docs: adding example output for PROVENANCE.md (#268)

rsoberano-ld · web-flow · commit 43cf5bf52a5a · 2024-02-22T11:36:47.000-08:00
**Requirements**

- [ ] I have added test coverage for new or changed functionality
- [ ] I have followed the repository's [pull request submission
guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests)
- [ ] I have validated my changes against all supported platform
versions

**Describe the solution you've provided**

Using provenance generated for previous release to flesh out
PROVENANCE.md

**Describe alternatives you've considered**

Provide a clear and concise description of any alternative solutions or
features you've considered.

**Additional context**

Add any other context about the pull request here.
diff --git a/PROVENANCE.md b/PROVENANCE.md
@@ -2,24 +2,31 @@
 
 LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) (Supply-chain Levels for Software Artifacts) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages.
 
-As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds using [GitHub's generic SLSA3 provenance generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#generation-of-slsa3-provenance-for-arbitrary-projects) for distribution alongside our packages. These attestations are available for download from the GitHub release page for the release version under Assets > `multiple-provenance.intoto.jsonl`.
+As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds using [GitHub's generic SLSA3 provenance generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#generation-of-slsa3-provenance-for-arbitrary-projects) for distribution alongside our packages. These attestations are available for download from the GitHub release page for the release version under Assets > `multiple.intoto.jsonl`.
 
 To verify SLSA provenance attestations, we recommend using [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Example usage for verifying SDK packages is included below:
 
+<!-- x-release-please-start-version -->
 ```
-# Download packages from PyPi
+# Download package from PyPi
 $ pip download --only-binary=:all: launchdarkly-server-sdk
 
-# Download provenance from Github release
+# Download provenance from Github release into same directory
 $ curl --location -O \
-  https://github.com/launchdarkly/python-server-sdk/releases/download/VERSION/multiple.intoto.jsonl
+  https://github.com/launchdarkly/python-server-sdk/releases/download/9.2.0/multiple.intoto.jsonl
 
 # Run slsa-verifier to verify provenance against package artifacts 
 $ slsa-verifier verify-artifact \
---provenance-path multiple-provenance.intoto.jsonl \
+--provenance-path multiple.intoto.jsonl \
 --source-uri github.com/launchdarkly/python-server-sdk \
-launchdarkly_server_sdk-VERSION-py3-none-any.whl
+launchdarkly_server_sdk-9.2.0-py3-none-any.whl
+Verified signature against tlog entry index 71399397 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a95c53f2cb33fe2e8c8fbc04591ebf26e4d2796fb2975c3ba377f1dc14507f421
+Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0" at commit 5e818265c9f85ae9a111290bd6a4fad1a08786e9
+Verifying artifact launchdarkly_server_sdk-9.2.0-py3-none-any.whl: PASSED
+
+PASSED: Verified SLSA provenance
 ```
+<!-- x-release-please-end -->
 
 Alternatively, to verify the provenance manually, the SLSA framework specifies [recommendations for verifying build artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) in their documentation.
 
diff --git a/release-please-config.json b/release-please-config.json
@@ -4,7 +4,7 @@
       "release-type": "python",
       "versioning": "default",
       "include-v-in-tag": false,
-      "extra-files": ["ldclient/version.py"],
+      "extra-files": ["ldclient/version.py", "PROVENANCE.md"],
       "include-component-in-tag": false
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`	`"release-type": "python",`
`5`	`5`	`"versioning": "default",`
`6`	`6`	`"include-v-in-tag": false,`
`7`		`- "extra-files": ["ldclient/version.py"],`
	`7`	`+ "extra-files": ["ldclient/version.py", "PROVENANCE.md"],`
`8`	`8`	`"include-component-in-tag": false`
`9`	`9`	`}`
`10`	`10`	`}`