sbom.py writes Windows SBOM files beside each artifact using the full artifact
filename plus .spdx.json. For example:
python-3.14.0-amd64.exe.spdx.json
windows-release/merge-and-upload.py currently searches with
Path.with_suffix(".spdx.json"), which maps that artifact to:
python-3.14.0-amd64.spdx.json
As a result, the upload step can skip the SBOM file that was generated for the
artifact.
Expected behavior
The Windows upload step should look for <artifact>.spdx.json and upload that
file next to the artifact.
sbom.pywrites Windows SBOM files beside each artifact using the full artifactfilename plus
.spdx.json. For example:windows-release/merge-and-upload.pycurrently searches withPath.with_suffix(".spdx.json"), which maps that artifact to:As a result, the upload step can skip the SBOM file that was generated for the
artifact.
Expected behavior
The Windows upload step should look for
<artifact>.spdx.jsonand upload thatfile next to the artifact.