From 77156f597d2202d48e3af21e773fc9277cadb118 Mon Sep 17 00:00:00 2001 From: "mkeeler@launchdarkly.com" Date: Wed, 1 Apr 2026 21:44:51 +0000 Subject: [PATCH 1/2] docs: update PROVENANCE.md for GitHub artifact attestations --- PROVENANCE.md | 31 ++++++++++++------------------- 1 file changed, 12 insertions(+), 19 deletions(-) diff --git a/PROVENANCE.md b/PROVENANCE.md index d3482ae..3684fdf 100644 --- a/PROVENANCE.md +++ b/PROVENANCE.md 
@@ -1,10 +1,10 @@ -## Verifying SDK build provenance with the SLSA framework +## Verifying SDK build provenance with GitHub artifact attestations -LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) (Supply-chain Levels for Software Artifacts) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. +LaunchDarkly uses [GitHub artifact attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. -As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds using [GitHub's generic SLSA3 provenance generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#generation-of-slsa3-provenance-for-arbitrary-projects) for distribution alongside our packages. These attestations are available for download from the GitHub release page for the release version under Assets > `multiple-provenance.intoto.jsonl`. +LaunchDarkly publishes provenance about our SDK package builds using [GitHub's `actions/attest` action](https://github.com/actions/attest). These attestations are stored in GitHub's attestation API and can be verified using the [GitHub CLI](https://cli.github.com/). -To verify SLSA provenance attestations, we recommend using [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Example usage for verifying SDK packages is included below: +To verify build provenance attestations, we recommend using the [GitHub CLI `attestation verify` command](https://cli.github.com/manual/gh_attestation_verify). Example usage for verifying SDK packages is included below: ``` 
@@ -17,27 +17,20 @@ SDK_VERSION=0.1.0 # Download gem $ gem fetch launchdarkly-openfeature-server-sdk -v $SDK_VERSION -# Download provenance from Github release -$ curl --location -O \ - https://github.com/launchdarkly/openfeature-ruby-server/releases/download/${SDK_VERSION}/launchdarkly-openfeature-server-sdk-${SDK_VERSION}.gem.intoto.jsonl - -# Run slsa-verifier to verify provenance against package artifacts -$ slsa-verifier verify-artifact \ ---provenance-path launchdarkly-openfeature-server-sdk-${SDK_VERSION}.gem.intoto.jsonl \ ---source-uri github.com/launchdarkly/openfeature-ruby-server \ -launchdarkly-openfeature-server-sdk-${SDK_VERSION}.gem +# Verify provenance using the GitHub CLI +$ gh attestation verify launchdarkly-openfeature-server-sdk-${SDK_VERSION}.gem -R launchdarkly/openfeature-ruby-server ``` Below is a sample of expected output. ``` -Verified signature against tlog entry index 118580648 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a86b957c02c3834833e7b54e28152fa35cc2a5884994566f7897807c390a9ad83 -Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.10.0" at commit c1b4bd786f6f7b44d46642f901e6ca95ce4bd170 -Verifying artifact launchdarkly-openfeature-server-sdk-0.1.0.gem: PASSED +Loaded digest sha256:... for file://launchdarkly-openfeature-server-sdk-0.1.0.gem +Loaded 1 attestation from GitHub API +✓ Verification succeeded! -PASSED: Verified SLSA provenance +launchdarkly-openfeature-server-sdk-0.1.0.gem was attested by a trusted GitHub Actions workflow ``` -Alternatively, to verify the provenance manually, the SLSA framework specifies [recommendations for verifying build artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) in their documentation. 
+For more information, see [GitHub's documentation on verifying artifact attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli). -**Note:** These instructions do not apply when building our SDKs from source. +**Note:** These instructions do not apply when building our SDKs from source. From 522a33bd61401784cac9b123852e3ab93e9feacf Mon Sep 17 00:00:00 2001 From: "mkeeler@launchdarkly.com" Date: Wed, 1 Apr 2026 21:52:51 +0000 Subject: [PATCH 2/2] docs: use real gh attestation verify output template and --owner flag --- PROVENANCE.md | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/PROVENANCE.md b/PROVENANCE.md index 3684fdf..eba2a98 100644 --- a/PROVENANCE.md +++ b/PROVENANCE.md @@ -18,7 +18,7 @@ SDK_VERSION=0.1.0 $ gem fetch launchdarkly-openfeature-server-sdk -v $SDK_VERSION # Verify provenance using the GitHub CLI -$ gh attestation verify launchdarkly-openfeature-server-sdk-${SDK_VERSION}.gem -R launchdarkly/openfeature-ruby-server +$ gh attestation verify launchdarkly-openfeature-server-sdk-${SDK_VERSION}.gem --owner launchdarkly ``` Below is a sample of expected output. 
@@ -26,11 +26,24 @@ Below is a sample of expected output. ``` Loaded digest sha256:... for file://launchdarkly-openfeature-server-sdk-0.1.0.gem Loaded 1 attestation from GitHub API + +The following policy criteria will be enforced: +- Predicate type must match:................ https://slsa.dev/provenance/v1 +- Source Repository Owner URI must match:... https://github.com/launchdarkly +- Subject Alternative Name must match regex: (?i)^https://github.com/launchdarkly/ +- OIDC Issuer must match:................... https://token.actions.githubusercontent.com + ✓ Verification succeeded! -launchdarkly-openfeature-server-sdk-0.1.0.gem was attested by a trusted GitHub Actions workflow +The following 1 attestation matched the policy criteria + +- Attestation #1 + - Build repo:..... launchdarkly/openfeature-ruby-server + - Build workflow:. .github/workflows/release-please.yml + - Signer repo:.... launchdarkly/openfeature-ruby-server + - Signer workflow: .github/workflows/release-please.yml ``` For more information, see [GitHub's documentation on verifying artifact attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli). -**Note:** These instructions do not apply when building our SDKs from source. +**Note:** These instructions do not apply when building our SDKs from source.
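Review bot: The intro paragraph in the first hunk of PATCH 1/2 (`@@ -1,10 +1,10 @@`) removes every mention of SLSA, yet the attestations being verified still carry the SLSA predicate: the PATCH 2/2 sample output enforces "Predicate type must match: https://slsa.dev/provenance/v1". The sentence that now reads "LaunchDarkly publishes provenance about our SDK package builds using [GitHub's `actions/attest` action]" should say that the attestation is SLSA v1 build provenance in a Sigstore bundle and keep a link to the SLSA provenance spec so a reader knows what the predicate contains; if the release workflow actually uses `actions/attest-build-provenance` (the action that emits that predicate type) rather than the generic `actions/attest`, link that one instead.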
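Review bot: The verify step in the second hunk of PATCH 1/2 (`@@ -17,27 +17,20 @@`) silently assumes an authenticated `gh`: `gh attestation verify` fetches the attestation from the GitHub API and needs a token (`gh auth login` or `GH_TOKEN`), which the old `curl` + `slsa-verifier` flow did not. Add a line saying so before the `$ gh attestation verify ...` command, and, because this hunk also deletes the release-asset download and the link to manual verification, mention the offline path (`gh attestation download <artifact> -R launchdarkly/openfeature-ruby-server` followed by `gh attestation verify <artifact> --bundle <bundle-file> ...`) for users who verify in an air-gapped build. The sample output added here ("was attested by a trusted GitHub Actions workflow") is not what `gh` prints; PATCH 2/2 replaces it, so squash the two commits so the doc never carries an invented transcript.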
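Review bot: Switching from `-R launchdarkly/openfeature-ruby-server` to `--owner launchdarkly` in the first hunk of PATCH 2/2 (`@@ -18,7 +18,7 @@`) weakens the policy that is enforced. The new sample output shows exactly what remains: "Source Repository Owner URI must match: https://github.com/launchdarkly" and a SAN regex of `(?i)^https://github.com/launchdarkly/`, so an attestation for this gem's digest signed by any workflow in any repository under the launchdarkly org would pass. For an artifact consumed by third parties, keep `-R launchdarkly/openfeature-ruby-server` as the documented default and consider pinning the signer as well, e.g. `--signer-workflow launchdarkly/openfeature-ruby-server/.github/workflows/release-please.yml`, which is the workflow the sample output names; if `--owner` is kept on purpose (for instance because the same instructions are copied into other SDK repos), say why in the commit message and in the doc.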
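Review bot: The sample output in the second hunk of PATCH 2/2 (`@@ -26,11 +26,24 @@`) lists `Build repo:..... launchdarkly/openfeature-ruby-server` and `Signer repo:.... launchdarkly/openfeature-ruby-server`, but with the `--owner` command shown above the sample those fields are informational, not enforced. Add a sentence after the code block telling readers to confirm that "Build repo" and "Signer repo" both read `launchdarkly/openfeature-ruby-server` before trusting the gem, since "✓ Verification succeeded!" on its own only proves that some launchdarkly-owned workflow attested the digest. The `Loaded digest sha256:...` line should also be noted as abbreviated so nobody expects a literal `...` in their own output.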