Audit GH Workflows with zizmor (#780)

Ickerday · web-flow · commit 79a4e090d627 · 2026-06-18T15:27:06.000+02:00
diff --git a/.github/actions/run-appinspect/action.yml b/.github/actions/run-appinspect/action.yml
@@ -1,28 +1,22 @@
 name: Run Splunk AppInspect
 description: Package a mock app containing the SDK and its dependencies, then validate it with AppInspect.
 
-inputs:
-  mock-app-path:
-    description: Path to app packaged for scanning with AppInspect
-    required: true
-    default: ./tests/system/test_apps/generating_app
-
 runs:
   using: composite
   steps:
     - name: Install AppInspect dependencies
       shell: bash
       run: sudo apt-get install -y libmagic1
-    - name: Install the SDK and its dependencies into the mock app
+    - name: Install the SDK and its dependencies into a mock app
       shell: bash
       run: |
-        mkdir -p ${{ inputs.mock-app-path }}/bin/lib
-        uv pip install ".[openai, anthropic, google]" --target ${{ inputs.mock-app-path }}/bin/lib
+        mkdir -p ./tests/system/test_apps/generating_app/bin/lib
+        uv pip install ".[openai, anthropic, google]" --target ./tests/system/test_apps/generating_app/bin/lib
     - name: Package the mock app
       shell: bash
       run: |
-        cd ${{ inputs.mock-app-path }}
+        cd ./tests/system/test_apps/generating_app
         tar -czf mock_app.tgz --exclude="__pycache__" bin default metadata
     - name: Validate the mock app with AppInspect
       shell: bash
-      run: uvx splunk-appinspect inspect ${{ inputs.mock-app-path }}/mock_app.tgz --included-tags cloud
+      run: uvx splunk-appinspect inspect ./tests/system/test_apps/generating_app/mock_app.tgz --included-tags cloud
diff --git a/.github/actions/setup-sdk-environment/action.yml b/.github/actions/setup-sdk-environment/action.yml
@@ -2,10 +2,6 @@ name: Set up SDK environment
 description: Perform all the shared setup steps
 
 inputs:
-  python-version:
-    description: Python version used for this run
-    required: true
-    default: "3.13"
   deps-group:
     description: Dependency groups passed to `uv sync --group`
     required: true
@@ -17,12 +13,12 @@ runs:
     - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57
       with:
         version: 0.11.6
-        python-version: ${{ inputs.python-version }}
+        python-version: 3.13
         activate-environment: true
         enable-cache: true
         cache-python: true
     - name: Install dependencies from the ${{ inputs.deps-group }} group
       env:
         SDK_DEPS_GROUP: ${{ inputs.deps-group }}
       shell: bash
-      run: SDK_DEPS_GROUP="${{ inputs.deps-group }}" make ci-install
+      run: make ci-install
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -4,14 +4,18 @@ updates:
     directory: "/"
     target-branch: "develop"
     schedule:
-      interval: "weekly"
+      interval: "monthly"
     groups:
       github-actions:
-        patterns: ["*"]
+        update-types: ["major", "minor", "patch"]
+    cooldown:
+      default-days: 7
   - package-ecosystem: "uv"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "monthly"
     groups:
       python-uv-lock:
-        patterns: ["*"]
+        update-types: ["minor", "patch"]
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml
@@ -5,19 +5,23 @@ on:
   pull_request:
   workflow_dispatch:
 
-env:
-  PYTHON_VERSION: 3.13
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
 
 jobs:
   appinspect:
+    name: Run AppInspect
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           persist-credentials: false
       - uses: ./.github/actions/setup-sdk-environment
         with:
-          python-version: ${{ env.PYTHON_VERSION }}
+          python-version: 3.13
           deps-group: lint
       - name: Run AppInspect
         uses: ./.github/actions/run-appinspect
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -1,16 +1,20 @@
-name: Python CD
+name: Python SDK CD
 on:
   push:
     branches: [develop]
   release:
     types: [published]
   workflow_dispatch:
 
-env:
-  DIST_DIR: dist/
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: false
+
+permissions: {}
 
 jobs:
   build-distributables:
+    name: Build release distributables
     # Why building is separate from publishing:
     # https://github.com/pypa/gh-action-pypi-publish/issues/217#issuecomment-1965727093
     runs-on: ubuntu-latest
@@ -26,15 +30,17 @@ jobs:
           deps-group: release
       - name: Set pre-release version
         if: startsWith(github.ref, 'refs/tags/') != true
+        env:
+          RUN_NUMBER: ${{ github.run_number }}
         run: |
           VERSION_BASE="$(uv version --short)"
-          RUN_NUMBER="${{ github.run_number }}"
           uv version "${VERSION_BASE}.dev${RUN_NUMBER}"
       - name: Set release version
         if: startsWith(github.ref, 'refs/tags/') == true
+        env:
+          VERSION_TAG: ${{ github.event.release.tag_name }}
         run: |
-          VERSION_TAG="${{ github.event.release.tag_name }}"
-          [[ $VERSION_TAG != $(uv version --short) ]] && {
+          [[ ${VERSION_TAG} != $(uv version --short) ]] && {
             printf "Git tag should be identical to version field in pyproject.toml"
             exit 1
           }
@@ -50,7 +56,7 @@ jobs:
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
         with:
           name: splunk-sdk-${{ steps.get-version.outputs.version }}
-          path: ${{ env.DIST_DIR }}
+          path: dist/
       - name: Generate API reference
         run: make -C ./docs zip
       - name: Upload docs artifact
@@ -60,11 +66,12 @@ jobs:
           path: docs/_build/splunk-sdk-python-docs.zip
 
