---
component: provenance-governor
version: "1.7"
slug: provenance-governor/publishing-attestations
canonical_url: "https://docs.gradle.com/develocity/provenance-governor/1.7/publishing-attestations/"
title: "Publishing Attestations"
description: "Guide for publishing attestations using the Develocity Provenance Governor API or GitHub Action."
keywords:
  - "attestation"
  - "supply chain"
  - "API"
  - "authentication"
status: current
---

<!-- llms-index: https://docs.gradle.com/develocity/llms.txt -->

# Publishing Attestations

<a id="preamble"></a>

You can publish attestations for a software package by calling the Develocity Provenance Governor API directly, or by using the Develocity Provenance Governor GitHub Action.

In both cases, the following information will be needed:

| Information | Where to Find It | Example |
| --- | --- | --- |
| Package type | Your build system or registry type | oci, maven |
| Package name | Artifact name from your build | acme-app |
| Package version | Build version or tag | 1.0.0 |
| SHA-256 digest | Build output or registry metadata | sha256:73f482a2… |
| Repository URL | Package repository where the artifact is stored | artifactory.example.com/maven-repo-local |
| Build Scan IDs or Query | Develocity Build Scan URLs or advanced search | bjvognekiphus or search query |

<a id="when-to-publish-attestations"></a>

## When to Publish Attestations

You can publish attestations for a software package at any time after the package has been built and published to a package repository.

This flexibility allows you to optimize your workflow:

*   **Immediate publishing**: Publish right after the build for complete tracking
*   **Gated publishing**: Only publish for packages that pass quality gates
*   **Batch publishing**: Collect multiple builds and publish together

Delaying attestations until it is known that the package will move forward reduces the number of attestations to store and manage; for example, publish only for packages that pass an initial quality gate.

For details on using the API, see [API Reference](https://docs.gradle.com/develocity/provenance-governor/1.7/api-reference/). For GitHub Actions, see [GitHub Actions](https://docs.gradle.com/develocity/provenance-governor/1.7/ci-cd-integration/#github-actions).

<a id="attestation-types"></a>

## Attestation Types

Develocity Provenance Governor generates attestations compliant with the [in-toto Attestations Framework](https://github.com/in-toto/attestation). Each attestation is a JSON document wrapped in a signing envelope; it has a subject identifying the artifact and a predicate whose type and contents describe the claim being made about it.

> [!NOTE]
> See Attestations for a detailed description of all attestation types published.

The following attestation types are supported:

| Attestation | Predicate Type | Description |
| --- | --- | --- |
| Build Tool | https://gradle.com/attestation/build-tool/v1 | Attests to the build tool used to create the package, including version. |
| Java Toolchains | https://gradle.com/attestation/java-toolchains/v1 | Attests to the Java toolchains used during the build. |
| Resolved Dependencies Repositories | https://gradle.com/attestation/resolved-dependencies-repositories/v1 | Attests to repository sources for resolved dependencies. |
| Resolved Dependencies | https://gradle.com/attestation/resolved-dependencies/v1 | Attests to dependencies resolved during the build. |
| Publish Repositories | https://gradle.com/attestation/publish-repositories/v1 | Attests to the repositories where the package was published. |
| Verification Summary | https://slsa.dev/verification_summary/v1 | Records that an artifact has been verified against a set of policies. |
| Policy Scan Predicate | https://gradle.com/attestation/policyscan/v1 | Records per-policy evaluation results and evaluated policy snapshots from a Policy Scan. |
| Dependency Insights | https://policies.gradle.com/dependency-insights/v1 | Provides enriched dependency analysis data. |
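The package details from the first table end up in an attestation's subject, and the predicate types in the table above identify the claim. As an added example (not Provenance Governor's own code), the following Python builds an in-toto v1 Statement for a package, wraps it in a DSSE envelope, and shows the consumer-side check that the subject digest matches the artifact actually in hand. The `name:version` subject naming, the empty `signatures` list and the placeholder predicate body are assumptions; the per-type predicate schemas are not on this page.

```python
import base64
import json
import re
# Predicate types listed in the table above (Provenance Governor 1.7).
SUPPORTED_PREDICATE_TYPES = {
    "https://gradle.com/attestation/build-tool/v1",
    "https://gradle.com/attestation/java-toolchains/v1",
    "https://gradle.com/attestation/resolved-dependencies-repositories/v1",
    "https://gradle.com/attestation/resolved-dependencies/v1",
    "https://gradle.com/attestation/publish-repositories/v1",
    "https://slsa.dev/verification_summary/v1",
    "https://gradle.com/attestation/policyscan/v1",
    "https://policies.gradle.com/dependency-insights/v1",
}
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"  # DSSE payloadType for in-toto statements
_DIGEST = re.compile(r"sha256:[0-9a-f]{64}")

def make_statement(package_name, package_version, digest, predicate_type, predicate):
    """in-toto v1 Statement with the package as its single subject.
    The 'name:version' subject naming is an assumption; this page does not specify it."""
    if not _DIGEST.fullmatch(digest):
        raise ValueError(f"digest must be sha256:<64 hex chars>, got {digest!r}")
    if predicate_type not in SUPPORTED_PREDICATE_TYPES:
        raise ValueError(f"unsupported predicateType {predicate_type!r}")
    return {"_type": STATEMENT_TYPE,
            "subject": [{"name": f"{package_name}:{package_version}",
                         "digest": {"sha256": digest.removeprefix("sha256:")}}],
            "predicateType": predicate_type, "predicate": predicate}

def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the exact bytes a signer signs and a verifier checks."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])

def wrap_envelope(statement):
    """DSSE envelope around the statement; signing is the publisher's job, so signatures stays empty."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(), "signatures": []}

def subject_matches(envelope, digest):
    """Consumer-side check: an attestation vouches only for the artifact whose digest it names."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    return (statement.get("_type") == STATEMENT_TYPE and any(
        s.get("digest", {}).get("sha256") == digest.removeprefix("sha256:")
        for s in statement.get("subject", [])))
# Constructed sample (not a real artifact): digest and predicate body are placeholders.
SAMPLE_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_ENVELOPE = wrap_envelope(make_statement("acme-app", "1.0.0", SAMPLE_DIGEST,
    "https://gradle.com/attestation/build-tool/v1", {"placeholder": "fields depend on predicate type"}))
```

A verifier would additionally check a signature over `pae(PAYLOAD_TYPE, payload)` with the publisher's key before trusting the statement; the digest comparison here is the step that ties the claim to the bytes you downloaded.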