Add SBOMs generation for Windows artifacts #99
Conversation
sethmlarson
changed the title
Best to assume it clones into
I think we get it from ensurepip? The embedded distro does not, as it's not really the point (you'd install packages when you build your app and then redistribute the whole thing ready to go).
Yes, but much easier if you push to the main repo rather than a fork. Then your branch will appear in the dropdown when you go to queue the build. To run from a fork you'd need to change the repo it's associated with, which would upset me because I'm also working in this pipeline at the moment and it would spoil my testing 😆 |
| - powershell: > | ||
| python | ||
| "$(Build.SourcesDirectory)\sbom.py" | ||
| (gci msi\*\python-*.exe | select -First 1) |
There was a problem hiding this comment.
Any reason we wouldn't/shouldn't just do all of them? (Omitting the select -First 1 should pass them all as separate args, and then sys.argv[1:] in Python can get them all.)
| - task: PublishPipelineArtifact@0 | ||
| displayName: 'Publish artifact: sbom' | ||
| inputs: | ||
| targetPath: '$(Build.BinariesDirectory)\sbom' | ||
| artifactName: sbom |
There was a problem hiding this comment.
| - task: PublishPipelineArtifact@0 | |
| displayName: 'Publish artifact: sbom' | |
| inputs: | |
| targetPath: '$(Build.BinariesDirectory)\sbom' | |
| artifactName: sbom | |
| - publish: '$(Build.BinariesDirectory)\sbom' | |
| artifact: sbom | |
| displayName: 'Publish artifact: sbom' |
This is the preferred format for simple cases now (should auto-update when they need to make changes to the publish task).
| @@ -218,7 +224,7 @@ stages: | |||
| - ${{ if eq(parameters.DoMSI, 'true') }}: | |||
| - stage: PublishPyDotOrg | |||
| displayName: Publish to python.org | |||
| dependsOn: ['Test_MSI', 'Test'] | |||
| dependsOn: ['SBOM', 'Test_MSI', 'Test'] | |||
| jobs: | |||
| - template: stage-publish-pythonorg.yml | |||
There was a problem hiding this comment.
I assume we're going to get chances to this template as well to SSH the files up to the server?
There was a problem hiding this comment.
Yeah that's the plan, I might do that in a follow-up PR though. Maybe I'll remove this dependsOn for now.
|
Thanks for the review @zooba, I've closed this PR and created a new one on this repo for easier testing and addressed your comments in the new PR. |
Requires python/cpython#115789 to be checked in to work.
checkout.ymlessentially pull CPython's source code into therelease-toolsdirectory?ensurepipfor the embed artifactsmasterso I can test this code before enabling it for future releases?cc @zooba