Add SPDX SBOM files to python.org releases

sethmlarson · sethmlarson · commit c94bd5e4b55e · 2024-01-17T16:26:41.000-06:00
diff --git a/add-to-pydotorg.py b/add-to-pydotorg.py
@@ -188,6 +188,9 @@ def build_file_dict(release, rfile, rel_pk, file_desc, os_pk,
     # Upload Sigstore bundle
     if os.path.exists(ftp_root + "%s/%s.sigstore" % (base_version(release), rfile)):
         d["sigstore_bundle_file"] = download_root + '%s/%s.sigstore' % (base_version(release), rfile)
+    # Upload SPDX SBOM file
+    if os.path.exists(ftp_root + "%s/%s.spdx.json" % (base_version(release), rfile)):
+        d["sbom_spdx2_file"] = download_root + '%s/%s.spdx.json' % (base_version(release), rfile)
 
     return d
 
@@ -197,7 +200,7 @@ def list_files(release):
     for rfile in os.listdir(path.join(ftp_root, reldir)):
         if not path.isfile(path.join(ftp_root, reldir, rfile)):
             continue
-        if rfile.endswith(('.asc', '.sig', '.crt', '.sigstore')):
+        if rfile.endswith(('.asc', '.sig', '.crt', '.sigstore', '.spdx.json')):
             continue
         for prefix in ('python', 'Python'):
             if rfile.startswith(prefix):
