refactor: use ProvenanceBundleFilename constant

Replace hardcoded '.provenance.jsonl' strings with exported
ProvenanceBundleFilename constant for consistency and maintainability.

The constant includes the dot prefix as it represents a filename suffix
that gets appended to artifact paths (e.g., artifact.tar.gz + .provenance.jsonl).

This addresses the linter warning about unused provenanceBundleFilename
by renaming and properly using it throughout the codebase.

Co-authored-by: Ona <no-reply@ona.com>

Author: leodido

pkg/leeway/provenance.go

@@ -23,14 +23,15 @@ import (
 )
 
 const (
-	// provenanceBundleFilename is the name of the attestation bundle file
-	// we store in the archived build artefacts.
+	// ProvenanceBundleFilename is the filename suffix for provenance bundles stored alongside artifacts.
+	// Provenance is stored as <artifact>.tar.gz + ProvenanceBundleFilename to keep it separate from the
+	// deterministic artifact tar.gz.
 	//
 	// BEWARE: when you change this value this will break consumers. Existing
 	//		   cached artefacts will not have the new filename which will break
 	//         builds. If you change this value, make sure you introduce a cache-invalidating
 	//         change, e.g. update the provenanceProcessVersion.
-	provenanceBundleFilename = "provenance-bundle.jsonl"
+	ProvenanceBundleFilename = ".provenance.jsonl"
 
 	// provenanceProcessVersion is the version of the provenance generating process.
 	// If provenance is enabled in a workspace, this version becomes part of the manifest,
@@ -76,7 +77,7 @@ func writeProvenance(p *Package, buildctx *buildContext, builddir string, subjec
 
 	// Write provenance alongside artifact: <artifact>.provenance.jsonl
 	// This keeps provenance metadata separate from the artifact for determinism
-	provenancePath := artifactPath + ".provenance.jsonl"
+	provenancePath := artifactPath + ProvenanceBundleFilename
 
 	// Ensure directory exists
 	dir := filepath.Dir(provenancePath)
@@ -155,7 +156,7 @@ func AccessAttestationBundleInCachedArchive(fn string, handler func(bundle io.Re
 		}
 	}()
 
-	provenancePath := fn + ".provenance.jsonl"
+	provenancePath := fn + ProvenanceBundleFilename
 	if !fileExists(provenancePath) {
 		return ErrNoAttestationBundle
 	}

pkg/leeway/provenance_test.go

@@ -24,7 +24,7 @@ func TestAccessAttestationBundleInCachedArchive(t *testing.T) {
 			name: "provenance exists outside tar.gz",
 			setupFunc: func(t *testing.T, dir string) string {
 				artifactPath := filepath.Join(dir, "test.tar.gz")
-				provenancePath := artifactPath + ".provenance.jsonl"
+				provenancePath := artifactPath + leeway.ProvenanceBundleFilename
 
 				// Create empty artifact
 				if err := os.WriteFile(artifactPath, []byte("fake tar.gz"), 0644); err != nil {
@@ -154,7 +154,7 @@ func TestProvenanceNotInTarGz(t *testing.T) {
 func TestProvenanceOutsideTarGz(t *testing.T) {
 	tmpDir := t.TempDir()
 	artifactPath := filepath.Join(tmpDir, "test.tar.gz")
-	provenancePath := artifactPath + ".provenance.jsonl"
+	provenancePath := artifactPath + leeway.ProvenanceBundleFilename
 
 	// Create a simple tar.gz WITHOUT provenance inside
 	f, err := os.Create(artifactPath)
@@ -267,7 +267,7 @@ func TestProvenancePathExtensionHandling(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			// The provenance path is always <artifact>.provenance.jsonl
 			// This is handled by AccessAttestationBundleInCachedArchive
-			expectedPath := tt.artifactPath + ".provenance.jsonl"
+			expectedPath := tt.artifactPath + leeway.ProvenanceBundleFilename
 			if expectedPath != tt.expectedProvPath {
 				t.Errorf("Expected provenance path %q, got %q", tt.expectedProvPath, expectedPath)
 			}
@@ -281,7 +281,7 @@ func TestProvenanceDirectoryCreation(t *testing.T) {
 	// Create nested directory structure
 	nestedDir := filepath.Join(tmpDir, "cache", "subdir", "nested")
 	artifactPath := filepath.Join(nestedDir, "test.tar.gz")
-	provenancePath := artifactPath + ".provenance.jsonl"
+	provenancePath := artifactPath + leeway.ProvenanceBundleFilename
 
 	// Directory doesn't exist yet
 	if _, err := os.Stat(nestedDir); !os.IsNotExist(err) {