diff --git a/.github/workflows/test-proto.yml b/.github/workflows/test-proto.yml
new file mode 100644
index 000000000..1bfeb636c
--- /dev/null
+++ b/.github/workflows/test-proto.yml
@@ -0,0 +1,35 @@
+name: Proto generate check
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ - "release/**"
+ paths:
+ - "**.proto"
+ - ".github/workflows/test-proto.yml"
+ - "proto/Dockerfile.gen-proto"
+ pull_request:
+ paths:
+ - "**.proto"
+ - ".github/workflows/test-proto.yml"
+ - "proto/Dockerfile.gen-proto"
+
+jobs:
+ go-generate:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+ with:
+ ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+ - name: Generate proto
+ shell: bash
+ working-directory: proto
+ env:
+ DOCKER_BUILDKIT: 1
+ run: |
+ docker build -o .. -f Dockerfile.gen-proto ..
+ git diff --exit-code
diff --git a/disk-mapper/recoverproto/recover.pb.go b/disk-mapper/recoverproto/recover.pb.go
index 79c08d32d..de46e25c1 100644
--- a/disk-mapper/recoverproto/recover.pb.go
+++ b/disk-mapper/recoverproto/recover.pb.go
@@ -27,7 +27,9 @@ type RecoverMessage struct {
 // bytes state_disk_key = 1; removed
 // bytes measurement_secret = 2; removed
- KmsUri string `protobuf:"bytes,3,opt,name=kms_uri,json=kmsUri,proto3" json:"kms_uri,omitempty"`
+ // kms_uri is the URI of the KMS the recoveryserver should use to decrypt DEKs.
+ KmsUri string `protobuf:"bytes,3,opt,name=kms_uri,json=kmsUri,proto3" json:"kms_uri,omitempty"`
+ // storage_uri is the URI of the storage location the recoveryserver should use to fetch DEKs.
 StorageUri string `protobuf:"bytes,4,opt,name=storage_uri,json=storageUri,proto3" json:"storage_uri,omitempty"`
 }
diff --git a/disk-mapper/recoverproto/recover_grpc.pb.go b/disk-mapper/recoverproto/recover_grpc.pb.go
index 1d4943029..6b0ef5fb1 100644
--- a/disk-mapper/recoverproto/recover_grpc.pb.go
+++ b/disk-mapper/recoverproto/recover_grpc.pb.go
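Review bot: `git diff --exit-code` at the end of the `Generate proto` step only reports modifications to already-tracked files, so a regenerated artifact that is not yet committed (for example a `.pb.go` produced for a newly added `.proto`) leaves the working tree dirty without failing the check. Staging first makes untracked output count too: `git add -A && git diff --cached --exit-code`. Printing `git status --porcelain` before the exit-code check would also make a failure readable in the job log. The hunk adds the whole workflow file, so nothing is cut off at the edges.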
@@ -22,6 +22,7 @@ const _ = grpc.SupportPackageIsVersion7
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type APIClient interface {
+ // Recover sends the necessary information to the recoveryserver to initiate recovery of a node.
 Recover(ctx context.Context, in *RecoverMessage, opts ...grpc.CallOption) (*RecoverResponse, error)
 }
@@ -46,6 +47,7 @@ func (c *aPIClient) Recover(ctx context.Context, in *RecoverMessage, opts ...grp
 // All implementations must embed UnimplementedAPIServer
 // for forward compatibility
 type APIServer interface {
+ // Recover sends the necessary information to the recoveryserver to initiate recovery of a node.
 Recover(context.Context, *RecoverMessage) (*RecoverResponse, error)
 mustEmbedUnimplementedAPIServer()
 }
diff --git a/joinservice/joinproto/join.pb.go b/joinservice/joinproto/join.pb.go
index 5888d0025..9498bec0a 100644
--- a/joinservice/joinproto/join.pb.go
+++ b/joinservice/joinproto/join.pb.go
@@ -25,9 +25,12 @@ type IssueJoinTicketRequest struct {
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
- DiskUuid string `protobuf:"bytes,1,opt,name=disk_uuid,json=diskUuid,proto3" json:"disk_uuid,omitempty"`
+ // disk_uuid is the UUID of a node's state disk.
+ DiskUuid string `protobuf:"bytes,1,opt,name=disk_uuid,json=diskUuid,proto3" json:"disk_uuid,omitempty"`
+ // certificate_request is a certificate request for the node's kubelet certificate.
 CertificateRequest []byte `protobuf:"bytes,2,opt,name=certificate_request,json=certificateRequest,proto3" json:"certificate_request,omitempty"`
- IsControlPlane bool `protobuf:"varint,3,opt,name=is_control_plane,json=isControlPlane,proto3" json:"is_control_plane,omitempty"`
+ // is_control_plane indicates whether the node is a control-plane node.
+ IsControlPlane bool `protobuf:"varint,3,opt,name=is_control_plane,json=isControlPlane,proto3" json:"is_control_plane,omitempty"`
 }
 func (x *IssueJoinTicketRequest) Reset() {
@@ -88,16 +91,28 @@ type IssueJoinTicketResponse struct {
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
- StateDiskKey []byte `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"`
- MeasurementSalt []byte `protobuf:"bytes,2,opt,name=measurement_salt,json=measurementSalt,proto3" json:"measurement_salt,omitempty"`
- MeasurementSecret []byte `protobuf:"bytes,3,opt,name=measurement_secret,json=measurementSecret,proto3" json:"measurement_secret,omitempty"`
- KubeletCert []byte `protobuf:"bytes,4,opt,name=kubelet_cert,json=kubeletCert,proto3" json:"kubelet_cert,omitempty"`
- ApiServerEndpoint string `protobuf:"bytes,5,opt,name=api_server_endpoint,json=apiServerEndpoint,proto3" json:"api_server_endpoint,omitempty"`
- Token string `protobuf:"bytes,6,opt,name=token,proto3" json:"token,omitempty"`
- DiscoveryTokenCaCertHash string `protobuf:"bytes,7,opt,name=discovery_token_ca_cert_hash,json=discoveryTokenCaCertHash,proto3" json:"discovery_token_ca_cert_hash,omitempty"`
- ControlPlaneFiles []*ControlPlaneCertOrKey `protobuf:"bytes,8,rep,name=control_plane_files,json=controlPlaneFiles,proto3" json:"control_plane_files,omitempty"`
- KubernetesVersion string `protobuf:"bytes,9,opt,name=kubernetes_version,json=kubernetesVersion,proto3" json:"kubernetes_version,omitempty"`
- KubernetesComponents []*KubernetesComponent `protobuf:"bytes,10,rep,name=kubernetes_components,json=kubernetesComponents,proto3" json:"kubernetes_components,omitempty"`
+ // state_disk_key is the key used to encrypt the state disk.
+ StateDiskKey []byte `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"`
+ // measurement_salt is a salt used to derive the node's ClusterID.
+ // This value is persisted on the state disk.
+ MeasurementSalt []byte `protobuf:"bytes,2,opt,name=measurement_salt,json=measurementSalt,proto3" json:"measurement_salt,omitempty"`
+ // measurement_secret is a secret used to derive the node's ClusterID.
+ // This value is NOT persisted on the state disk.
+ MeasurementSecret []byte `protobuf:"bytes,3,opt,name=measurement_secret,json=measurementSecret,proto3" json:"measurement_secret,omitempty"`
+ // kubelet_cert is the certificate to be used by the kubelet.
+ KubeletCert []byte `protobuf:"bytes,4,opt,name=kubelet_cert,json=kubeletCert,proto3" json:"kubelet_cert,omitempty"`
+ // api_server_endpoint is the endpoint of Constellation's API server.
+ ApiServerEndpoint string `protobuf:"bytes,5,opt,name=api_server_endpoint,json=apiServerEndpoint,proto3" json:"api_server_endpoint,omitempty"`
+ // token is the Kubernetes Join Token to be used by the node to join the cluster.
+ Token string `protobuf:"bytes,6,opt,name=token,proto3" json:"token,omitempty"`
+ // discovery_token_ca_cert_hash is a hash of the root certificate authority presented by the Kubernetes control-plane.
+ DiscoveryTokenCaCertHash string `protobuf:"bytes,7,opt,name=discovery_token_ca_cert_hash,json=discoveryTokenCaCertHash,proto3" json:"discovery_token_ca_cert_hash,omitempty"`
+ // control_plane_files is a list of control-plane certificates and keys.
+ ControlPlaneFiles []*ControlPlaneCertOrKey `protobuf:"bytes,8,rep,name=control_plane_files,json=controlPlaneFiles,proto3" json:"control_plane_files,omitempty"`
+ // kubernetes_version is the Kubernetes version to install on the node.
+ KubernetesVersion string `protobuf:"bytes,9,opt,name=kubernetes_version,json=kubernetesVersion,proto3" json:"kubernetes_version,omitempty"`
+ // kubernetes_components is a list of components to install on the node.
+ KubernetesComponents []*KubernetesComponent `protobuf:"bytes,10,rep,name=kubernetes_components,json=kubernetesComponents,proto3" json:"kubernetes_components,omitempty"`
 }
 func (x *IssueJoinTicketResponse) Reset() {
@@ -207,7 +222,9 @@ type ControlPlaneCertOrKey struct {
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
+ // name of the certificate or key.
 Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+ // data of the certificate or key.
 Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"`
 }
@@ -262,6 +279,7 @@ type IssueRejoinTicketRequest struct {
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
+ // disk_uuid is the UUID of a node's state disk.
 DiskUuid string `protobuf:"bytes,1,opt,name=disk_uuid,json=diskUuid,proto3" json:"disk_uuid,omitempty"`
 }
@@ -309,7 +327,10 @@ type IssueRejoinTicketResponse struct {
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
- StateDiskKey []byte `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"`
+ // state_disk_key is the key to decrypt the state disk.
+ StateDiskKey []byte `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"`
+ // measurement_secret is a secret used to derive the node's ClusterID.
+ // This value is NOT persisted on the state disk.
 MeasurementSecret []byte `protobuf:"bytes,2,opt,name=measurement_secret,json=measurementSecret,proto3" json:"measurement_secret,omitempty"`
 }
@@ -365,10 +386,14 @@ type KubernetesComponent struct {
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
- Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
- Hash string `protobuf:"bytes,2,opt,name=hash,proto3" json:"hash,omitempty"`
+ // url to download the component from.
+ Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
+ // hash of the component.
+ Hash string `protobuf:"bytes,2,opt,name=hash,proto3" json:"hash,omitempty"`
+ // install_path is the path to install the component to.
 InstallPath string `protobuf:"bytes,3,opt,name=install_path,json=installPath,proto3" json:"install_path,omitempty"`
- Extract bool `protobuf:"varint,4,opt,name=extract,proto3" json:"extract,omitempty"`
+ // extract indicates whether the component is an archive and needs to be extracted.
+ Extract bool `protobuf:"varint,4,opt,name=extract,proto3" json:"extract,omitempty"`
 }
 func (x *KubernetesComponent) Reset() {
diff --git a/joinservice/joinproto/join_grpc.pb.go b/joinservice/joinproto/join_grpc.pb.go
index 2be209c94..1ca4f53f5 100644
--- a/joinservice/joinproto/join_grpc.pb.go
+++ b/joinservice/joinproto/join_grpc.pb.go
@@ -22,7 +22,9 @@ const _ = grpc.SupportPackageIsVersion7
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type APIClient interface {
+ // IssueJoinTicket issues a join ticket for a new node.
 IssueJoinTicket(ctx context.Context, in *IssueJoinTicketRequest, opts ...grpc.CallOption) (*IssueJoinTicketResponse, error)
+ // IssueRejoinTicket issues a join ticket for a node that has previously joined the cluster.
 IssueRejoinTicket(ctx context.Context, in *IssueRejoinTicketRequest, opts ...grpc.CallOption) (*IssueRejoinTicketResponse, error)
 }
@@ -56,7 +58,9 @@ func (c *aPIClient) IssueRejoinTicket(ctx context.Context, in *IssueRejoinTicket
 // All implementations must embed UnimplementedAPIServer
 // for forward compatibility
 type APIServer interface {
+ // IssueJoinTicket issues a join ticket for a new node.
 IssueJoinTicket(context.Context, *IssueJoinTicketRequest) (*IssueJoinTicketResponse, error)
+ // IssueRejoinTicket issues a join ticket for a node that has previously joined the cluster.
 IssueRejoinTicket(context.Context, *IssueRejoinTicketRequest) (*IssueRejoinTicketResponse, error)
 mustEmbedUnimplementedAPIServer()
 }
diff --git a/verify/verifyproto/verify.pb.go b/verify/verifyproto/verify.pb.go
index 85e1747f9..c8758244e 100644
--- a/verify/verifyproto/verify.pb.go
+++ b/verify/verifyproto/verify.pb.go
@@ -26,6 +26,7 @@ type GetAttestationRequest struct {
 unknownFields protoimpl.UnknownFields
 // bytes user_data = 1; removed
+ // nonce is a random nonce to prevent replay attacks.
 Nonce []byte `protobuf:"bytes,2,opt,name=nonce,proto3" json:"nonce,omitempty"`
 }
@@ -73,6 +74,7 @@ type GetAttestationResponse struct {
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
+ // attestation is the attestation for the given user data and nonce.
 Attestation []byte `protobuf:"bytes,1,opt,name=attestation,proto3" json:"attestation,omitempty"`
 }
diff --git a/verify/verifyproto/verify_grpc.pb.go b/verify/verifyproto/verify_grpc.pb.go
index db3696814..f2cc5d502 100644
--- a/verify/verifyproto/verify_grpc.pb.go
+++ b/verify/verifyproto/verify_grpc.pb.go
@@ -22,6 +22,7 @@ const _ = grpc.SupportPackageIsVersion7
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type APIClient interface {
+ // GetAttestation returns an attestation for the given user data and nonce.
 GetAttestation(ctx context.Context, in *GetAttestationRequest, opts ...grpc.CallOption) (*GetAttestationResponse, error)
 }
@@ -46,6 +47,7 @@ func (c *aPIClient) GetAttestation(ctx context.Context, in *GetAttestationReques
 // All implementations must embed UnimplementedAPIServer
 // for forward compatibility
 type APIServer interface {
+ // GetAttestation returns an attestation for the given user data and nonce.
 GetAttestation(context.Context, *GetAttestationRequest) (*GetAttestationResponse, error)
 mustEmbedUnimplementedAPIServer()
 }