docs: reworking provenance documentation after feedback

Author: rsoberano-ld

PROVENANCE.md

@@ -0,0 +1,7 @@
+## Validating SDK packages with the SLSA framework (Supply-chain Levels for Software Artifacts)
+
+LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages.
+
+As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance attestations about our SDK package builds to npm for distribution alongside our packages. 
+
+For npm packages that are published with provenance, npm automatically [validates the authenticity of the package using Sigstore](https://docs.npmjs.com/generating-provenance-statements#about-npm-provenance). 

packages/sdk/akamai-base/README.md

@@ -30,6 +30,10 @@ yarn && yarn build && cd packages/sdk/akamai-base
 yarn test
 ```
 
+## Validating SDK packages with the SLSA framework (Supply-chain Levels for Software Artifacts)
+
+LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. To learn more, see the [provenance guide](PROVENANCE.md). 
+
 ## About LaunchDarkly
 
 - LaunchDarkly is a continuous delivery platform that provides feature flags as a service and allows developers to iterate quickly and safely. We allow you to easily flag your features and manage them from the LaunchDarkly dashboard. With LaunchDarkly, you can:

packages/sdk/akamai-edgekv/README.md

@@ -30,6 +30,10 @@ yarn && yarn build && cd packages/sdk/akamai-edgekv
 yarn test
 ```
 
+## Validating SDK packages with the SLSA framework (Supply-chain Levels for Software Artifacts)
+
+LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. To learn more, see the [provenance guide](PROVENANCE.md). 
+
 ## About LaunchDarkly
 
 - LaunchDarkly is a continuous delivery platform that provides feature flags as a service and allows developers to iterate quickly and safely. We allow you to easily flag your features and manage them from the LaunchDarkly dashboard. With LaunchDarkly, you can:

packages/sdk/cloudflare/README.md

@@ -59,6 +59,10 @@ yarn && yarn build && cd packages/sdk/cloudflare
 yarn test
 ```
 
+## Validating SDK packages with the SLSA framework (Supply-chain Levels for Software Artifacts)
+
+LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. To learn more, see the [provenance guide](PROVENANCE.md). 
+
 ## About LaunchDarkly
 
 - LaunchDarkly is a continuous delivery platform that provides feature flags as a service and allows developers to iterate quickly and safely. We allow you to easily flag your features and manage them from the LaunchDarkly dashboard. With LaunchDarkly, you can:

packages/sdk/react-native/README.md

@@ -98,29 +98,9 @@ echo "MOBILE_KEY=mob-abc" >> packages/sdk/react-native/example/.env
 yarn && yarn ios-go
 ```
 
-## Validating SDK packages with the SLSA framework
-
-LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity of our published SDK packages. As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds to NPM for distribution alongside our packages. 
-
-The SLSA framework specifies some [recommendations for verifying build artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) in their documentation. For npm packages that are published with provenance, npm already [validates the authenticity of the package using Sigstore](https://docs.npmjs.com/generating-provenance-statements#about-npm-provenance). In addition to npm's validation, we recommend the following steps:
-- Ensure that the @launchdarkly/react-native-client-sdk version you're downloading was published with npm-verified provenance  
-  - Check the [versions tab in npm](https://www.npmjs.com/package/@launchdarkly/react-native-client-sdk?activeTab) and ensure the version you're installing has a green checkmark 
-- Use the provenance published in npm to verify the authenticity of the build:
-  - Check the source commit for: 
-    - Source repository is a LaunchDarkly-owned repository
-    - Commit author is a LaunchDarkly entity
-    - (Optional) Code changes in the commit are trustworthy
-  - Check the build file and build summary for:
-    - Build is triggered by a LaunchDarkly-owned repository
-    - Build is executed by a LaunchDarkly-owned Github Actions workflow 
-    - Build steps are trustworthy
-  - Check the public ledger's transparency log entry to ensure the build provenance is authentic:
-    - Signature issuer is Sigstore 
-    - OIDC issuer is `https://token.actions.githubusercontent.com`
-    - GitHub Workflow Repository is a LaunchDarkly-owned repository
-    - GitHub Workflow SHA matches the SHA of the source commit
-
-The recommendations above may be adjusted to fit your organization's needs and supply chain security policies. For additional questions, please contact [[email protected]](mailto:[email protected]).
+## Validating SDK packages with the SLSA framework (Supply-chain Levels for Software Artifacts)
+
+LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. To learn more, see the [provenance guide](PROVENANCE.md). 
 
