init

.github/workflows/generator_generic_slsa3.yml

@@ -0,0 +1,57 @@
+name: SLSA 3+
+
+on:
+  workflow_call:
+    inputs:
+      move-compiler:
+        description:
+          'Select a CLI to compile the Move language. Examples include tools such as `aptos` and `sui`.'
+        required: true
+        type: string
+      move-directory:
+        description:
+          'The root directory of the Move project refers to the directory containing the Move.toml file.'
+        required: true
+        type: string
+    outputs:
+      package-name:
+        description: "The name of the package."
+        value: ${{ jobs.build.outputs.package-name }}
+      package-framework:
+        description: "The name of the network where the package is deployed."
+        value: ${{ jobs.build.outputs.package-framework }}
+      provenance-name:
+        description: "The artifact name of the signed provenance. The file must have the .intoto extension. Defaults to <filename>.intoto for single artifact or multiple.intoto.jsonl for multiple artifacts."
+        value: ${{ jobs.provenance.outputs.provenance-name }}
+      base64-subjects:
+        value: ${{ jobs.build.outputs.base64-subjects }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      package-name: ${{ steps.compile.outputs.package-name }}
+      package-framework: ${{ steps.compile.outputs.package-framework }}
+      base64-subjects: ${{ steps.compile.outputs.base64-subjects }}
+    permissions:
+      actions: read
+      contents: write
+      id-token: write
+    steps:
+      - name: Build Move
+        id: compile
+        uses: 'zktx-io/slsa-on-move@main'
+        with:
+          move-compiler: ${{inputs.move-compiler}}
+          move-directory: ${{ inputs.move-directory}}
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: ${{ needs.build.outputs.base64-subjects }}
+      upload-assets: true

README.md

@@ -0,0 +1,142 @@
+# Move Builds for Generation of SLSA3+ provenance
+
+This document explains how to generate SLSA provenance for Move artifact(s).
+
+This can be done by adding a step to your GitHub Actions workflow to call a [reusable workflow](https://docs.github.com/en/actions/using-workflows/reusing-workflows) to build the package and generate SLSA provenance. We’ll call this workflow the **“Move builder”** from now on.
+
+---
+
+<!-- markdown-toc --bullets="-" -i README.md -->
+
+<!-- toc -->
+
+- [Benefits of Provenance](#benefits-of-provenance)
+- [Development Status](#development-status)
+- [Limitations](#limitations)
+- [Generating Provenance](#generating-provenance)
+  - [Getting Started](#getting-started)
+
+<!-- tocstop -->
+
+---
+
+## Benefits of Provenance
+
+Using the **Move builder** will generate a non-forgeable attestation to the Move package using the identity of the GitHub workflow. This can be used to create a positive attestation to a package coming from your repository.
+
+That means that once your users verify the package they have downloaded, they can be sure that it was created by your repository’s workflow and hasn’t been tampered with.
+
+## Development Status
+
+The **Move builder** is currently in alpha. The API could change while approaching a Generally Available (GA) release. You can track progress towards General Availability via [this milestone](https://github.com/slsa-framework/slsa-github-generator/milestone/17).
+
+Please try it out and [create an issue](https://github.com/slsa-framework/slsa-github-generator/issues/new) to send us feedback!
+
+## Limitations
+
+The **Move builder** currently has the following limitations:
+
+1. The project must be buildable using move builder. If you need options for flags, profiles, or something else to define more granular builds, please [open an issue](https://github.com/slsa-framework/slsa-github-generator/issues/new).
+2. The **Move builder** is limited to projects that output artifacts in a build directory, which is the default for the vast majority of projects.
+
+## Generating Provenance
+
+The **Move builder** uses a GitHub Actions reusable workflow to build your package and generate the provenance.
+
+### Getting Started
+
+Let’s say you have the following build setup:
+
+1. You can build your artifacts using **Move builder**.
+2. You release artifacts via GitHub Actions.
+
+To add provenance to releases, simply use the following workflow in .github/workflows in your repository:
+
+```yaml
+on:
+  push:
+    tags:
+      - '*'
+
+permissions:
+  actions: read
+  contents: write
+  id-token: write
+  attestations: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      package-name: ${{ steps.compile.outputs.package-name }}
+      package-framework: ${{ steps.compile.outputs.package-framework }}
+      base64-subjects: ${{ steps.compile.outputs.base64-subjects }}
+    permissions:
+      actions: read
+      contents: write
+      id-token: write
+    steps:
+      - name: Build Move
+        id: compile
+        uses: 'zktx-io/slsa-on-move@main'
+        with:
+          move-compiler: "Select a CLI to compile the Move language. Examples include tools such as `sui` and `aptos`."
+          move-directory: "The root directory of the Move project refers to the directory containing the Move.toml file."
+```
+or
+```yaml
+on:
+  push:
+    tags:
+      - '*'
+
+permissions:
+  actions: read
+  contents: write
+  id-token: write
+  attestations: write
+
+jobs:
+  build:
+    uses: zktx-io/slsa-on-move/.github/workflows/generator_generic_slsa3.yml@main
+    with:
+      move-compiler: "Select a CLI to compile the Move language. Examples include tools such as `aptos` and `sui`."
+      move-directory: "The root directory of the Move project refers to the directory containing the Move.toml file."
+
+  verify:
+    needs: [build]
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    steps:
+      - name: Download provenance
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.build.outputs.provenance-name }}
+          path: "."
+
+      - name: Download hash-modules
+        uses: actions/download-artifact@v4
+        with:
+          name: hash-modules
+          path: "."
+
+      - name: Install the verifier
+        uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1
+
+      - name: Verify assets
+        shell: bash
+        env:
+          HASH: ${{ needs.build.outputs.base64-subjects }}
+        run: |
+          set -euo pipefail
+          echo "github.com/$GITHUB_REPOSITORY"
+          slsa-verifier verify-artifact --provenance-path ${{ needs.build.outputs.provenance-name }} \
+                                        --source-uri "github.com/$GITHUB_REPOSITORY" \
+                                        --source-tag "$GITHUB_REF_NAME" \
+                                        hash-modules.text
+```
+
+Now, when you invoke this workflow, the **Move builder** will build both your artifacts and the provenance files for them.

