diff --git a/.github/actions/run-appinspect/action.yml b/.github/actions/run-appinspect/action.yml index 51147a6c..60b2713e 100644 --- a/.github/actions/run-appinspect/action.yml +++ b/.github/actions/run-appinspect/action.yml @@ -1,12 +1,6 @@ name: Run Splunk AppInspect description: Package a mock app containing the SDK and its dependencies, then validate it with AppInspect. -inputs: - mock-app-path: - description: Path to app packaged for scanning with AppInspect - required: true - default: ./tests/system/test_apps/generating_app - runs: using: composite steps: @@ -16,13 +10,13 @@ runs: - name: Install the SDK and its dependencies into the mock app shell: bash run: | - mkdir -p ${{ inputs.mock-app-path }}/bin/lib - uv pip install ".[openai, anthropic, google]" --target ${{ inputs.mock-app-path }}/bin/lib + mkdir -p ./tests/system/test_apps/generating_app/bin/lib + uv pip install ".[openai, anthropic, google]" --target ./tests/system/test_apps/generating_app/bin/lib - name: Package the mock app shell: bash run: | - cd ${{ inputs.mock-app-path }} + cd ./tests/system/test_apps/generating_app tar -czf mock_app.tgz --exclude="__pycache__" bin default metadata - name: Validate the mock app with AppInspect shell: bash - run: uvx splunk-appinspect inspect ${{ inputs.mock-app-path }}/mock_app.tgz --included-tags cloud + run: uvx splunk-appinspect inspect ./tests/system/test_apps/generating_app/mock_app.tgz --included-tags cloud diff --git a/.github/actions/setup-sdk-environment/action.yml b/.github/actions/setup-sdk-environment/action.yml index 04c7c1ba..30d8df44 100644 --- a/.github/actions/setup-sdk-environment/action.yml +++ b/.github/actions/setup-sdk-environment/action.yml @@ -2,10 +2,6 @@ name: Set up SDK environment description: Perform all the shared setup steps inputs: - python-version: - description: Python version used for this run - required: true - default: "3.13" deps-group: description: Dependency groups passed to `uv sync --group` required: true 
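Review bot: The fixed path `./tests/system/test_apps/generating_app` is now spelled out four times across the three `run:` steps in this hunk, so the steps can drift apart on the next edit. Taking `${{ inputs.mock-app-path }}` out of the shell text is the right fix for template expansion inside `run:`, but binding the value once per step gives the same protection: `env:` with `MOCK_APP_PATH: ./tests/system/test_apps/generating_app`, then `"${MOCK_APP_PATH}"` quoted in the commands. That form would also have let the input stay (`MOCK_APP_PATH: ${{ inputs.mock-app-path }}`). Any caller that still passes `mock-app-path` is outside this diff and should be checked, since the value is now ignored.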
@@ -17,7 +13,7 @@ runs: - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 with: version: 0.11.6 - python-version: ${{ inputs.python-version }} + python-version: 3.13 activate-environment: true enable-cache: true cache-python: true @@ -25,4 +21,4 @@ runs: env: SDK_DEPS_GROUP: ${{ inputs.deps-group }} shell: bash - run: SDK_DEPS_GROUP="${{ inputs.deps-group }}" make ci-install + run: make ci-install diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index bcae6e51..c3e7cb1d 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -8,6 +8,8 @@ updates: groups: github-actions: patterns: ["*"] + cooldown: + default-days: 7 - package-ecosystem: "uv" directory: "/" schedule: @@ -15,3 +17,5 @@ updates: groups: python-uv-lock: patterns: ["*"] + cooldown: + default-days: 7 diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml index 02832e93..64e6e090 100644 --- a/.github/workflows/appinspect.yml +++ b/.github/workflows/appinspect.yml @@ -1,11 +1,18 @@ name: Validate SDK with Splunk AppInspect on: [push, workflow_dispatch] +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: {} + env: PYTHON_VERSION: 3.13 jobs: appinspect: + name: AppInspect runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index f1b18bc8..0ee168d3 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml 
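Review bot: `python-version: 3.13` is an unquoted scalar that a YAML parser reads as a float, whereas the removed input default was the string `"3.13"`. Write `python-version: "3.13"` so that a later edit to a value such as 3.10 does not silently become 3.1. The `PYTHON_VERSION: 3.13` context line in appinspect.yml has the same shape, and may no longer be consumed now that the input is gone; its use is not visible in this diff. Workflows that still pass `python-version` to this action would have the value ignored.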
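Review bot: `permissions: {}` at workflow level leaves the `appinspect` job with a token that has no scopes, and the hunk adds no job-level `permissions:` block next to the new `name:`. The job's first visible step is `actions/checkout`, which needs `contents: read` on a private or internal repository; on a public repository it normally works without it, so this may be intentional. Stating the grant on the job, `permissions:` with `contents: read`, makes the requirement explicit and keeps the workflow working if repository visibility changes. The same applies to the `permissions: {}` hunks in cd.yml (`build-distributables`), lint.yml and test.yml; those job bodies continue outside the hunks.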
@@ -6,11 +6,18 @@ on: types: [published] workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: false + +permissions: {} + env: DIST_DIR: dist/ jobs: build-distributables: + name: Build distributables # Why building is separate from publishing: # https://github.com/pypa/gh-action-pypi-publish/issues/217#issuecomment-1965727093 runs-on: ubuntu-latest @@ -26,15 +33,17 @@ jobs: deps-group: release - name: Set pre-release version if: startsWith(github.ref, 'refs/tags/') != true + env: + RUN_NUMBER: ${{ github.run_number }} run: | VERSION_BASE="$(uv version --short)" - RUN_NUMBER="${{ github.run_number }}" uv version "${VERSION_BASE}.dev${RUN_NUMBER}" - name: Set release version if: startsWith(github.ref, 'refs/tags/') == true + env: + VERSION_TAG: ${{ github.event.release.tag_name }} run: | - VERSION_TAG="${{ github.event.release.tag_name }}" - [[ $VERSION_TAG != $(uv version --short) ]] && { + [[ ${VERSION_TAG} != $(uv version --short) ]] && { printf "Git tag should be identical to version field in pyproject.toml" exit 1 } @@ -60,11 +69,12 @@ jobs: path: docs/_build/html publish-pre-release: + name: Publish pre-release to Test PyPI if: startsWith(github.ref, 'refs/tags/') == false needs: build-distributables runs-on: ubuntu-latest permissions: - id-token: write + id-token: write # Required for OIDC-based trusted publishing to PyPI environment: name: splunk-test-pypi url: https://test.pypi.org/project/splunk-sdk/ @@ -80,11 +90,12 @@ jobs: repository-url: https://test.pypi.org/legacy/ publish-release: + name: Publish release to PyPI if: startsWith(github.ref, 'refs/tags/') == true needs: build-distributables runs-on: ubuntu-latest permissions: - id-token: write + id-token: write # Required for OIDC-based trusted publishing to PyPI environment: name: splunk-pypi url: https://pypi.org/project/splunk-sdk/ 
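Review bot: In the `Set release version` step the right-hand side of `!=` is unquoted, so inside `[[ ]]` bash treats the output of `uv version --short` as a glob pattern rather than a literal string. Quote both sides, `[[ "${VERSION_TAG}" != "$(uv version --short)" ]]`, or use `if [[ ... ]]; then ... fi`, which also avoids the non-zero status the `[[ ... ]] && { ... }` form leaves behind when the versions match. Moving `github.event.release.tag_name` and `github.run_number` into `env:` is the right shape. `VERSION_TAG` is empty when the workflow is started by `workflow_dispatch` on a tag ref, because there is no release payload; the step then fails closed, but with a misleading mismatch message. The rest of the step is outside the hunk.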
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 160dbaf6..5805bb4b 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,8 +1,15 @@ name: Python SDK Lint on: [push, workflow_dispatch] +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: {} + jobs: lint: + name: Lint runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e5c0b8f1..bd47bad6 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -5,8 +5,11 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: {} + jobs: test: + name: Test runs-on: ubuntu-latest strategy: matrix: @@ -26,7 +29,9 @@ jobs: SPLUNKBASE_PASSWORD: ${{ secrets.SPLUNKBASE_PASSWORD }} run: uv run ./scripts/download_splunk_mcp_server_app.py - name: Launch Splunk Docker instance - run: SPLUNK_VERSION=${{ matrix.splunk-version }} docker compose up -d + env: + SPLUNK_VERSION: ${{ matrix.splunk-version }} + run: docker compose up -d - name: Set up .env run: cp .env.template .env - name: Write internal AI secrets to .env diff --git a/Makefile b/Makefile index 56b0b26b..1bae9a40 100644 --- a/Makefile +++ b/Makefile @@ -22,7 +22,11 @@ ci-install: UV_RUN_CMD := uv run --frozen --no-config .PHONY: lint -lint: lint-python # TODO: Add mbake +lint: lint-python lint-gh-actions # TODO: Add mbake + +.PHONY: lint-gh-actions +lint-gh-actions: + $(UV_RUN_CMD) zizmor --pedantic --collect=all --strict-collection . .PHONY: lint-python lint-python: 
@@ -32,7 +36,11 @@ lint-python: UV_RUN_CMD := uv run --frozen --no-config .PHONY: ci-lint -ci-lint: ci-lint-python # TODO: Add mbake +ci-lint: ci-lint-python ci-lint-gh-actions # TODO: Add mbake + +.PHONY: ci-lint-gh-actions +ci-lint-gh-actions: + $(UV_RUN_CMD) zizmor --pedantic --collect=all --strict-collection --fix . .PHONY: ci-lint-python ci-lint-python: diff --git a/pyproject.toml b/pyproject.toml index 65f43caf..2474d70e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -53,7 +53,12 @@ test = [ "vcrpy>=8.1.1", ] release = ["build>=1.5.0", "jinja2>=3.1.6", "sphinx>=9.1.0", "twine>=6.2.0"] -lint = ["basedpyright>=1.39.4", "ruff>=0.15.12", "mbake>=1.4.6"] +lint = [ + "basedpyright>=1.39.4", + "ruff>=0.15.12", + "mbake>=1.4.6", + "zizmor==1.24.1", +] dev = [ "rich>=15.0.0", { include-group = "test" }, diff --git a/uv.lock b/uv.lock index 389a6526..5edccd1b 100644 --- a/uv.lock +++ b/uv.lock @@ -1829,11 +1829,13 @@ dev = [ { name = "splunk-sdk", extra = ["anthropic", "google", "openai"] }, { name = "twine" }, { name = "vcrpy" }, + { name = "zizmor" }, ] lint = [ { name = "basedpyright" }, { name = "mbake" }, { name = "ruff" }, + { name = "zizmor" }, ] release = [ { name = "build" }, @@ -1883,11 +1885,13 @@ dev = [ { name = "splunk-sdk", extras = ["openai", "anthropic", "google"], specifier = ">=2.1.1" }, { name = "twine", specifier = ">=6.2.0" }, { name = "vcrpy", specifier = ">=8.1.1" }, + { name = "zizmor", specifier = "==1.24.1" }, ] lint = [ { name = "basedpyright", specifier = ">=1.39.4" }, { name = "mbake", specifier = ">=1.4.6" }, { name = "ruff", specifier = ">=0.15.12" }, + { name = "zizmor", specifier = "==1.24.1" }, ] release = [ { name = "build", specifier = ">=1.5.0" }, 
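Review bot: `ci-lint-gh-actions` passes `--fix` to zizmor while the local `lint-gh-actions` target in the previous hunk does not, which looks inverted for a CI gate. In CI the rewritten workflow files exist only in the runner's checkout and are discarded. Confirm that zizmor still exits non-zero for findings it has auto-fixed; otherwise the job can pass on a tree that was never committed in its fixed state. If the intent is check-only in CI and auto-fix locally, use `$(UV_RUN_CMD) zizmor --pedantic --collect=all --strict-collection .` in `ci-lint-gh-actions` and move `--fix` to `lint-gh-actions`. The `ci-lint-python` recipe that would show the project's convention is outside the hunk.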
@@ -2328,6 +2332,24 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/74/35/698e7e3ff38e22992ea24870a511d8762474fb6783627a2910ff22a185c2/xxhash-3.7.0-cp314-cp314t-win_arm64.whl", hash = "sha256:468f0fc114faaa4b36699f8e328bbc3bb11dc418ba94ac52c26dd736d4b6c637", size = 28807, upload-time = "2026-04-25T11:09:11.234Z" }, ] +[[package]] +name = "zizmor" +version = "1.24.1" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/27/98/21be481ab5c08d976e59409828cfcb460a32a737415cf4e9c3f3280acc0b/zizmor-1.24.1.tar.gz", hash = "sha256:54ebb7a7061ebaa3a373126dcbafe970c9228fe274cfc40776a9714d2095b5e6", size = 501427, upload-time = "2026-04-13T18:01:34.666Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/6a/0d/c932a14dfe7d3fed5dbf26a7bf1b7b9dbf277cef1d0b76fbcddae386442d/zizmor-1.24.1-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:fd7c4953aa438aae599db69ed70ac687995e9e3314208bf1be5336479d556c8e", size = 9123014, upload-time = "2026-04-13T18:01:28.834Z" }, + { url = "https://files.pythonhosted.org/packages/5c/cc/f87ff2ccb9c57f4a1e5e9bd0351f9c84dc724fbd61b8ef70bc7e8abc1e0e/zizmor-1.24.1-py3-none-macosx_11_0_arm64.whl", hash = "sha256:f44379019188b1a18d560614ab8abac7ce10553ad2ab57d519fa1c214881ff95", size = 8664275, upload-time = "2026-04-13T18:01:24.588Z" }, + { url = "https://files.pythonhosted.org/packages/d2/64/1dfa166dea03ddff23ee3d6c6ebce8322766f7188e008aa0d3612af3e709/zizmor-1.24.1-py3-none-manylinux_2_24_aarch64.whl", hash = "sha256:9b0689c55854edb0f3e6430321a93ca0081d8e34028cdcb47b9504f8a8559c27", size = 8837100, upload-time = "2026-04-13T18:01:18.708Z" }, + { url = "https://files.pythonhosted.org/packages/65/67/cc411d605fec63b70558d572eb3fc2dbe4e596753e747b74daf5b795c1ed/zizmor-1.24.1-py3-none-manylinux_2_28_armv7l.whl", hash = "sha256:61f39674d5ea29640c4b09f3c239b3c9824c646bc790fa3680022e7bb569b375", size = 8430633, upload-time = "2026-04-13T18:01:20.757Z" }, + { url = 
"https://files.pythonhosted.org/packages/76/86/f8dfffc7a5348c41bc17dea1f1796ac1a56d5e448f26a4193bc65996f571/zizmor-1.24.1-py3-none-manylinux_2_28_x86_64.whl", hash = "sha256:73083efc7a65e5a58f4439dd781cdcb0394b05a3750e664c7f7e414589dc49b1", size = 9263074, upload-time = "2026-04-13T18:01:31.403Z" }, + { url = "https://files.pythonhosted.org/packages/14/62/db19dd027b412e92bbea8bd311b733d7726402ee3c734033c714125348f1/zizmor-1.24.1-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:d36a2ba3b6d839acd4542f1a8f42bc34ff902cbff302cdf7916cb4e49dc8c5cc", size = 8863996, upload-time = "2026-04-13T18:01:35.929Z" }, + { url = "https://files.pythonhosted.org/packages/8d/28/c4f220a14cb100ecc965ea0faed1c1229139861a55e792522274221988b3/zizmor-1.24.1-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:ff5acdd10c66ac27396c0fe14e4604933f6c622ffda38a6aa2857b99c75f5108", size = 8382934, upload-time = "2026-04-13T18:01:27.014Z" }, + { url = "https://files.pythonhosted.org/packages/a1/df/9593e8851424738a3b682be8958abf0e6a2c170e0c880d7b3bfb5d9eaf15/zizmor-1.24.1-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:b2d873816137296ca5633ad240a574ce49374009a39d43f78a1675e2dba1ab52", size = 9352624, upload-time = "2026-04-13T18:01:16.672Z" }, + { url = "https://files.pythonhosted.org/packages/ee/b9/2c4fe526fc02926206903bfc72dbfbc215f01728eccef8135363d57890c9/zizmor-1.24.1-py3-none-win32.whl", hash = "sha256:c87812173fef2a3449d269e50e93b67b2f40826d10464c7add0c0fd7f0523a2c", size = 7496962, upload-time = "2026-04-13T18:01:22.773Z" }, + { url = "https://files.pythonhosted.org/packages/ed/24/710149e5d64d474103165b9eef6f7698827ef2fbb762b034ebc02b11a816/zizmor-1.24.1-py3-none-win_amd64.whl", hash = "sha256:9a0e552bf84f146699a0231dc42cf2cd5cfe140e3f08ff867ac154f62fc1ac2e", size = 8550658, upload-time = "2026-04-13T18:01:33.13Z" }, +] + [[package]] name = "zstandard" version = "0.25.0"