 ## About LaunchDarkly
 

packages/sdk/server-node/README.md

@@ -36,6 +36,10 @@ We run integration tests for all our SDKs using a centralized test harness. This
 
 We encourage pull requests and other contributions from the community. Check out our [contributing guidelines](CONTRIBUTING.md) for instructions on how to contribute to this SDK.
 
+## Validating SDK packages with the SLSA framework (Supply-chain Levels for Software Artifacts)
+
+LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. To learn more, see the [provenance guide](PROVENANCE.md). 
+
 ## About LaunchDarkly
 
 - LaunchDarkly is a continuous delivery platform that provides feature flags as a service and allows developers to iterate quickly and safely. We allow you to easily flag your features and manage them from the LaunchDarkly dashboard. With LaunchDarkly, you can:

packages/sdk/vercel/README.md

@@ -66,6 +66,10 @@ yarn && yarn build && cd packages/sdk/vercel
 yarn test
 ```
 
+## Validating SDK packages with the SLSA framework (Supply-chain Levels for Software Artifacts)
+
+LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. To learn more, see the [provenance guide](PROVENANCE.md). 
+
 ## About LaunchDarkly
 
 - LaunchDarkly is a continuous delivery platform that provides feature flags as a service and allows developers to iterate quickly and safely. We allow you to easily flag your features and manage them from the LaunchDarkly dashboard. With LaunchDarkly, you can:

packages/shared/common/README.md

@@ -12,6 +12,10 @@ This library is a beta version and should not be considered ready for production
 
 See [Contributing](../CONTRIBUTING.md).
 
+## Validating SDK packages with the SLSA framework (Supply-chain Levels for Software Artifacts)
+
+LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. To learn more, see the [provenance guide](PROVENANCE.md). 
+
 ## About LaunchDarkly
 
 - LaunchDarkly is a continuous delivery platform that provides feature flags as a service and allows developers to iterate quickly and safely. We allow you to easily flag your features and manage them from the LaunchDarkly dashboard. With LaunchDarkly, you can:

packages/shared/sdk-server-edge/README.md

@@ -12,6 +12,10 @@ This library is a beta version and should not be considered ready for production
 
 See [Contributing](../CONTRIBUTING.md).
 
+## Validating SDK packages with the SLSA framework (Supply-chain Levels for Software Artifacts)
+
+LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. To learn more, see the [provenance guide](PROVENANCE.md). 
+
 ## About LaunchDarkly
 
 - LaunchDarkly is a continuous delivery platform that provides feature flags as a service and allows developers to iterate quickly and safely. We allow you to easily flag your features and manage them from the LaunchDarkly dashboard. With LaunchDarkly, you can:

packages/shared/sdk-server/README.md

@@ -10,6 +10,10 @@ This project contains Typescript classes and interfaces that are applicable to s
 
 See [Contributing](../CONTRIBUTING.md).
 
+## Validating SDK packages with the SLSA framework (Supply-chain Levels for Software Artifacts)
+
+LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. To learn more, see the [provenance guide](PROVENANCE.md). 
+
 ## About LaunchDarkly
 
 - LaunchDarkly is a continuous delivery platform that provides feature flags as a service and allows developers to iterate quickly and safely. We allow you to easily flag your features and manage them from the LaunchDarkly dashboard. With LaunchDarkly, you can: