chore: (optimization) add provenance file + register with release please

andrewklatzke · andrewklatzke · commit 32dc4d0da53d · 2026-05-18T13:14:50.000-08:00
diff --git a/packages/optimization/PROVENANCE.md b/packages/optimization/PROVENANCE.md
@@ -0,0 +1,49 @@
+## Verifying SDK build provenance with GitHub artifact attestations
+
+LaunchDarkly uses [GitHub artifact attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages.
+
+LaunchDarkly publishes provenance about our SDK package builds using [GitHub's `actions/attest` action](https://github.com/actions/attest). These attestations are stored in GitHub's attestation API and can be verified using the [GitHub CLI](https://cli.github.com/).
+
+To verify build provenance attestations, we recommend using the [GitHub CLI `attestation verify` command](https://cli.github.com/manual/gh_attestation_verify). Example usage for verifying SDK packages is included below:
+
+<!-- x-release-please-start-version -->
+```
+# Set the version of the library to verify
+VERSION=0.1.0
+```
+<!-- x-release-please-end -->
+
+```
+# Download package from PyPI
+$ pip download --only-binary=:all: launchdarkly-ai-optimizer==${VERSION}
+
+# Verify provenance using the GitHub CLI
+$ gh attestation verify launchdarkly_ai_optimizer-${VERSION}-py3-none-any.whl --owner launchdarkly
+```
+
+Below is a sample of expected output.
+
+```
+Loaded digest sha256:... for file://launchdarkly_ai_optimizer-0.1.0-py3-none-any.whl
+Loaded 1 attestation from GitHub API
+
+The following policy criteria will be enforced:
+- Predicate type must match:................ https://slsa.dev/provenance/v1
+- Source Repository Owner URI must match:... https://github.com/launchdarkly
+- Subject Alternative Name must match regex: (?i)^https://github.com/launchdarkly/
+- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
+
+✓ Verification succeeded!
+
+The following 1 attestation matched the policy criteria
+
+- Attestation #1
+  - Build repo:..... launchdarkly/python-server-sdk-ai
+  - Build workflow:. .github/workflows/release-please.yml
+  - Signer repo:.... launchdarkly/python-server-sdk-ai
+  - Signer workflow: .github/workflows/release-please.yml
+```
+
+For more information, see [GitHub's documentation on verifying artifact attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli).
+
+**Note:** These instructions do not apply when building our libraries from source.
diff --git a/release-please-config.json b/release-please-config.json
@@ -38,7 +38,10 @@
       "versioning": "default",
       "bump-minor-pre-major": true,
       "include-v-in-tag": false,
-      "extra-files": ["src/ldai_optimizer/__init__.py"],
+      "extra-files": [
+        "src/ldai_optimizer/__init__.py",
+        "PROVENANCE.md"
+      ],
       "component": "ldai_optimizer"
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,10 @@`
`38`	`38`	`"versioning": "default",`
`39`	`39`	`"bump-minor-pre-major": true,`
`40`	`40`	`"include-v-in-tag": false,`
`41`		`- "extra-files": ["src/ldai_optimizer/__init__.py"],`
	`41`	`+ "extra-files": [`
	`42`	`+ "src/ldai_optimizer/__init__.py",`
	`43`	`+ "PROVENANCE.md"`
	`44`	`+ ],`
`42`	`45`	`"component": "ldai_optimizer"`
`43`	`46`	`}`
`44`	`47`	`}`