docs: update PROVENANCE.md for GitHub artifact attestations#21

Merged
keelerm84 merged 2 commits into main from devin/1775079854-update-provenance-docs on Apr 2, 2026

Conversation

@keelerm84 keelerm84 commented Apr 1, 2026

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

N/A — documentation-only change.

Related issues

Companion to PR #19 / #20 which migrated the release workflow from slsa-framework/slsa-github-generator to actions/attest@v4.

Describe the solution you've provided

Updates PROVENANCE.md to reflect the migration from SLSA provenance to GitHub artifact attestations. The old instructions used slsa-verifier against a .intoto.jsonl file downloaded from the GitHub release assets. The new instructions use gh attestation verify, which queries GitHub's attestation API directly — no separate provenance file download is needed.

Key changes:

  • Replaced all SLSA framework references with GitHub artifact attestation references
  • Replaced slsa-verifier verify-artifact with gh attestation verify ... -R launchdarkly/openfeature-ruby-server
  • Removed the curl step to download .intoto.jsonl (attestations are now stored in GitHub's API, not as release assets)
  • Updated sample output to match gh attestation verify format
  • Updated external doc links to point to GitHub's attestation docs

Describe alternatives you've considered

Could have kept the SLSA verifier instructions alongside the new ones for backward compatibility with older releases, but since the workflow has already been migrated, only the new instructions are relevant going forward.

Additional context

Items for reviewer attention

  1. Sample output is representative, not captured from an actual run — since no release has been made with actions/attest yet in this repo, the gh attestation verify output shown is based on the documented format. Verify it matches reality after the first attested release.
  2. gh attestation verify command syntax — confirm -R launchdarkly/openfeature-ruby-server is the correct owner/repo format per the GitHub CLI attestation docs.

Link to Devin session: https://app.devin.ai/sessions/7d5bda4d9dbe4ae0b950b30a50485e60
Requested by: @keelerm84


Note

Low Risk
Documentation-only change updating provenance verification guidance; no runtime code or release logic is modified.

Overview
Updates PROVENANCE.md to reflect a migration from SLSA .intoto.jsonl release-asset provenance to GitHub artifact attestations.

Replaces the slsa-verifier + curl download flow with gh attestation verify against GitHub’s attestation API, and refreshes the example output and external links accordingly.

Written by Cursor Bugbot for commit 522a33b. This will update automatically on new commits.
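The PR body describes the new verification flow (download the release artifact, run `gh attestation verify` pinned to the repository, no separate provenance file) and asks the reviewer to confirm the `-R <owner>/<repo>` form. The script below is an added example written for this page; it is not the project's PROVENANCE.md, not code from the PR, and not captured output. Per the GitHub CLI docs, `-R/--repo` takes `<owner>/<repo>`, and `--signer-workflow` and `--deny-self-hosted-runners` are existing `gh attestation verify` flags; the workflow path `.github/workflows/release.yml` and the artifact filename are placeholders that must be checked against the repository's actual release workflow before anyone pins to them. The practical point it adds is that pinning only the repository accepts an attestation from any workflow in that repository, so a consumer should also pin the signing workflow, and the wrapper should fail closed (missing file, missing `gh`, non-zero exit) rather than fall through to an install.

```shell
#!/usr/bin/env sh
# Added example for this page; not the project's own verification script.
# Verifies a downloaded release artifact against GitHub artifact attestations
# with `gh attestation verify`, failing closed on every error path.

# Assumption: repository in <owner>/<repo> form, as `-R/--repo` expects.
REPO="${REPO:-launchdarkly/openfeature-ruby-server}"
# Assumption: the release workflow path. Confirm against the repo before pinning;
# pinning the signer workflow stops attestations from other workflows (e.g. a
# PR workflow) in the same repo from satisfying verification.
SIGNER_WORKFLOW="${SIGNER_WORKFLOW:-${REPO}/.github/workflows/release.yml}"

# Render the exact gh invocation as one line so it can be logged or reviewed.
verify_cmd() {
  printf 'gh attestation verify %s -R %s --signer-workflow %s --deny-self-hosted-runners\n' \
    "$1" "$REPO" "$SIGNER_WORKFLOW"
}

# Local digest of the artifact, for cross-checking against the subject digest
# that gh prints. Uses whichever sha256 tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Returns 0 only when gh reports a valid attestation for this file.
# 2: artifact missing, 3: gh CLI missing, otherwise gh's own exit status.
verify_artifact() {
  file="$1"
  if [ ! -f "$file" ]; then
    echo "missing artifact: $file" >&2
    return 2
  fi
  if ! command -v gh >/dev/null 2>&1; then
    echo "gh CLI not installed; refusing to skip verification" >&2
    return 3
  fi
  echo "sha256 $(sha256_of "$file")  $file" >&2
  # Queries GitHub's attestation API; no .intoto.jsonl download is involved.
  gh attestation verify "$file" -R "$REPO" \
    --signer-workflow "$SIGNER_WORKFLOW" \
    --deny-self-hosted-runners
}

# Usage: verify_then_install <path/to/artifact.gem>
# Installs only after verification succeeds; any failure aborts with gh's output.
verify_then_install() {
  verify_artifact "$1" || return $?
  gem install --local "$1"
}
```

Run it as `verify_then_install openfeature-ruby-server-<version>.gem` after downloading the gem from the GitHub release (the filename is an assumption; use whatever the release publishes). For air-gapped hosts, `gh attestation download` can fetch the bundle on a connected machine and `gh attestation verify --bundle <file>` consumes it offline; the same repository and signer-workflow pins apply.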

@keelerm84 keelerm84 requested a review from a team as a code owner April 1, 2026 21:45
@devin-ai-integration
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@keelerm84 keelerm84 merged commit 314f11e into main Apr 2, 2026
5 checks passed
@keelerm84 keelerm84 deleted the devin/1775079854-update-provenance-docs branch April 2, 2026 16:31