Skip to content

gradle/develocity-provenance-governor-actions

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

144 Commits
.devcontainer
.devcontainer
 
 
.github
.github
 
 
.idea
.idea
 
 
.vscode
.vscode
 
 
badges
badges
 
 
dist
dist
 
 
enforce
enforce
 
 
publish
publish
 
 
script
script
 
 
src
src
 
 
.env.example
.env.example
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.licensed.yml
.licensed.yml
 
 
.markdown-lint.yml
.markdown-lint.yml
 
 
.node-version
.node-version
 
 
.prettierignore
.prettierignore
 
 
.prettierrc.yml
.prettierrc.yml
 
 
.yaml-lint.yml
.yaml-lint.yml
 
 
README.md
README.md
 
 
develocity.config.cjs
develocity.config.cjs
 
 
eslint.config.mjs
eslint.config.mjs
 
 
jest.config.js
jest.config.js
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
rollup.config.ts
rollup.config.ts
 
 
tsconfig.base.json
tsconfig.base.json
 
 
tsconfig.eslint.json
tsconfig.eslint.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

Develocity Provenance Governor Actions

GitHub Actions to make Develocity Provenance Governor part of your GitHub workflows.

Publishing

uses: gradle/develocity-provenance-governor-actions/publish@main
with:
  attestation-publisher-url: 'https://develocity-provenance-governor.example.com'
  build-scan-ids: eo5xxyg3drtoc
  build-scan-queries: 'value:"CI run=${{ github.run_id }}"'
  subject-type: oci
  subject-name: java-payment-calculator
  subject-version: 1.2.3
  subject-digest: 1a6b2bf83435f2a9ccd33519ad3e817bf79aee6af1c7a15d26d8a256bfa9cc94
  subject-repository-url: develocitytia.jfrog.io/docker-trial

Requires a GitHub OIDC token.

One of build-scan-ids or build-scan-queries must be provided. Multiple IDs and queries may be specified, one per line. Queries use the Develocity advanced query syntax.

There is also a subject-namespace field that can be used with subject types that require it.

Tip

You can use the Common Custom User Data plugins (Gradle, Maven, Sbt) to automatically add GitHub-related custom values to Build Scans, like the CI run value used in the example configuration.

Enforcement

uses: gradle/develocity-provenance-governor-actions/enforce@main
with:
  policy-evaluator-url: 'https://develocity-provenance-governor.example.com'
  subject-type: oci
  subject-name: java-payment-calculator
  subject-version: 1.2.3
  subject-digest: 1a6b2bf83435f2a9ccd33519ad3e817bf79aee6af1c7a15d26d8a256bfa9cc94
  subject-repository-url: develocitytia.jfrog.io/docker-example-repo
  policy-scan: ci-enforcement

Requires a GitHub OIDC token.

There is also a subject-namespace field that can be used with subject types that require it.

About

GitHub Action to create attestations

gradle.com/develocity/product/provenance-governor/

Topics

security supply-chain policy attestation supply-chain-security

Resources

Readme

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

1.0.0 - Initial Release Latest
Oct 21, 2025

Packages

No packages published

Contributors 5

Languages