Upload Windows SBOMs to python.org (#117)

sethmlarson · web-flow · commit 5a49b0beeae5 · 2024-04-24T23:22:30.000+01:00
diff --git a/windows-release/stage-publish-pythonorg.yml b/windows-release/stage-publish-pythonorg.yml
@@ -57,6 +57,17 @@ jobs:
         buildVersionToDownload: specific
         buildId: ${{ parameters.BuildToPublish }}
 
+    - task: DownloadBuildArtifacts@0
+      displayName: 'Download artifact from ${{ parameters.BuildToPublish }}: sbom'
+      inputs:
+        artifactName: sbom
+        downloadPath: $(Build.BinariesDirectory)\sbom
+        buildType: specific
+        project: $(System.TeamProject)
+        pipeline: $(Build.DefinitionName)
+        buildVersionToDownload: specific
+        buildId: ${{ parameters.BuildToPublish }}
+
   - ${{ else }}:
     - task: DownloadPipelineArtifact@1
       displayName: 'Download artifact: Doc'
@@ -77,6 +88,12 @@ jobs:
         artifactName: embed
         downloadPath: $(Build.BinariesDirectory)
 
+    # Note that sbom is a 'build' artifact, not a 'pipeline' artifact
+    - task: DownloadBuildArtifacts@0
+      displayName: 'Download artifact: sbom'
+      inputs:
+        artifactName: sbom
+        downloadPath: $(Build.BinariesDirectory)\sbom
 
   # Note that ARM64 MSIs are skipped at build when this option is specified
   - powershell: 'gci *embed-arm*.zip | %{ Write-Host "Not publishing: $($_.Name)"; gi $_ } | del'
@@ -133,6 +150,7 @@ jobs:
       -keyfile "$(sshkey.secureFilePath)"
       -doc_htmlhelp doc\htmlhelp
       -embed embed
+      -sbom sbom
     workingDirectory: $(Build.BinariesDirectory)
     condition: and(succeeded(), eq(variables['IsRealSigned'], 'true'))
     displayName: 'Upload files to python.org'
diff --git a/windows-release/uploadrelease.ps1 b/windows-release/uploadrelease.ps1
@@ -30,6 +30,7 @@ param(
     [string]$tests=${env:TEMP},
     [string]$doc_htmlhelp=$null,
     [string]$embed=$null
+    [string]$sbom=$null
 )
 
 if (-not $build) { throw "-build option is required" }
@@ -87,19 +88,28 @@ $dirs = gci "$build" -Directory
 if ($embed) {
     $dirs = ($dirs, (gi $embed)) | %{ $_ }
 }
+if ($sbom) {
+    $dirs = ($dirs, $sbom) | %{ $_ }
+}
 
 foreach ($a in $dirs) {
     "Uploading files from $($a.FullName)"
     pushd "$($a.FullName)"
     $exe = gci *.exe, *.exe.asc, *.zip, *.zip.asc
     $msi = gci *.msi, *.msi.asc, *.msu, *.msu.asc
+    $spdx_json = gci *.spdx.json
     popd
 
     if ($exe) {
         & $pscp -batch -hostkey $hostkey -noagent -i $keyfile $exe.FullName "$user@${server}:$d"
         if (-not $?) { throw "Failed to upload $exe" }
     }
 
+    if ($spdx_json) {
+        & $pscp -batch -hostkey $hostkey -noagent -i $keyfile $spdx_json.FullName "$user@${server}:$d"
+        if (-not $?) { Write-Host "##[warning]Failed to upload $spdx_json" }
+    }
+
     if ($msi) {
         $sd = "$d$($a.Name)$($p[1])/"
         & $plink -batch -hostkey $hostkey -noagent -i $keyfile "$user@$server" mkdir $sd