   publish-pre-release:
+    name: Publish pre-release to Test PyPI
     if: startsWith(github.ref, 'refs/tags/') == false
     needs: build-distributables
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
+      id-token: write # Required for OIDC-based trusted publishing to PyPI
     environment:
       name: splunk-test-pypi
       url: https://test.pypi.org/project/splunk-sdk/
@@ -73,18 +80,19 @@ jobs:
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
         with:
           name: splunk-sdk-${{ needs.build-distributables.outputs.version }}
-          path: ${{ env.DIST_DIR }}
+          path: dist/
       - name: Publish packages to Test PyPI
         uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
         with:
           repository-url: https://test.pypi.org/legacy/
 
   publish-release:
+    name: Publish release to PyPI
     if: startsWith(github.ref, 'refs/tags/') == true
     needs: build-distributables
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
+      id-token: write # Required for OIDC-based trusted publishing to PyPI
     environment:
       name: splunk-pypi
       url: https://pypi.org/project/splunk-sdk/
@@ -93,7 +101,7 @@ jobs:
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
         with:
           name: splunk-sdk-${{ needs.build-distributables.outputs.version }}
-          path: ${{ env.DIST_DIR }}
+          path: dist/
       - name: Publish packages to PyPI
         uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
         with:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -5,8 +5,15 @@ on:
   pull_request:
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
 jobs:
   lint:
+    name: Run linters
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -9,8 +9,11 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   test:
+    name: Run test suite
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -30,7 +33,9 @@ jobs:
           SPLUNKBASE_PASSWORD: ${{ secrets.SPLUNKBASE_PASSWORD }}
         run: uv run ./scripts/download_splunk_mcp_server_app.py
       - name: Launch Splunk Docker instance
-        run: SPLUNK_VERSION=${{ matrix.splunk-version }} docker compose up -d
+        env:
+          SPLUNK_VERSION: ${{ matrix.splunk-version }}
+        run: docker compose up -d
       - name: Set up .env
         run: cp .env.template .env
       - name: Write internal AI secrets to .env
@@ -51,10 +56,8 @@ jobs:
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae
         with:
           path: .pytest_cache
-          key: pytest-cache-${{ runner.os }}-py${{ matrix.python-version }}-${{ github.ref_name }}-${{
-            github.sha }}
-          restore-keys: |
-            pytest-cache-${{ runner.os }}-py${{ matrix.python-version }}-${{ github.ref_name }}-
+          key: pytest-cache-${{ runner.os }}-py${{ matrix.python-version }}-${{ github.ref_name }}-${{ github.sha }}
+          restore-keys: pytest-cache-${{ runner.os }}-py${{ matrix.python-version }}-${{ github.ref_name }}-
       - name: Run unit tests
         run: make test-unit
       - name: Run integration/system tests
diff --git a/.gitignore b/.gitignore
@@ -279,6 +279,7 @@ $RECYCLE.BIN/
 
 .vscode/
 docs/_build/
+.claude/
 
 !*.conf.spec
 **/metadata/local.meta
diff --git a/Makefile b/Makefile
@@ -2,9 +2,13 @@
 
 ## VIRTUALENV MANAGEMENT
 
-# https://docs.astral.sh/uv/reference/cli/#uv-run--upgrade
+# https://docs.astral.sh/uv/reference/cli/#uv-sync
 # --no-config skips Splunk's internal PyPI mirror
 UV_SYNC_CMD := uv sync --no-config
+# https://docs.astral.sh/uv/reference/cli/#uv-run
+UV_RUN_CMD := uv run
+# https://docs.zizmor.sh/usage
+ZIZMOR_CMD := $(UV_RUN_CMD) zizmor --pedantic --strict-collection
 
 .PHONY: install
 install:
@@ -20,9 +24,12 @@ upgrade:
 ci-install:
 	$(UV_SYNC_CMD) --frozen --group $(SDK_DEPS_GROUP)
 
-UV_RUN_CMD := uv run
 .PHONY: lint
-lint: lint-python # TODO: Add mbake
+lint: lint-python lint-gh-actions # TODO: Add mbake
+
+.PHONY: lint-gh-actions
+lint-gh-actions:
+	$(ZIZMOR_CMD) ./.github
 
 .PHONY: lint-python
 lint-python:
@@ -31,7 +38,11 @@ lint-python:
 	$(UV_RUN_CMD) basedpyright
 
 .PHONY: ci-lint
-ci-lint: ci-lint-python # TODO: Add mbake
+ci-lint: ci-lint-python ci-lint-gh-actions # TODO: Add mbake
+
+.PHONY: ci-lint-gh-actions
+ci-lint-gh-actions:
+	$(ZIZMOR_CMD) ./.github
 
 .PHONY: ci-lint-python
 ci-lint-python:
diff --git a/pyproject.toml b/pyproject.toml
@@ -53,7 +53,12 @@ test = [
   "vcrpy>=8.1.1",
 ]
 release = ["build>=1.5.0", "jinja2>=3.1.6", "sphinx>=9.1.0", "twine>=6.2.0"]
-lint = ["basedpyright>=1.39.4", "ruff>=0.15.12", "mbake>=1.4.6"]
+lint = [
+  "basedpyright>=1.39.4",
+  "ruff>=0.15.12",
+  "mbake>=1.4.6",
+  "zizmor==1.25.2",
+]
 dev = [
   "rich>=15.0.0",
   { include-group = "test" },
diff --git a/uv.lock b/uv.lock
