---
component: provenance-governor
version: "1.7"
slug: provenance-governor/policy-type-publish-repositories
canonical_url: "https://docs.gradle.com/develocity/provenance-governor/1.7/policy-type-publish-repositories/"
title: "PublishRepositories Policy"
description: "Reference for the PublishRepositories policy type."
keywords:
  - "attestation"
  - "supply chain"
  - "configuration"
status: current
---


# PublishRepositories Policy

<a id="preamble"></a>

The `PublishRepositories` policy enforces constraints on where artifacts are published. It evaluates against [Publish Repositories attestations](https://docs.gradle.com/develocity/provenance-governor/1.7/attestation-publish-repositories/) (predicate type `https://gradle.com/attestation/publish-repositories/v1`).

<a id="configuration-fields"></a>

## Configuration Fields

  
| Field | Required | Description |
| --- | --- | --- |
| `matchingStrategy` | Yes | `must-match` (allow list) or `none-match` (deny list) |
| `uris` | Yes | Repository URI patterns; wildcards supported |

<a id="repository-uri-patterns"></a>

## Repository URI Patterns

 
| Pattern | Matches |
| --- | --- |
| `repo.example.com/snapshots` | Exact URI match |
| `repo.example.com/*` | Single path segment (e.g., `/libs`, `/releases`) |
| `repo.example.com/**` | Any path depth (e.g., `/libs/releases/v1`) |
| `*/staging/**` | Any URI with `staging` in the path |

> [!IMPORTANT]
> Omit the URI scheme: use `repo.example.com/path`, not `https://repo.example.com/path`.

> [!WARNING]
> Avoid overly broad wildcards like `**` on shared repository hosts. Prefer the most specific pattern for your environment.

<a id="examples"></a>

## Examples

<a id="must-match-strategy-allow-list"></a>

### must-match Strategy (Allow List)

<a id="require-staging-repository"></a>

#### Require Staging Repository

```yaml
apiVersion: policy.gradle.com/v1
kind: PublishRepositories
metadata:
  name: require-staging-publish
  labels:
    policy.my-corp.com/gate: production
spec:
  resultsLabels:
    policy.my-corp.com/gate: production
  description: Ensure artifacts are published to staging repository
  remediation: Publish artifact to staging before promoting to production
  matchingStrategy: must-match
  uris:
    - "repo.example.com/staging/*"
```

<a id="authorized-repositories-only"></a>

#### Authorized Repositories Only

```yaml
apiVersion: policy.gradle.com/v1
kind: PublishRepositories
metadata:
  name: authorized-repositories-only
  labels:
    policy.my-corp.com/gate: build
spec:
  resultsLabels:
    policy.my-corp.com/gate: build
  description: Only allow artifacts from authorized company repositories
  remediation: Use only authorized repositories for artifact publishing
  matchingStrategy: must-match
  uris:
    - "repo.example.com/*"
    - "nexus.example.com/*"
```

<a id="none-match-strategy-deny-list"></a>

### none-match Strategy (Deny List)

<a id="block-production-publishing"></a>

#### Block Production Publishing

```yaml
apiVersion: policy.gradle.com/v1
kind: PublishRepositories
metadata:
  name: block-production-publish
  labels:
    policy.my-corp.com/gate: staging
spec:
  resultsLabels:
    policy.my-corp.com/gate: staging
  description: Block artifacts published to production repositories
  remediation: Only publish to staging and development repositories
  matchingStrategy: none-match
  uris:
    - "repo.example.com/production/*"
```

<a id="multiple-uri-patterns"></a>

### Multiple URI Patterns

A single policy with multiple URIs acts as an OR — the artifact must match **at least one** of the URIs (for `must-match`) or must not match **any** of them (for `none-match`).

<a id="allow-development-or-staging"></a>

#### Allow Development or Staging

```yaml
apiVersion: policy.gradle.com/v1
kind: PublishRepositories
metadata:
  name: allow-staging-or-dev
  labels:
    policy.my-corp.com/gate: production
spec:
  resultsLabels:
    policy.my-corp.com/gate: production
  description: Artifacts may be published to development or staging repositories
  remediation: Publish artifact to either development or staging repository
  matchingStrategy: must-match
  uris:
    - "repo.example.com/dev/*"
    - "repo.example.com/staging/*"
```

<a id="requiring-multiple-repositories-and-logic"></a>

### Requiring Multiple Repositories (AND Logic)

To require that an artifact has been published to **both** repositories, use separate policies. Each `must-match` policy is evaluated independently, so the artifact must satisfy all of them.

<a id="require-both-development-and-staging-publication"></a>

#### Require Both Development and Staging Publication

```yaml
apiVersion: policy.gradle.com/v1
kind: PublishRepositories
metadata:
  name: require-dev-publication
  labels:
    policy.my-corp.com/gate: production
spec:
  description: Artifacts must be published to development repository
  remediation: Publish artifact to development repository first
  matchingStrategy: must-match
  uris:
    - "repo.example.com/dev/*"
```

```yaml
apiVersion: policy.gradle.com/v1
kind: PublishRepositories
metadata:
  name: require-staging-publication
  labels:
    policy.my-corp.com/gate: production
spec:
  description: Artifacts must be published to staging repository
  remediation: Publish artifact to staging before production
  matchingStrategy: must-match
  uris:
    - "repo.example.com/staging/*"
```
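
The following added example (not Provenance Governor's own code) models the pattern table and the OR/AND rules described above in Python, so a policy set can be reasoned about before it is applied. It assumes `*` never crosses a `/`, `**` may span any depth, the whole URI must match, and each policy is checked against the list of repository URIs an artifact was published to; the function names and the sample URIs are constructed for illustration.

```python
import re

def pattern_to_regex(pattern):
    """Compile a URI pattern: '**' spans any depth, '*' stays in one segment."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")       # may cross '/' separators
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")    # never crosses a '/'
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))

def evaluate(policy, published):
    """Assumed semantics: OR across the policy's uris and the published URIs."""
    regexes = [pattern_to_regex(p) for p in policy["uris"]]
    hit = any(r.fullmatch(u) for r in regexes for u in published)
    strategy = policy["matchingStrategy"]
    if strategy == "must-match":
        return hit
    if strategy == "none-match":
        return not hit
    raise ValueError(f"unknown matchingStrategy: {strategy!r}")

def failing_policies(policies, published):
    """AND across policies: all must pass; return the names of those that fail."""
    return [p["name"] for p in policies if not evaluate(p, published)]

# Policies mirror the YAML examples on this page (name, strategy and uris only).
REQUIRE_DEV = {"name": "require-dev-publication",
               "matchingStrategy": "must-match", "uris": ["repo.example.com/dev/*"]}
REQUIRE_STAGING = {"name": "require-staging-publication",
                   "matchingStrategy": "must-match", "uris": ["repo.example.com/staging/*"]}
BLOCK_PROD = {"name": "block-production-publish",
              "matchingStrategy": "none-match", "uris": ["repo.example.com/production/*"]}

# Constructed published-repository URIs (scheme omitted), not real attestation data.
BOTH = ["repo.example.com/dev/libs", "repo.example.com/staging/libs"]
DEV_ONLY = ["repo.example.com/dev/libs"]
NESTED_PROD = ["repo.example.com/production/libs/v1"]

if __name__ == "__main__":
    print(failing_policies([REQUIRE_DEV, REQUIRE_STAGING], BOTH))
    print(failing_policies([REQUIRE_DEV, REQUIRE_STAGING], DEV_ONLY))
    print(evaluate(BLOCK_PROD, NESTED_PROD))
```

In this model the deny-list pattern `repo.example.com/production/*` does not cover `repo.example.com/production/libs/v1`, because `*` stops at the next `/`; `repo.example.com/production/**` does cover it.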