PublishRepositories Policy


The PublishRepositories policy enforces constraints on where artifacts are published. It evaluates against Publish Repositories attestations (predicate type https://gradle.com/attestation/publish-repositories/v1).

Configuration Fields

Field               Required   Description
matchingStrategy    Yes        must-match (allow list) or none-match (deny list)
uris                Yes        Repository URI patterns; wildcards supported

Repository URI Patterns

Pattern                       Matches
repo.example.com/snapshots    Exact URI match
repo.example.com/*            Single path segment (e.g., /libs, /releases)
repo.example.com/**           Any path depth (e.g., /libs/releases/v1)
*/staging/**                  Any URI with staging in the path

Omit the URI scheme: write repo.example.com/path, not https://repo.example.com/path.

Avoid overly broad wildcards like ** on shared repository hosts. Prefer the most specific pattern for your environment.

Examples

must-match Strategy (Allow List)

Require Staging Repository

apiVersion: policy.gradle.com/v1
kind: PublishRepositories
metadata:
  name: require-staging-publish
  labels:
    policy.my-corp.com/gate: production
spec:
  resultsLabels:
    policy.my-corp.com/gate: production
  description: Ensure artifacts are published to staging repository
  remediation: Publish artifact to staging before promoting to production
  matchingStrategy: must-match
  uris:
    - "repo.example.com/staging/*"

Authorized Repositories Only

apiVersion: policy.gradle.com/v1
kind: PublishRepositories
metadata:
  name: authorized-repositories-only
  labels:
    policy.my-corp.com/gate: build
spec:
  resultsLabels:
    policy.my-corp.com/gate: build
  description: Only allow artifacts from authorized company repositories
  remediation: Use only authorized repositories for artifact publishing
  matchingStrategy: must-match
  uris:
    - "repo.company.com/*"
    - "nexus.company.com/*"

none-match Strategy (Deny List)

Block Production Publishing

apiVersion: policy.gradle.com/v1
kind: PublishRepositories
metadata:
  name: block-production-publish
  labels:
    policy.my-corp.com/gate: staging
spec:
  resultsLabels:
    policy.my-corp.com/gate: staging
  description: Block artifacts published to production repositories
  remediation: Only publish to staging and development repositories
  matchingStrategy: none-match
  uris:
    - "repo.example.com/production/*"

Multiple URI Patterns

A single policy with multiple URIs acts as an OR: the artifact must match at least one of the URIs (for must-match) or must not match any of them (for none-match).

Allow Development or Staging

apiVersion: policy.gradle.com/v1
kind: PublishRepositories
metadata:
  name: allow-staging-or-dev
  labels:
    policy.my-corp.com/gate: production
spec:
  resultsLabels:
    policy.my-corp.com/gate: production
  description: Artifacts may be published to development or staging repositories
  remediation: Publish artifact to either development or staging repository
  matchingStrategy: must-match
  uris:
    - "repo.example.com/dev/*"
    - "repo.example.com/staging/*"

Requiring Multiple Repositories (AND Logic)

To require that an artifact has been published to both repositories, use separate policies. Each must-match policy is evaluated independently, so the artifact must satisfy all of them.
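The following Python is an added illustration, not code from Gradle or the policy engine. It models the pattern table above and the strategy semantics described in this section and the previous one: `*` matches exactly one path segment, `**` matches any number of segments (including zero), the URI scheme is ignored, must-match passes when any attested publish URI matches any listed pattern, none-match passes only when none does, and separate policies are ANDed. All function names, the exact wildcard semantics and the sample data are assumptions.

```python
from fnmatch import fnmatchcase
# Added example, not Gradle code. Assumed pattern semantics: '*' is exactly one
# path segment, '**' is zero or more segments, the URI scheme is ignored.

def normalize_uri(uri: str) -> str:
    """Drop the scheme (patterns omit it) and any trailing slash."""
    if "://" in uri:
        uri = uri.split("://", 1)[1]
    return uri.rstrip("/")

def _segments_match(pat: list, segs: list) -> bool:
    if not pat:
        return not segs
    head, rest = pat[0], pat[1:]
    if head == "**":  # absorbs zero or more segments
        return any(_segments_match(rest, segs[i:]) for i in range(len(segs) + 1))
    return bool(segs) and fnmatchcase(segs[0], head) and _segments_match(rest, segs[1:])

def uri_matches(pattern: str, uri: str) -> bool:
    """True if one attested repository URI matches one policy pattern."""
    return _segments_match(pattern.split("/"), normalize_uri(uri).split("/"))

def evaluate_policy(policy: dict, attested_uris: list) -> bool:
    """must-match passes if any attested URI matches a listed pattern;
    none-match passes only if no attested URI does."""
    hit = any(uri_matches(p, u) for u in attested_uris for p in policy["uris"])
    if policy["matchingStrategy"] == "must-match":
        return hit
    if policy["matchingStrategy"] == "none-match":
        return not hit
    raise ValueError(f"unknown matchingStrategy: {policy['matchingStrategy']}")

def evaluate_all(policies: list, attested_uris: list) -> dict:
    """Policies are independent, so the artifact must pass every one (AND)."""
    return {p["name"]: evaluate_policy(p, attested_uris) for p in policies}

# Constructed sample: spec fields of three policies from this page and an
# attestation listing two publish repositories (scheme present, as attested).
POLICIES = [
    {"name": "require-dev-publication", "matchingStrategy": "must-match",
     "uris": ["repo.example.com/dev/*"]},
    {"name": "require-staging-publication", "matchingStrategy": "must-match",
     "uris": ["repo.example.com/staging/*"]},
    {"name": "block-production-publish", "matchingStrategy": "none-match",
     "uris": ["repo.example.com/production/*"]},
]
ATTESTED = ["https://repo.example.com/dev/libs", "https://repo.example.com/staging/libs"]

if __name__ == "__main__":
    print(evaluate_all(POLICIES, ATTESTED))
```

Running it prints a dict with all three policies passing; publishing to repo.example.com/production/libs as well would flip block-production-publish to False while the two must-match policies still pass.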

Require Both Development and Staging Publication

apiVersion: policy.gradle.com/v1
kind: PublishRepositories
metadata:
  name: require-dev-publication
  labels:
    policy.my-corp.com/gate: production
spec:
  description: Artifacts must be published to development repository
  remediation: Publish artifact to development repository first
  matchingStrategy: must-match
  uris:
    - "repo.example.com/dev/*"
---
apiVersion: policy.gradle.com/v1
kind: PublishRepositories
metadata:
  name: require-staging-publication
  labels:
    policy.my-corp.com/gate: production
spec:
  description: Artifacts must be published to staging repository
  remediation: Publish artifact to staging before production
  matchingStrategy: must-match
  uris:
    - "repo.example.com/staging/*"