CI/CD Integration


GitHub Actions

GitHub Actions are provided for both attestation publishing and enforcement of Policy Scan™ evaluations as part of your workflow.

Both actions authenticate to the Develocity Provenance Governor API with the GitHub token of the workflow run. Because that token carries claims identifying where it was issued (its issuer and the repository owner, among others), you can base your access control policy on it. For example, the following AccessControl resource admits only tokens issued by GitHub Actions for repositories owned by example-org:

apiVersion: policy.gradle.com/v1
kind: AccessControl
metadata:
  name: example
spec:
  identityMatchingStrategy:
    withOidc:
      - withIssuerUri: "https://token.actions.githubusercontent.com"
        withClaims:
          repository_owner: example-org

Usage examples:

Publish Attestation Example

uses: gradle/develocity-provenance-governor-actions/publish@main
with:
  attestation-publisher-url: 'https://provenance-governor.example.com'
  build-scan-ids: eo5xxyg3drtoc
  build-scan-queries: 'value:"CI run=${{ github.run_id }}"'
  subject-type: oci
  subject-name: java-payment-calculator
  subject-version: 1.2.3
  subject-digest: 1a6b2bf83435f2a9ccd33519ad3e817bf79aee6af1c7a15d26d8a256bfa9cc94
  subject-repository-url: develocitytia.jfrog.io/docker-trial

Enforce Policy Example

uses: gradle/develocity-provenance-governor-actions/enforce@main
with:
  policy-evaluator-url: 'https://provenance-governor.example.com'
  subject-type: oci
  subject-name: java-payment-calculator
  subject-version: 1.2.3
  subject-digest: 1a6b2bf83435f2a9ccd33519ad3e817bf79aee6af1c7a15d26d8a256bfa9cc94
  subject-repository-url: develocitytia.jfrog.io/docker-example-repo
  policy-scan: ci-enforcement
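The two actions composed into one release workflow, as an added example rather than a snippet from the actions' own documentation: the job requests the id-token: write permission (assumed to be what the actions need to obtain the GitHub OIDC token that the AccessControl policy above matches), pushes the image, publishes an attestation for the exact digest that was pushed, and then runs the Policy Scan as a gate in front of deployment. The Dockerfile, the Develocity custom value "CI run=<run id>" on the Build Scan, and the registry path are assumptions.

```yaml
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write   # assumed: lets the job mint the GitHub OIDC token the actions present to the API
jobs:
  release:
    runs-on: ubuntu-latest
    env:
      IMAGE: develocitytia.jfrog.io/docker-example-repo/java-payment-calculator   # assumed registry path
      VERSION: 1.2.3
    steps:
      - uses: actions/checkout@v4
      # Assumed: the build's Develocity plugin publishes a Build Scan carrying the custom value
      # "CI run=<run id>", which the publish step below queries to find this run's scan.
      - run: ./gradlew build

      - name: Push image and record its digest
        id: image
        run: |
          docker build -t "$IMAGE:$VERSION" .   # assumed: Dockerfile at the repository root
          docker push "$IMAGE:$VERSION"
          # RepoDigests reads "repo@sha256:<hex>"; keep the bare hex, as in the examples above
          digest=$(docker inspect --format '{{index .RepoDigests 0}}' "$IMAGE:$VERSION" | sed 's/.*sha256://')
          echo "digest=$digest" >> "$GITHUB_OUTPUT"

      # Bind this run's Build Scan to the exact image that was pushed, not just to a tag.
      - uses: gradle/develocity-provenance-governor-actions/publish@main
        with:
          attestation-publisher-url: https://provenance-governor.example.com
          build-scan-queries: 'value:"CI run=${{ github.run_id }}"'
          subject-type: oci
          subject-name: java-payment-calculator
          subject-version: ${{ env.VERSION }}
          subject-digest: ${{ steps.image.outputs.digest }}
          subject-repository-url: develocitytia.jfrog.io/docker-example-repo

      # A failed Policy Scan fails the job here, so the deploy step below never runs.
      - uses: gradle/develocity-provenance-governor-actions/enforce@main
        with:
          policy-evaluator-url: https://provenance-governor.example.com
          subject-type: oci
          subject-name: java-payment-calculator
          subject-version: ${{ env.VERSION }}
          subject-digest: ${{ steps.image.outputs.digest }}
          subject-repository-url: develocitytia.jfrog.io/docker-example-repo
          policy-scan: ci-enforcement

      - run: echo "deploy $IMAGE:$VERSION"   # placeholder for the real deployment step
```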

Integration with Other CI/CD

The REST API supports attestation publishing and Policy Scan evaluation from any other automation. See the Operations section for endpoint details and further scriptable examples.