From 32dc4d0da53da2b8f05b29c6782fd595b0c1f263 Mon Sep 17 00:00:00 2001
From: Andrew Klatzke
Date: Mon, 18 May 2026 13:14:50 -0800
Subject: [PATCH] chore: (optimization) add provenance file + register with release please
---
 packages/optimization/PROVENANCE.md | 49 +++++++++++++++++++++++++++++
 release-please-config.json | 5 ++-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 packages/optimization/PROVENANCE.md
diff --git a/packages/optimization/PROVENANCE.md b/packages/optimization/PROVENANCE.md
new file mode 100644
index 00000000..9a771f97
--- /dev/null
+++ b/packages/optimization/PROVENANCE.md
@@ -0,0 +1,49 @@
+## Verifying SDK build provenance with GitHub artifact attestations
+
+LaunchDarkly uses [GitHub artifact attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages.
+
+LaunchDarkly publishes provenance about our SDK package builds using [GitHub's `actions/attest` action](https://github.com/actions/attest). These attestations are stored in GitHub's attestation API and can be verified using the [GitHub CLI](https://cli.github.com/).
+
+To verify build provenance attestations, we recommend using the [GitHub CLI `attestation verify` command](https://cli.github.com/manual/gh_attestation_verify). Example usage for verifying SDK packages is included below:
+
+
+```
+# Set the version of the library to verify
+VERSION=0.1.0
+```
+
+
+```
+# Download package from PyPI
+$ pip download --only-binary=:all: launchdarkly-ai-optimizer==${VERSION}
+
+# Verify provenance using the GitHub CLI
+$ gh attestation verify launchdarkly_ai_optimizer-${VERSION}-py3-none-any.whl --owner launchdarkly
+```
+
+Below is a sample of expected output.
+
+```
+Loaded digest sha256:... for file://launchdarkly_ai_optimizer-0.1.0-py3-none-any.whl
+Loaded 1 attestation from GitHub API
+
+The following policy criteria will be enforced:
+- Predicate type must match:................ https://slsa.dev/provenance/v1
+- Source Repository Owner URI must match:... https://github.com/launchdarkly
+- Subject Alternative Name must match regex: (?i)^https://github.com/launchdarkly/
+- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
+
+✓ Verification succeeded!
+
+The following 1 attestation matched the policy criteria
+
+- Attestation #1
+ - Build repo:..... launchdarkly/python-server-sdk-ai
+ - Build workflow:. .github/workflows/release-please.yml
+ - Signer repo:.... launchdarkly/python-server-sdk-ai
+ - Signer workflow: .github/workflows/release-please.yml
+```
+
+For more information, see [GitHub's documentation on verifying artifact attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli).
+
+**Note:** These instructions do not apply when building our libraries from source.
diff --git a/release-please-config.json b/release-please-config.json
index 3cb7adc0..2574d618 100644
--- a/release-please-config.json
+++ b/release-please-config.json
@@ -38,7 +38,10 @@
 "versioning": "default",
 "bump-minor-pre-major": true,
 "include-v-in-tag": false,
- "extra-files": ["src/ldai_optimizer/__init__.py"],
+ "extra-files": [
+ "src/ldai_optimizer/__init__.py",
+ "PROVENANCE.md"
+ ],
 "component": "ldai_optimizer"
 }
 }
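Review bot: The verify step `$ gh attestation verify launchdarkly_ai_optimizer-${VERSION}-py3-none-any.whl --owner launchdarkly` binds the policy only to the organization, and the sample output confirms that the enforced criterion is the "Source Repository Owner URI", so an attestation produced by a workflow in any launchdarkly-owned repository would satisfy this check. Since the expected source is known and printed in the same sample, `--repo launchdarkly/python-server-sdk-ai` scopes the policy to that repository, and `--signer-workflow launchdarkly/python-server-sdk-ai/.github/workflows/release-please.yml` would additionally pin the signing workflow shown in the sample (the flag takes the `OWNER/REPO/PATH` form, if I recall its format correctly; the sample output would need regenerating after the change). Separately, `pip download` without `--no-deps` also fetches the package's dependency wheels into the working directory, and those files are not covered by the single verify call; `$ pip download --no-deps --only-binary=:all: launchdarkly-ai-optimizer==${VERSION}` keeps the example honest about what is actually verified.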
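Review bot: Adding `"PROVENANCE.md"` to `extra-files` will not by itself bump the version strings in that file: release-please's generic updater for unstructured files rewrites only lines carrying an `x-release-please-version` annotation, and the PROVENANCE.md added in this commit has `VERSION=0.1.0` and a `-0.1.0-` wheel name in the sample output with no such marker, so both would stay at 0.1.0 after the next release. Annotating the shell snippet as `VERSION=0.1.0 # x-release-please-version` (a shell comment, so the example still runs as written) is the usual way to make this registration effective; the literal version inside the sample output needs the same marker or wording that does not embed a version. This is from memory of the generic updater's contract, so confirm it against the release-please documentation before relying on the registration.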