Publishing Attestations


You can publish attestations for a software package by calling the Develocity Provenance Governor API directly, or by using the Develocity Provenance Governor GitHub Action.

In both cases, the following information will be needed:

| Information | Where to find it | Example |
| --- | --- | --- |
| Package type | Your build system or registry type | oci, maven |
| Package name | Artifact name from your build | my-app |
| Package version | Build version or tag | 1.0.0 |
| SHA-256 digest | Build output or registry metadata | sha256:73f482a2… |
| Repository URL | Artifactory repository where the package is stored | artifactory.example.com/maven-repo-local |
| Build Scan IDs or query | Develocity Build Scan URLs or advanced search | bjvognekiphus, or a search query |

When to Publish Attestations

You can publish attestations for a software package at any time after the package has been built and published to Artifactory.

This flexibility allows you to optimize your workflow:

  • Immediate publishing: Publish right after the build for complete tracking

  • Gated publishing: Only publish for packages that pass quality gates

  • Batch publishing: Collect multiple builds and publish together

Delaying attestations until it is known that the package will move forward reduces the number of attestations to store and manage, for example by publishing only for packages that pass an initial quality gate.

For details on using the API, see API Reference. For GitHub Actions, see GitHub Actions.

Attestation Types

Develocity Provenance Governor generates attestations compliant with the in-toto Attestations Framework. Each attestation is a JSON document wrapped in a signing envelope; its subject identifies the package being attested, and its predicate type and predicate describe the kind of attestation and the properties it asserts.

See Attestations for a detailed description of all attestation types published.
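The following is an added example, not code from Develocity Provenance Governor or from this page, showing the shape described above: an in-toto v1 Statement whose subject is the package (name plus SHA-256 digest) and whose predicate type is the Build Tool type from the table below, wrapped in a DSSE envelope. The predicate fields, the `my-app` digest, the HMAC stand-in for a real signing key and the key id are all constructed assumptions; the consumer-side check is the part a practitioner wants, since a valid signature on an attestation for a different digest must not be accepted for this package.

```python
"""Build, sign and verify an in-toto v1 attestation in a DSSE envelope.

Added illustration, not Develocity Provenance Governor code. The predicate
body, the HMAC "signing" key and the key id are assumptions; a real
deployment signs with an asymmetric key referenced by the envelope's keyid.
"""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
BUILD_TOOL_PREDICATE = "https://gradle.com/attestation/build-tool/v1"

# Constructed stand-in for a signing key (assumption: HMAC instead of an asymmetric key).
DEMO_KEY = b"demo-signing-key-not-for-production"
DEMO_KEY_ID = "demo-key-1"

# Constructed package digest for the example package; a real one comes from build output.
DEMO_DIGEST = "sha256:" + hashlib.sha256(b"my-app-1.0.0.jar").hexdigest()


def make_statement(package_name, package_digest, predicate_type, predicate):
    """In-toto v1 Statement: subject = the package (name + digest), predicate = attested properties."""
    algo, _, hexdigest = package_digest.partition(":")
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": package_name, "digest": {algo: hexdigest}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    return b" ".join([
        b"DSSEv1",
        str(len(payload_type)).encode(), payload_type.encode(),
        str(len(payload)).encode(), payload,
    ])


def sign_envelope(statement, key=DEMO_KEY, keyid=DEMO_KEY_ID):
    """Serialise the statement and wrap it in a DSSE envelope with one signature."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope, expected_digest, key=DEMO_KEY):
    """Return the statement only if the signature verifies AND a subject matches the package digest."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return None
    payload = base64.b64decode(envelope["payload"])
    expected_sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s["sig"]), expected_sig)
               for s in envelope.get("signatures", [])):
        return None  # signature does not match the signed bytes
    statement = json.loads(payload)
    if statement.get("_type") != STATEMENT_TYPE:
        return None
    algo, _, hexdigest = expected_digest.partition(":")
    if not any(s.get("digest", {}).get(algo) == hexdigest for s in statement.get("subject", [])):
        return None  # genuine attestation, but about a different artifact
    return statement


if __name__ == "__main__":
    # Assumed predicate fields; the real Build Tool predicate schema is documented separately.
    stmt = make_statement("my-app", DEMO_DIGEST, BUILD_TOOL_PREDICATE,
                          {"name": "gradle", "version": "assumed-version"})
    env = sign_envelope(stmt)
    print(json.dumps(env, indent=2))
    print("verified:", verify_envelope(env, DEMO_DIGEST) is not None)
```

The verifier deliberately checks the subject digest after the signature: the envelope proves who signed the statement, but only the digest match proves the statement is about the package in hand.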

The following attestation types are supported:

| Attestation | Predicate type | Description |
| --- | --- | --- |
| Build Tool | https://gradle.com/attestation/build-tool/v1 | Attests to the build tool used to create the package, including its version. |
| Java Toolchains | https://gradle.com/attestation/java-toolchains/v1 | Attests to the Java toolchains used during the build. |
| Resolved Dependencies Repositories | https://gradle.com/attestation/resolved-dependencies-repositories/v1 | Attests to the repository sources of the resolved dependencies. |
| Resolved Dependencies | https://gradle.com/attestation/resolved-dependencies/v1 | Attests to the dependencies resolved during the build. |
| Publish Repositories | https://gradle.com/attestation/publish-repositories/v1 | Attests to the repositories where the package was published. |
| Verification Summary | https://slsa.dev/verification_summary/v1 | Records that an artifact has been verified against a set of policies. |
| Dependency Insights | https://policies.gradle.com/dependency-insights/v1 | Provides enriched dependency analysis data. |