Publishing Attestations
You can publish attestations for a software package by calling the Develocity Provenance Governor API directly, or by using the Develocity Provenance Governor GitHub Action.
In both cases, the following information will be needed:
| Information | Where to Find It | Example |
|---|---|---|
| Package type | Your build system or registry type | |
| Package name | Artifact name from your build | |
| Package version | Build version or tag | |
| SHA-256 digest | Build output or registry metadata | |
| Repository URL | Package repository where the artifact is stored | |
| Build Scan IDs or Query | Develocity Build Scan URLs or advanced search | |
| Annotations | Key-value pairs from your CI pipeline or build tool | |
When to Publish Attestations
You can publish attestations for a software package at any time after the package has been built and published to a package repository.
This flexibility allows you to optimize your workflow:
- Immediate publishing: Publish right after the build for complete tracking
- Gated publishing: Only publish for packages that pass quality gates
- Batch publishing: Collect multiple builds and publish together
Delaying attestations until it is known that the package will move forward reduces the number of attestations to store and manage; for example, publish only for packages that pass an initial quality gate.
For details on using the API, see API Reference. For GitHub Actions, see GitHub Actions.
Attestation Types
Develocity Provenance Governor generates attestations compliant with the in-toto Attestations Framework. Each attestation is a JSON document wrapped in a signing envelope; it carries a subject (the package it describes) and a predicate (the type of claim and its properties).
See Attestations for a detailed description of all attestation types published.
The following attestation types are supported:
| Attestation | Predicate Type | Description |
|---|---|---|
| | | Attests to the build tool used to create the package, including version. |
| | | Attests to the Java toolchains used during the build. |
| | | Attests to repository sources for resolved dependencies. |
| | | Attests to dependencies resolved during the build. |
| | | Attests to the repositories where the package was published. |
| | | Records that an artifact has been verified against a set of policies. |
| | | Records per-policy evaluation results and evaluated policy snapshots from a Policy Scan. |
| | | Provides enriched dependency analysis data. |
Publishing With Annotations
Annotations are key-value pairs that route your publish request to matching Fact Connector policies. Those policies call external backends and store the responses as predicates on your attestation. See Fact Connector for how routing and predicate generation work.
Annotations are carried on every attestation the publish request produces, not only on those produced by Fact Connector policies. This makes annotations useful as custom metadata even when no Fact Connector policy is configured.
Include annotations as a JSON object in the request body:
```json
{
  "annotations": {
    "ci.build.id": "12345",
    "vcs.branch": "main",
    "deploy.environment": "production"
  }
}
```
For form-encoded requests, use bracket notation with the same keys:
```text
annotations[ci.build.id]=12345&annotations[vcs.branch]=main&annotations[deploy.environment]=production
```
See Fact Connector for pattern matching, template expansion, and complete examples.
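The following is an added example, not code from the Develocity Provenance Governor project or its documentation. It assembles a publish request from the information listed at the top of this page, checks the SHA-256 digest and annotation types before anything is sent, and emits the annotations both as the JSON object and in the bracket notation used for form-encoded requests. Only the `annotations` key is taken from the documentation; the other top-level field names, the sample artifact and the sample values are assumptions.

```python
import hashlib
import re
from urllib.parse import quote

_HEX64 = re.compile(r"[0-9a-f]{64}")

def normalize_digest(digest: str) -> str:
    # Accept "sha256:<hex>" or bare hex, any case; return lowercase hex or fail loudly.
    value = digest.strip().lower()
    if value.startswith("sha256:"):
        value = value[len("sha256:"):]
    if not _HEX64.fullmatch(value):
        raise ValueError(f"not a SHA-256 digest: {digest!r}")
    return value

def validate_annotations(annotations: dict) -> dict:
    # Keys and values must be non-empty strings; anything else is rejected before it is sent.
    for key, value in annotations.items():
        if not isinstance(key, str) or not key.strip() or not isinstance(value, str):
            raise ValueError(f"bad annotation {key!r}: keys and values must be non-empty strings")
    return dict(annotations)

def build_publish_body(package_type, name, version, digest, repository_url,
                       build_scan_ids, annotations) -> dict:
    # JSON request body. Only "annotations" is a field name taken from the docs;
    # the other top-level names are hypothetical placeholders.
    return {
        "packageType": package_type,
        "name": name,
        "version": version,
        "digest": "sha256:" + normalize_digest(digest),
        "repositoryUrl": repository_url,
        "buildScanIds": list(build_scan_ids),
        "annotations": validate_annotations(annotations),
    }

def encode_annotations_form(annotations: dict) -> str:
    # Bracket notation for form-encoded requests: annotations[key]=value&...
    # Values are percent-encoded so an '&' or '=' inside a value cannot become a second parameter.
    return "&".join(
        f"annotations[{quote(k, safe='.')}]={quote(v, safe='')}"
        for k, v in validate_annotations(annotations).items()
    )

# Constructed sample: in practice the digest comes from build output or registry metadata.
SAMPLE_ARTIFACT = b"constructed artifact bytes, not a real package"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()
SAMPLE_ANNOTATIONS = {"ci.build.id": "12345", "vcs.branch": "main", "deploy.environment": "production"}
```

Passing `build_publish_body(...)` to `json.dumps` gives the JSON request body; `encode_annotations_form(SAMPLE_ANNOTATIONS)` reproduces the form-encoded string shown above.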