifact/download-artifact
This repository includes:
- 🧩 Move package:
hello_world - ⚙️ GitHub Actions workflow:
.github/workflows/deploy.yml - 📝 Provenance config:
mvr.config.json
This example is derived from the official Sui Move Intro Course – Hello World. It demonstrates how even a minimal Move module can be published and verified with full provenance.