
[discussion] rename provenance-path to attestations-path for all builders

Open laurentsimon opened this issue 1 year ago • 2 comments

See https://github.com/slsa-framework/slsa-verifier/pull/495#discussion_r1122445010

Need to have a list of pros and cons. Please comment.

laurentsimon avatar Mar 02 '23 18:03 laurentsimon

Pros IMO are that "provenance" is very SLSA-build-specific to me: provenance is one type of attestation, referring, I think, specifically to a build process:

Provenance is a claim that some entity (builder) produced one or more software artifacts (Statement’s subject) by executing some recipe, using some other artifacts as input (materials).

Verifying threats that SLSA covers may not just include the build process (although this happens to be the main one). We may want to include more attestations, like:

  • Builder attestations (an attestation that a builder or 3P auditor produces to claim properties)
  • Registry attestations (did the registry attest to the package publish?)
  • Source attestations (what are the properties of the source repository?)

asraa avatar Mar 02 '23 20:03 asraa
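As an added illustration of the distinction drawn in the comment above (provenance being one predicate type among several that an in-toto attestation can carry), here is a small Go program that is not part of slsa-verifier. It parses in-toto Statement payloads and separates SLSA provenance from every other attestation by predicateType, which is exactly the dispatch an "attestations-path" flag would have to do and a "provenance-path" flag could skip by rejecting anything else. The sample payloads are constructed; the builder-attestation predicateType, the builder id and the digests are placeholders, since no such predicate is defined on this page.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Statement models the in-toto Statement that DSSE-wrapped attestations carry
// as their payload; only the fields needed to tell attestation types apart
// are included.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// Subject is one artifact the statement makes claims about.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

const inTotoStatementV01 = "https://in-toto.io/Statement/v0.1"

// provenancePredicates lists the SLSA build-provenance predicate types; any
// other predicateType is some other kind of attestation.
var provenancePredicates = map[string]bool{
	"https://slsa.dev/provenance/v0.2": true,
	"https://slsa.dev/provenance/v1":   true,
}

// ParseStatement decodes one attestation payload and rejects anything that is
// not a well-formed in-toto Statement with a subject and a predicateType.
func ParseStatement(raw []byte) (*Statement, error) {
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("decode statement: %w", err)
	}
	if st.Type != inTotoStatementV01 {
		return nil, fmt.Errorf("unexpected _type %q", st.Type)
	}
	if st.PredicateType == "" {
		return nil, errors.New("missing predicateType")
	}
	if len(st.Subject) == 0 {
		return nil, errors.New("statement has no subject")
	}
	return &st, nil
}

// IsProvenance reports whether a statement is SLSA build provenance.
func IsProvenance(st *Statement) bool {
	return provenancePredicates[st.PredicateType]
}

// Partition splits attestation payloads into build provenance and everything
// else, failing closed on any payload that does not parse. A provenance-only
// verifier would reject the second group outright; a verifier that accepts
// generic "attestations" has to dispatch on predicateType like this.
func Partition(raws [][]byte) (provenance, other []*Statement, err error) {
	for i, raw := range raws {
		st, perr := ParseStatement(raw)
		if perr != nil {
			return nil, nil, fmt.Errorf("attestation %d: %w", i, perr)
		}
		if IsProvenance(st) {
			provenance = append(provenance, st)
		} else {
			other = append(other, st)
		}
	}
	return provenance, other, nil
}

// SampleAttestations are constructed payloads, not real attestations. The
// second uses a made-up predicateType standing in for a "builder attestation";
// digests and builder id are placeholders.
var SampleAttestations = [][]byte{
	[]byte(`{"_type":"https://in-toto.io/Statement/v0.1",
	  "subject":[{"name":"app.tar.gz","digest":{"sha256":"deadbeef"}}],
	  "predicateType":"https://slsa.dev/provenance/v0.2",
	  "predicate":{"builder":{"id":"https://example.com/builder"},"buildType":"https://example.com/build/v1"}}`),
	[]byte(`{"_type":"https://in-toto.io/Statement/v0.1",
	  "subject":[{"name":"https://example.com/builder","digest":{"sha256":"cafef00d"}}],
	  "predicateType":"https://example.com/builder-attestation/v1",
	  "predicate":{"audited":true}}`),
}

// BadAttestation is a constructed payload with the wrong _type; Partition
// must refuse the whole set rather than silently skip it.
var BadAttestation = []byte(`{"_type":"https://example.com/not-a-statement",
  "subject":[{"name":"x","digest":{"sha256":"00"}}],
  "predicateType":"https://slsa.dev/provenance/v0.2","predicate":{}}`)

func main() {
	prov, other, err := Partition(SampleAttestations)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, st := range prov {
		fmt.Printf("provenance for %s (%s)\n", st.Subject[0].Name, st.PredicateType)
	}
	for _, st := range other {
		fmt.Printf("other attestation about %s (%s)\n", st.Subject[0].Name, st.PredicateType)
	}
}
```

The point the split makes concrete: with a flag named for provenance, the verifier can hard-fail on any predicateType outside `provenancePredicates`; with a flag named for attestations, the non-provenance group is expected input and each predicate type needs its own verification logic.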

We currently support a provenance-name option for our generators. This might end up being confusing, but I don't know the context of why attestation-name was deprecated. Moreover, the generators DO produce provenance specifically, so maybe it's OK.

asraa avatar Mar 02 '23 20:03 asraa