Add SBOMs generation for Windows artifacts

[sethmlarson]

Moved the branch to this repo to allow testing before merging in Azure Pipelines. Requires python/cpython#115789 to be checked in to work.

[zooba]

I'm confident enough we need the & in there that I'll wait for that change before running another build.

You're using gci fine, btw (it's short for Get-ChildItem which is also aliased as dir and ls, because who needs only one way to do things...)

[zooba]

New test build running at https://dev.azure.com/Python/cpython/_build/results?buildId=152746&view=results

[sethmlarson]

@zooba Thanks for the run, the joys of developing CI workflow definitions continues :)

[zooba]

Looking at the most recent failure, it seems you probably want $(Build.SourceBranchName) rather than $(Build.SourceBranch). (I really wish Git had a better way to just clone a single known commit, but apparently not...)

[sethmlarson]

The SBOM artifacts are getting uploaded into the sbom artifact name as expected: https://dev.azure.com/Python/cpython/_build/results?buildId=152774&view=artifacts&pathAsName=false&type=publishedArtifacts

I downloaded them all and gave them a look, they contain the components I expect and SBOM tooling accepts them. This PR can be ready to go as-is or we could also add the "upload" step in this PR too.

[zooba]

I think we should just be able to add a *.spdx.json wildcard to $exe in uploadrelease.ps1 to pick up the SBOMs, right? Or maybe add a new parameter like $embed to specify the directory, to save copying them into the main directory.

TBH, I don't love the whole upload script, I just haven't looked at it in years (and it was written for a local build, which doesn't look like the automated one). Take a look and see whether you have a desperate desire to rewrite it, in which case we can do a new PR, or if you can easily hack it in then we can do it now.