chore: (optimization) add provenance file + register with release please (#190)

andrewklatzke · web-flow · commit d15c6bcb03be · 2026-05-18T14:01:48.000-08:00
**Requirements** - [x] I have added test coverage for new or changed functionality - [x] I have followed the repository's [pull request submission guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests) - [x] I have validated my changes against all supported platform versions **Describe the solution you've provided** This adds a PROVENANCE.md file and registers it with release-please. **Describe alternatives you've considered** No alternatives here; required for security  --- > [!NOTE] > **Low Risk** > Low risk: documentation-only addition plus a release configuration tweak to include `PROVENANCE.md` in version bumps; no runtime code changes. > > **Overview** > Adds a new `packages/optimization/PROVENANCE.md` documenting how to verify published wheel provenance using GitHub artifact attestations. > > Updates `release-please-config.json` so `packages/optimization` treats `PROVENANCE.md` as an `extra-file`, ensuring the doc’s embedded version snippet is kept in sync during releases. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 32dc4d0. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>
diff --git a/packages/optimization/PROVENANCE.md b/packages/optimization/PROVENANCE.md
@@ -0,0 +1,49 @@
+## Verifying SDK build provenance with GitHub artifact attestations
+
+LaunchDarkly uses [GitHub artifact attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages.
+
+LaunchDarkly publishes provenance about our SDK package builds using [GitHub's `actions/attest` action](https://github.com/actions/attest). These attestations are stored in GitHub's attestation API and can be verified using the [GitHub CLI](https://cli.github.com/).
+
+To verify build provenance attestations, we recommend using the [GitHub CLI `attestation verify` command](https://cli.github.com/manual/gh_attestation_verify). Example usage for verifying SDK packages is included below:
+
+<!-- x-release-please-start-version -->
+```
+# Set the version of the library to verify
+VERSION=0.1.0
+```
+<!-- x-release-please-end -->
+
+```
+# Download package from PyPI
+$ pip download --only-binary=:all: launchdarkly-ai-optimizer==${VERSION}
+
+# Verify provenance using the GitHub CLI
+$ gh attestation verify launchdarkly_ai_optimizer-${VERSION}-py3-none-any.whl --owner launchdarkly
+```
+
+Below is a sample of expected output.
+
+```
+Loaded digest sha256:... for file://launchdarkly_ai_optimizer-0.1.0-py3-none-any.whl
+Loaded 1 attestation from GitHub API
+
+The following policy criteria will be enforced:
+- Predicate type must match:................ https://slsa.dev/provenance/v1
+- Source Repository Owner URI must match:... https://github.com/launchdarkly
+- Subject Alternative Name must match regex: (?i)^https://github.com/launchdarkly/
+- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
+
+✓ Verification succeeded!
+
+The following 1 attestation matched the policy criteria
+
+- Attestation #1
+  - Build repo:..... launchdarkly/python-server-sdk-ai
+  - Build workflow:. .github/workflows/release-please.yml
+  - Signer repo:.... launchdarkly/python-server-sdk-ai
+  - Signer workflow: .github/workflows/release-please.yml
+```
+
+For more information, see [GitHub's documentation on verifying artifact attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli).
+
+**Note:** These instructions do not apply when building our libraries from source.
diff --git a/release-please-config.json b/release-please-config.json
@@ -38,7 +38,10 @@
       "versioning": "default",
       "bump-minor-pre-major": true,
       "include-v-in-tag": false,
-      "extra-files": ["src/ldai_optimizer/__init__.py"],
+      "extra-files": [
+        "src/ldai_optimizer/__init__.py",
+        "PROVENANCE.md"
+      ],
       "component": "ldai_optimizer"
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,10 @@`
`38`	`38`	`"versioning": "default",`
`39`	`39`	`"bump-minor-pre-major": true,`
`40`	`40`	`"include-v-in-tag": false,`
`41`		`- "extra-files": ["src/ldai_optimizer/__init__.py"],`
	`41`	`+ "extra-files": [`
	`42`	`+ "src/ldai_optimizer/__init__.py",`
	`43`	`+ "PROVENANCE.md"`
	`44`	`+ ],`
`42`	`45`	`"component": "ldai_optimizer"`
`43`	`46`	`}`
`44`	`47`	`}`