Skip to content

Add SBOMs generation for Windows artifacts#100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sethmlarson merged 11 commits into from
Apr 10, 2024
Merged

Add SBOMs generation for Windows artifacts #100

sethmlarson merged 11 commits into from
Apr 10, 2024

Conversation

@sethmlarson
Copy link
Collaborator

@sethmlarsonsethmlarson commented Feb 23, 2024

Moved the branch to this repo to allow testing before merging in Azure Pipelines. Requires python/cpython#115789 to be checked in to work.

@sethmlarsonsethmlarson changed the title Add SBOMs generation for Windows artifacts #99 Add SBOMs generation for Windows artifactsFeb 23, 2024
@sethmlarsonsethmlarson mentioned this pull request Feb 23, 2024
Closed
@sethmlarsonsethmlarson marked this pull request as ready for review February 23, 2024 22:02
zooba
zooba reviewed Apr 3, 2024
View reviewed changes
zooba
zooba reviewed Apr 5, 2024
View reviewed changes
Copy link
Member

@zoobazooba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm confident enough we need the & in there that I'll wait for that change before running another build.

You're using gci fine, btw (it's short for Get-ChildItem which is also aliased as dir and ls, because who needs only one way to do things...)

@sethmlarsonsethmlarson requested a review from zoobaApril 5, 2024 14:00
@zooba
Copy link
Member

zooba commented Apr 8, 2024

New test build running at https://dev.azure.com/Python/cpython/_build/results?buildId=152746&view=results

zooba
zooba reviewed Apr 8, 2024
View reviewed changes
@sethmlarsonsethmlarson requested a review from zoobaApril 8, 2024 17:42
@sethmlarson
Copy link
CollaboratorAuthor

sethmlarson commented Apr 8, 2024
edited
Loading

@zooba Thanks for the run, the joys of developing CI workflow definitions continues :)

zooba
zooba reviewed Apr 8, 2024
View reviewed changes
@zooba
Copy link
Member

zooba commented Apr 8, 2024

Looking at the most recent failure, it seems you probably want $(Build.SourceBranchName) rather than $(Build.SourceBranch). (I really wish Git had a better way to just clone a single known commit, but apparently not...)

@sethmlarson
Copy link
CollaboratorAuthor

sethmlarson commented Apr 9, 2024

The SBOM artifacts are getting uploaded into the sbom artifact name as expected: https://dev.azure.com/Python/cpython/_build/results?buildId=152774&view=artifacts&pathAsName=false&type=publishedArtifacts

I downloaded them all and gave them a look, they contain the components I expect and SBOM tooling accepts them. This PR can be ready to go as-is or we could also add the "upload" step in this PR too.

@sethmlarsonsethmlarson requested a review from zoobaApril 9, 2024 22:14
zooba
zooba approved these changes Apr 9, 2024
View reviewed changes
Copy link
Member

@zoobazooba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should just be able to add a *.spdx.json wildcard to $exe in uploadrelease.ps1 to pick up the SBOMs, right? Or maybe add a new parameter like $embed to specify the directory, to save copying them into the main directory.

TBH, I don't love the whole upload script, I just haven't looked at it in years (and it was written for a local build, which doesn't look like the automated one). Take a look and see whether you have a desperate desire to rewrite it, in which case we can do a new PR, or if you can easily hack it in then we can do it now.

@sethmlarsonsethmlarson merged commit e945180 into masterApr 10, 2024
@sethmlarsonsethmlarson deleted the windows-externals branch April 10, 2024 15:16
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zoobazoobazooba approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sethmlarson@zooba