Address review feedback

sethmlarson · sethmlarson · commit 41541f8f6ca3 · 2024-02-23T10:44:25.000-06:00
diff --git a/sbom.py b/sbom.py
@@ -627,12 +627,16 @@ def create_sbom_for_windows_artifact(exe_path):
 
 
 def main() -> None:
-    artifact_path = sys.argv[1]
-    if artifact_path.endswith(".exe"):
-        sbom_data = create_sbom_for_windows_artifact(artifact_path)
-    else:
-        sbom_data = create_sbom_for_source_tarball(artifact_path)
-    print(json.dumps(sbom_data, indent=2, sort_keys=True))
+    artifact_paths = sys.argv[1:]
+    for artifact_path in artifact_paths:
+        if artifact_path.endswith(".exe"):
+            sbom_data = create_sbom_for_windows_artifact(artifact_path)
+        else:
+            sbom_data = create_sbom_for_source_tarball(artifact_path)
+
+        with open(artifact_path + ".spdx.json", mode="w") as f:
+            f.truncate()
+            print(json.dumps(sbom_data, indent=2, sort_keys=True))
 
 
 if __name__ == "__main__":
diff --git a/windows-release/azure-pipelines.yml b/windows-release/azure-pipelines.yml
@@ -224,7 +224,7 @@ stages:
     - ${{ if eq(parameters.DoMSI, 'true') }}:
       - stage: PublishPyDotOrg
         displayName: Publish to python.org
-        dependsOn: ['SBOM', 'Test_MSI', 'Test']
+        dependsOn: ['Test_MSI', 'Test']
         jobs:
         - template: stage-publish-pythonorg.yml
 
diff --git a/windows-release/stage-sbom.yml b/windows-release/stage-sbom.yml
@@ -34,12 +34,19 @@ jobs:
   - powershell: >
       python
       "$(Build.SourcesDirectory)\sbom.py"
-      (gci msi\*\python-*.exe | select -First 1)
+      (gci msi\*\python-*.exe)
     workingDirectory: $(Build.BinariesDirectory)
     displayName: 'Create SBOMs for binaries'
 
-  - task: PublishPipelineArtifact@0
-    displayName: 'Publish artifact: sbom'
+  - task: CopyFiles@2
+    displayName: 'Layout Artifact: sbom'
     inputs:
-      targetPath: '$(Build.BinariesDirectory)\sbom'
-      artifactName: sbom
+      sourceFolder: $(Build.BinariesDirectory)\bin
+      targetFolder: $(Build.ArtifactStagingDirectory)\sbom
+      flatten: true
+      contents: |
+        **\*.spdx.json
+
+  - publish: '$(Build.ArtifactStagingDirectory)\sbom'
+    artifact: sbom
+    displayName: 'Publish artifact: sbom'
