Publish Repositories Predicate

Predicate Type URI: https://gradle.com/attestation/publish-repositories/v1

Captures where an artifact was published. This attestation enables tracking an artifact’s publication history to support governance policies that enforce proper promotion workflows (e.g., ensuring artifacts are deployed to staging before production).

Fields:

uris (List of URI strings) - The URIs of the repositories where the artifact was published. Schemes (e.g., https://) must be omitted (e.g., repo.example.com/libs-release).
timePublished (string) - Timestamp of publication (ISO 8601).
sourcedFrom (string) - The identity of the principal that performed the publication (e.g., urn:basic-identity:cicd-user or urn:oidc:repo:octo-org/octo-repo:environment:prod).

{
  "uris": ["repo.example.com/libs-release"],
  "timePublished": "2024-10-15T14:30:00Z",
  "sourcedFrom": "urn:oidc:repo:octo-org/octo-repo:environment:prod"
}