action.yml

@@ -0,0 +1,114 @@
+name: SLSA On Move
+description: SLSA On Move
+branding:
+  color: blue
+  icon: package
+
+runs-on: ubuntu-latest
+inputs:
+  move-compiler:
+    description:
+      'Select a CLI to compile the Move language. Examples include tools such as `aptos` and `sui`.'
+    required: true
+    type: string
+  move-directory:
+    description:
+      'The root directory of the Move project refers to the directory containing the Move.toml file.'
+    required: true
+    type: string
+outputs:
+  package-name:
+    description: "The name of the package."
+    value: ${{ steps.compile.outputs.package-name }}
+  package-framework:
+    description: "The name of the network where the package is deployed."
+    value: ${{ steps.compile.outputs.package-framework }}
+  base64-subjects:
+    value: ${{ steps.hash.outputs.base64-subjects }}
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v3
+
+    - name: Set up Homebrew
+      uses: Homebrew/actions/setup-homebrew@master
+
+    - name: Install Move Compiler
+      shell: bash
+      run: |
+        if [ "${{ inputs.move-compiler }}" = "aptos" ]; then
+          echo "Installing Aptos compiler..."
+          brew install aptos
+        elif [ "${{ inputs.move-compiler }}" = "sui" ]; then
+          echo "Installing Sui compiler..."
+          brew install sui
+        else
+          echo "Unknown compiler: ${{ inputs.move-compiler }}"
+          exit 1
+        fi
+
+    - name: Compile Move
+      id: compile
+      shell: bash
+      run: |
+        set -euo pipefail
+        if [ -z "${GITHUB_WORKSPACE}" ]; then
+          echo "\$GITHUB_WORKSPACE is empty."
+          exit 1
+        fi
+        move_realpath=$(realpath -e "${{ inputs.move-directory }}")
+        echo "Directory '${{ inputs.move-directory }}' resolved to '${move_realpath}'"
+        github_workspace_realpath=$(realpath -e "${GITHUB_WORKSPACE}")
+        echo "GitHub workspace '${GITHUB_WORKSPACE}' resolved to '${github_workspace_realpath}'"
+        echo "Checking directory '${move_realpath}' is a sub-directory of '${github_workspace_realpath}'"
+        if [[ "${move_realpath}" != "${github_workspace_realpath}" ]] && [[ "${move_realpath}" != "${github_workspace_realpath}"/* ]]; then
+          echo "${{ inputs.move-directory }} not a sub-directory of ${GITHUB_WORKSPACE}"
+          exit 1
+        fi
+        # Directory was validated. Explicitly trust it.
+        directory="${{ inputs.move-directory }}"
+        cd "${directory}"
+        toml_file="Move.toml"
+        package_name=$(grep -oP '(?<=name = ").*(?=")' "${toml_file}")
+        package_framework=$(grep -oP '(?<=rev = ").*?(?=")' "${toml_file}")
+        if [ "${{ inputs.move-compiler }}" = "aptos" ]; then
+          echo "Compiling Aptos compiler..."
+          aptos move compile
+        elif [ "${{ inputs.move-compiler }}" = "sui" ]; then
+          echo "Compiling Sui compiler..."
+          sui move build
+        else
+          echo "Unknown compiler: ${{ inputs.move-compiler }}"
+          exit 1
+        fi
+        {
+          echo "package-name=${package_name}"
+          echo "package-framework=${{ inputs.move-compiler }}:${package_framework}"
+        } >>"${GITHUB_OUTPUT}"
+
+    - name: Upload build artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: project
+        path: ${{ inputs.move-directory }}
+        if-no-files-found: error
+
+    - name: Generate subject
+      id: hash
+      shell: bash
+      run: |
+        set -euo pipefail
+        TARGET_DIRECTORY="${{ inputs.move-directory }}/build/${{ steps.compile.outputs.package-name }}/bytecode_modules"
+        HASH_FILE="hash-modules.text"
+        find "$TARGET_DIRECTORY" -maxdepth 1 -type f -name "*.mv" -print0 | sort -z | while IFS= read -r -d '' FILE; do
+          sha256sum "$FILE" | awk '{print $1}' >> "$HASH_FILE"
+        done
+        echo "base64-subjects=$(sha256sum $HASH_FILE | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+    - name: Upload subjects
+      uses: actions/upload-artifact@v4
+      with:
+        name: hash-modules
+        path: hash-modules.text
+        if-no-files-found: error