Fix all security issues found with zizmor

Author: Ickerday

.github/actions/run-appinspect/action.yml

@@ -1,12 +1,6 @@
 name: Run Splunk AppInspect
 description: Package a mock app containing the SDK and its dependencies, then validate it with AppInspect.
 
-inputs:
-  mock-app-path:
-    description: Path to app packaged for scanning with AppInspect
-    required: true
-    default: ./tests/system/test_apps/generating_app
-
 runs:
   using: composite
   steps:
@@ -16,13 +10,13 @@ runs:
     - name: Install the SDK and its dependencies into the mock app
       shell: bash
       run: |
-        mkdir -p ${{ inputs.mock-app-path }}/bin/lib
-        uv pip install ".[openai, anthropic, google]" --target ${{ inputs.mock-app-path }}/bin/lib
+        mkdir -p ./tests/system/test_apps/generating_app/bin/lib
+        uv pip install ".[openai, anthropic, google]" --target ./tests/system/test_apps/generating_app/bin/lib
     - name: Package the mock app
       shell: bash
       run: |
-        cd ${{ inputs.mock-app-path }}
+        cd ./tests/system/test_apps/generating_app
         tar -czf mock_app.tgz --exclude="__pycache__" bin default metadata
     - name: Validate the mock app with AppInspect
       shell: bash
-      run: uvx splunk-appinspect inspect ${{ inputs.mock-app-path }}/mock_app.tgz --included-tags cloud
+      run: uvx splunk-appinspect inspect ./tests/system/test_apps/generating_app/mock_app.tgz --included-tags cloud

.github/actions/setup-sdk-environment/action.yml

@@ -2,10 +2,6 @@ name: Set up SDK environment
 description: Perform all the shared setup steps
 
 inputs:
-  python-version:
-    description: Python version used for this run
-    required: true
-    default: "3.13"
   deps-group:
     description: Dependency groups passed to `uv sync --group`
     required: true
@@ -17,12 +13,12 @@ runs:
     - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57
       with:
         version: 0.11.6
-        python-version: ${{ inputs.python-version }}
+        python-version: 3.13
         activate-environment: true
         enable-cache: true
         cache-python: true
     - name: Install dependencies from the ${{ inputs.deps-group }} group
       env:
         SDK_DEPS_GROUP: ${{ inputs.deps-group }}
       shell: bash
-      run: SDK_DEPS_GROUP="${{ inputs.deps-group }}" make ci-install
+      run: make ci-install

.github/dependabot.yaml

@@ -8,10 +8,14 @@ updates:
     groups:
       github-actions:
         patterns: ["*"]
+    cooldown:
+      default-days: 7
   - package-ecosystem: "uv"
     directory: "/"
     schedule:
       interval: "weekly"
     groups:
       python-uv-lock:
         patterns: ["*"]
+    cooldown:
+      default-days: 7

.github/workflows/appinspect.yml

@@ -1,11 +1,18 @@
 name: Validate SDK with Splunk AppInspect
 on: [push, workflow_dispatch]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
 env:
   PYTHON_VERSION: 3.13
 
 jobs:
   appinspect:
+    name: AppInspect
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

.github/workflows/cd.yml

@@ -6,11 +6,18 @@ on:
     types: [published]
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: false
+
+permissions: {}
+
 env:
   DIST_DIR: dist/
 
 jobs:
   build-distributables:
+    name: Build distributables
     # Why building is separate from publishing:
     # https://github.com/pypa/gh-action-pypi-publish/issues/217#issuecomment-1965727093
     runs-on: ubuntu-latest
@@ -26,15 +33,17 @@ jobs:
           deps-group: release
       - name: Set pre-release version
         if: startsWith(github.ref, 'refs/tags/') != true
+        env:
+          RUN_NUMBER: ${{ github.run_number }}
         run: |
           VERSION_BASE="$(uv version --short)"
-          RUN_NUMBER="${{ github.run_number }}"
           uv version "${VERSION_BASE}.dev${RUN_NUMBER}"
       - name: Set release version
         if: startsWith(github.ref, 'refs/tags/') == true
+        env:
+          VERSION_TAG: ${{ github.event.release.tag_name }}
         run: |
-          VERSION_TAG="${{ github.event.release.tag_name }}"
-          [[ $VERSION_TAG != $(uv version --short) ]] && {
+          [[ ${VERSION_TAG} != $(uv version --short) ]] && {
             printf "Git tag should be identical to version field in pyproject.toml"
             exit 1
           }
@@ -60,11 +69,12 @@ jobs:
           path: docs/_build/html
 
   publish-pre-release:
+    name: Publish pre-release to Test PyPI
     if: startsWith(github.ref, 'refs/tags/') == false
     needs: build-distributables
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
+      id-token: write # Required for OIDC-based trusted publishing to PyPI
     environment:
       name: splunk-test-pypi
       url: https://test.pypi.org/project/splunk-sdk/
@@ -80,11 +90,12 @@ jobs:
           repository-url: https://test.pypi.org/legacy/
 
   publish-release:
+    name: Publish release to PyPI
     if: startsWith(github.ref, 'refs/tags/') == true
     needs: build-distributables
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
+      id-token: write # Required for OIDC-based trusted publishing to PyPI
     environment:
       name: splunk-pypi
       url: https://pypi.org/project/splunk-sdk/

.github/workflows/lint.yml

@@ -1,8 +1,15 @@
 name: Python SDK Lint
 on: [push, workflow_dispatch]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
 jobs:
   lint:
+    name: Lint
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

.github/workflows/test.yml

@@ -5,8 +5,11 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   test:
+    name: Test
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -26,7 +29,9 @@ jobs:
           SPLUNKBASE_PASSWORD: ${{ secrets.SPLUNKBASE_PASSWORD }}
         run: uv run ./scripts/download_splunk_mcp_server_app.py
       - name: Launch Splunk Docker instance
-        run: SPLUNK_VERSION=${{ matrix.splunk-version }} docker compose up -d
+        env:
+          SPLUNK_VERSION: ${{ matrix.splunk-version }}
+        run: docker compose up -d
       - name: Set up .env
         run: cp .env.template .env
       - name: Write internal AI secrets to .env