diff --git a/.github/actions/run-appinspect/action.yml b/.github/actions/run-appinspect/action.yml index 51147a6c..60b2713e 100644 --- a/.github/actions/run-appinspect/action.yml +++ b/.github/actions/run-appinspect/action.yml @@ -1,12 +1,6 @@ name: Run Splunk AppInspect description: Package a mock app containing the SDK and its dependencies, then validate it with AppInspect. -inputs: - mock-app-path: - description: Path to app packaged for scanning with AppInspect - required: true - default: ./tests/system/test_apps/generating_app - runs: using: composite steps: @@ -16,13 +10,13 @@ runs: - name: Install the SDK and its dependencies into the mock app shell: bash run: | - mkdir -p ${{ inputs.mock-app-path }}/bin/lib - uv pip install ".[openai, anthropic, google]" --target ${{ inputs.mock-app-path }}/bin/lib + mkdir -p ./tests/system/test_apps/generating_app/bin/lib + uv pip install ".[openai, anthropic, google]" --target ./tests/system/test_apps/generating_app/bin/lib - name: Package the mock app shell: bash run: | - cd ${{ inputs.mock-app-path }} + cd ./tests/system/test_apps/generating_app tar -czf mock_app.tgz --exclude="__pycache__" bin default metadata - name: Validate the mock app with AppInspect shell: bash - run: uvx splunk-appinspect inspect ${{ inputs.mock-app-path }}/mock_app.tgz --included-tags cloud + run: uvx splunk-appinspect inspect ./tests/system/test_apps/generating_app/mock_app.tgz --included-tags cloud diff --git a/.github/actions/setup-sdk-environment/action.yml b/.github/actions/setup-sdk-environment/action.yml index 04c7c1ba..30d8df44 100644 --- a/.github/actions/setup-sdk-environment/action.yml +++ b/.github/actions/setup-sdk-environment/action.yml @@ -2,10 +2,6 @@ name: Set up SDK environment description: Perform all the shared setup steps inputs: - python-version: - description: Python version used for this run - required: true - default: "3.13" deps-group: description: Dependency groups passed to `uv sync --group` required: true 
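Review bot: The last step of the second hunk runs `uvx splunk-appinspect inspect …` with no version, so the tool is resolved from the package index at run time, outside `uv.lock` and outside the Dependabot cooldown this commit adds. Pinning it, e.g. `run: uvx splunk-appinspect@<PINNED_VERSION> inspect ./tests/system/test_apps/generating_app/mock_app.tgz --included-tags cloud`, keeps the validation step reproducible and limits exposure to a freshly published bad release. The hunk also repeats the literal app path four times; a step-level `env:` entry such as `MOCK_APP_PATH: ./tests/system/test_apps/generating_app`, referenced as `"$MOCK_APP_PATH"`, would keep the template-injection fix while avoiding drift between the copies.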
@@ -17,7 +13,7 @@ runs: - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 with: version: 0.11.6 - python-version: ${{ inputs.python-version }} + python-version: 3.13 activate-environment: true enable-cache: true cache-python: true @@ -25,4 +21,4 @@ runs: env: SDK_DEPS_GROUP: ${{ inputs.deps-group }} shell: bash - run: SDK_DEPS_GROUP="${{ inputs.deps-group }}" make ci-install + run: make ci-install diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index bcae6e51..c3e7cb1d 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -8,6 +8,8 @@ updates: groups: github-actions: patterns: ["*"] + cooldown: + default-days: 7 - package-ecosystem: "uv" directory: "/" schedule: @@ -15,3 +17,5 @@ updates: groups: python-uv-lock: patterns: ["*"] + cooldown: + default-days: 7 diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml index 02832e93..64e6e090 100644 --- a/.github/workflows/appinspect.yml +++ b/.github/workflows/appinspect.yml @@ -1,11 +1,18 @@ name: Validate SDK with Splunk AppInspect on: [push, workflow_dispatch] +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: {} + env: PYTHON_VERSION: 3.13 jobs: appinspect: + name: AppInspect runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index d7d5114f..392eb56e 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml 
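Review bot: `python-version: 3.13` in the `setup-uv` step is now an unquoted scalar, which YAML parses as a float, whereas the removed input default was the string `"3.13"`. It round-trips today, but a later edit to a version such as 3.10 would silently become 3.1. Write `python-version: "3.13"`. The neighbouring `version: 0.11.6` stays a string only because it has two dots.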
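Review bot: With `permissions: {}` at workflow level in appinspect.yml and no job-level `permissions:` visible in the hunk, the `appinspect` job's token carries no scopes, yet its first step is `actions/checkout`. That works on a public repository but fails if the repository is, or later becomes, private or internal. If that matters here, state it on the job with a `permissions:` key holding `contents: read`. The same applies to the `lint` job in lint.yml, the `test` job in test.yml and `build-distributables` in cd.yml. The job body continues outside the hunk, so confirm that no later step needs another scope.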
@@ -6,11 +6,18 @@ on: types: [published] workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: false + +permissions: {} + env: DIST_DIR: dist/ jobs: build-distributables: + name: Build distributables # Why building is separate from publishing: # https://github.com/pypa/gh-action-pypi-publish/issues/217#issuecomment-1965727093 runs-on: ubuntu-latest @@ -27,9 +34,10 @@ jobs: - name: Set pre-release version id: set-version if: startsWith(github.ref, 'refs/tags/') != true + env: + RUN_NUMBER: ${{ github.run_number }} run: | VERSION_BASE="$(uv version --short)" - RUN_NUMBER="${{ github.run_number }}" uv version --frozen "${VERSION_BASE}.dev${RUN_NUMBER}" - name: Get current version id: get-version @@ -52,11 +60,12 @@ jobs: path: docs/_build/html publish-pre-release: + name: Publish pre-release to Test PyPI if: startsWith(github.ref, 'refs/tags/') == false needs: build-distributables runs-on: ubuntu-latest permissions: - id-token: write + id-token: write # Required for OIDC-based trusted publishing to PyPI environment: name: splunk-test-pypi url: https://test.pypi.org/project/splunk-sdk/ @@ -72,11 +81,12 @@ jobs: repository-url: https://test.pypi.org/legacy/ publish-release: + name: Publish release to PyPI if: startsWith(github.ref, 'refs/tags/') == true needs: build-distributables runs-on: ubuntu-latest permissions: - id-token: write + id-token: write # Required for OIDC-based trusted publishing to PyPI environment: name: splunk-pypi url: https://pypi.org/project/splunk-sdk/ diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 160dbaf6..5805bb4b 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
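Review bot: In the added `concurrency` block of cd.yml, `github.event.pull_request.number` can never be set for the triggers visible in the hunk context (`types: [published]` and `workflow_dispatch`), so the group always falls back to `github.ref`. `group: ${{ github.workflow }}-${{ github.ref }}` states that directly. The same copied expression is added to appinspect.yml and lint.yml, which run on `[push, workflow_dispatch]`. A short comment above `cancel-in-progress: false`, e.g. `# Never cancel a publish that is already uploading`, would record why this workflow differs from the others. The `on:` block starts outside the hunk, so check for triggers not shown here.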
@@ -1,8 +1,15 @@ name: Python SDK Lint on: [push, workflow_dispatch] +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: {} + jobs: lint: + name: Lint runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e5c0b8f1..bd47bad6 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -5,8 +5,11 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: {} + jobs: test: + name: Test runs-on: ubuntu-latest strategy: matrix: @@ -26,7 +29,9 @@ jobs: SPLUNKBASE_PASSWORD: ${{ secrets.SPLUNKBASE_PASSWORD }} run: uv run ./scripts/download_splunk_mcp_server_app.py - name: Launch Splunk Docker instance - run: SPLUNK_VERSION=${{ matrix.splunk-version }} docker compose up -d + env: + SPLUNK_VERSION: ${{ matrix.splunk-version }} + run: docker compose up -d - name: Set up .env run: cp .env.template .env - name: Write internal AI secrets to .env diff --git a/Makefile b/Makefile index 56b0b26b..1bae9a40 100644 --- a/Makefile +++ b/Makefile @@ -22,7 +22,11 @@ ci-install: UV_RUN_CMD := uv run --frozen --no-config .PHONY: lint -lint: lint-python # TODO: Add mbake +lint: lint-python lint-gh-actions # TODO: Add mbake + +.PHONY: lint-gh-actions +lint-gh-actions: + $(UV_RUN_CMD) zizmor --pedantic --collect=all --strict-collection . .PHONY: lint-python lint-python: @@ -32,7 +36,11 @@ lint-python: UV_RUN_CMD := uv run --frozen --no-config .PHONY: ci-lint -ci-lint: ci-lint-python # TODO: Add mbake +ci-lint: ci-lint-python ci-lint-gh-actions # TODO: Add mbake + +.PHONY: ci-lint-gh-actions +ci-lint-gh-actions: + $(UV_RUN_CMD) zizmor --pedantic --collect=all --strict-collection --fix . .PHONY: ci-lint-python ci-lint-python: 
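Review bot: In the Makefile, the `ci-lint-gh-actions` recipe passes `--fix` while the local `lint-gh-actions` recipe does not, which looks inverted. On a CI runner the rewritten workflow files are discarded with the workspace, and auto-fixed findings may no longer fail the job (worth confirming against zizmor's exit-code behaviour), so a risky workflow could pass the gate unchanged. If `ci-lint` is the target CI runs, drop the flag there, `$(UV_RUN_CMD) zizmor --pedantic --collect=all --strict-collection .`, and keep `--fix` for a developer-facing target. The recipes of `lint-python` and `ci-lint-python` are outside the hunks, so the project's naming convention may differ from what is assumed here.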
diff --git a/pyproject.toml b/pyproject.toml index b45c5f6e..8ae74dfd 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -39,7 +39,7 @@ openai = ["splunk-sdk[ai]>=2.1.1", "langchain-openai>=1.2.1"] google = [ "splunk-sdk[ai]>=2.1.1", "langchain-google-genai==4.2.2", - "google-auth>=2.51.0", + "google-auth>=2.52.0", ] # Treat the same as NPM's `devDependencies` @@ -53,7 +53,7 @@ test = [ "vcrpy>=8.1.1", ] release = ["build>=1.5.0", "jinja2>=3.1.6", "sphinx>=9.1.0", "twine>=6.2.0"] -lint = ["basedpyright>=1.39.3", "ruff>=0.15.12", "mbake>=1.4.6"] +lint = ["basedpyright>=1.39.3","mbake>=1.4.6", "ruff>=0.15.12", "zizmor==1.24.1"] dev = [ "rich>=15.0.0", { include-group = "test" }, diff --git a/uv.lock b/uv.lock index a5c79c9e..ede2e4e4 100644 --- a/uv.lock +++ b/uv.lock 
@@ -396,15 +396,15 @@ wheels = [ [[package]] name = "google-auth" -version = "2.51.0" +version = "2.52.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "cryptography" }, { name = "pyasn1-modules" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/d4/12/25485f2df4797103154e5acc1680da895ceb0423904b3b62d9dfea57aa25/google_auth-2.51.0.tar.gz", hash = "sha256:a8191008d6aaace30f0823daa3f0073c734f8b4da8b8de074b5151aa9aa732c5", size = 334735, upload-time = "2026-05-07T08:03:48.833Z" } +sdist = { url = "https://files.pythonhosted.org/packages/d4/f8/80d2493cbedece1c623dc3e3cb1883300871af0dcdae254409522985ac23/google_auth-2.52.0.tar.gz", hash = "sha256:01f30e1a9e3638698d89464f5e603ce29d18e1c0e63ec31ac570aba4e164aaf5", size = 335027, upload-time = "2026-05-07T19:45:24.033Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/fa/27/49871f7e3f6021fac32faba996a77b2dbaf94c7f164c294035a28f450f1d/google_auth-2.51.0-py3-none-any.whl", hash = "sha256:230bd016f50d4c0b82fda2f50db5d372bc02cfd9bdab4ce5a9ce0d8c0f06bba5", size = 245526, upload-time = "2026-05-07T08:02:15.407Z" }, + { url = "https://files.pythonhosted.org/packages/ee/fc/2cdc74252746f547f81ff3f02d4d4234a3f411b5de5b61af97e633a060b9/google_auth-2.52.0-py3-none-any.whl", hash = "sha256:aee92803ba0ff93a70a3b8a35c7b4797837751cd6380b63ff38372b98f3ed627", size = 245614, upload-time = "2026-05-07T19:45:21.914Z" }, ] [package.optional-dependencies] @@ -1829,11 +1829,13 @@ dev = [ { name = "splunk-sdk", extra = ["anthropic", "google", "openai"] }, { name = "twine" }, { name = "vcrpy" }, + { name = "zizmor" }, ] lint = [ { name = "basedpyright" }, { name = "mbake" }, { name = "ruff" }, + { name = "zizmor" }, ] release = [ { name = "build" }, 
@@ -1852,7 +1854,7 @@ test = [ [package.metadata] requires-dist = [ - { name = "google-auth", marker = "extra == 'google'", specifier = ">=2.51.0" }, + { name = "google-auth", marker = "extra == 'google'", specifier = ">=2.52.0" }, { name = "httpx", marker = "extra == 'ai'", specifier = "==0.28.1" }, { name = "langchain", marker = "extra == 'ai'", specifier = ">=1.2.16" }, { name = "langchain-anthropic", marker = "extra == 'anthropic'", specifier = ">=1.4.3" }, @@ -1883,11 +1885,13 @@ dev = [ { name = "splunk-sdk", extras = ["openai", "anthropic", "google"], specifier = ">=2.1.1" }, { name = "twine", specifier = ">=6.2.0" }, { name = "vcrpy", specifier = ">=8.1.1" }, + { name = "zizmor", specifier = "==1.24.1" }, ] lint = [ { name = "basedpyright", specifier = ">=1.39.3" }, { name = "mbake", specifier = ">=1.4.6" }, { name = "ruff", specifier = ">=0.15.12" }, + { name = "zizmor", specifier = "==1.24.1" }, ] release = [ { name = "build", specifier = ">=1.5.0" }, 
@@ -2286,6 +2290,24 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/74/35/698e7e3ff38e22992ea24870a511d8762474fb6783627a2910ff22a185c2/xxhash-3.7.0-cp314-cp314t-win_arm64.whl", hash = "sha256:468f0fc114faaa4b36699f8e328bbc3bb11dc418ba94ac52c26dd736d4b6c637", size = 28807, upload-time = "2026-04-25T11:09:11.234Z" }, ] +[[package]] +name = "zizmor" +version = "1.24.1" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/27/98/21be481ab5c08d976e59409828cfcb460a32a737415cf4e9c3f3280acc0b/zizmor-1.24.1.tar.gz", hash = "sha256:54ebb7a7061ebaa3a373126dcbafe970c9228fe274cfc40776a9714d2095b5e6", size = 501427, upload-time = "2026-04-13T18:01:34.666Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/6a/0d/c932a14dfe7d3fed5dbf26a7bf1b7b9dbf277cef1d0b76fbcddae386442d/zizmor-1.24.1-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:fd7c4953aa438aae599db69ed70ac687995e9e3314208bf1be5336479d556c8e", size = 9123014, upload-time = "2026-04-13T18:01:28.834Z" }, + { url = "https://files.pythonhosted.org/packages/5c/cc/f87ff2ccb9c57f4a1e5e9bd0351f9c84dc724fbd61b8ef70bc7e8abc1e0e/zizmor-1.24.1-py3-none-macosx_11_0_arm64.whl", hash = "sha256:f44379019188b1a18d560614ab8abac7ce10553ad2ab57d519fa1c214881ff95", size = 8664275, upload-time = "2026-04-13T18:01:24.588Z" }, + { url = "https://files.pythonhosted.org/packages/d2/64/1dfa166dea03ddff23ee3d6c6ebce8322766f7188e008aa0d3612af3e709/zizmor-1.24.1-py3-none-manylinux_2_24_aarch64.whl", hash = "sha256:9b0689c55854edb0f3e6430321a93ca0081d8e34028cdcb47b9504f8a8559c27", size = 8837100, upload-time = "2026-04-13T18:01:18.708Z" }, + { url = "https://files.pythonhosted.org/packages/65/67/cc411d605fec63b70558d572eb3fc2dbe4e596753e747b74daf5b795c1ed/zizmor-1.24.1-py3-none-manylinux_2_28_armv7l.whl", hash = "sha256:61f39674d5ea29640c4b09f3c239b3c9824c646bc790fa3680022e7bb569b375", size = 8430633, upload-time = "2026-04-13T18:01:20.757Z" }, + { url = 
"https://files.pythonhosted.org/packages/76/86/f8dfffc7a5348c41bc17dea1f1796ac1a56d5e448f26a4193bc65996f571/zizmor-1.24.1-py3-none-manylinux_2_28_x86_64.whl", hash = "sha256:73083efc7a65e5a58f4439dd781cdcb0394b05a3750e664c7f7e414589dc49b1", size = 9263074, upload-time = "2026-04-13T18:01:31.403Z" }, + { url = "https://files.pythonhosted.org/packages/14/62/db19dd027b412e92bbea8bd311b733d7726402ee3c734033c714125348f1/zizmor-1.24.1-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:d36a2ba3b6d839acd4542f1a8f42bc34ff902cbff302cdf7916cb4e49dc8c5cc", size = 8863996, upload-time = "2026-04-13T18:01:35.929Z" }, + { url = "https://files.pythonhosted.org/packages/8d/28/c4f220a14cb100ecc965ea0faed1c1229139861a55e792522274221988b3/zizmor-1.24.1-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:ff5acdd10c66ac27396c0fe14e4604933f6c622ffda38a6aa2857b99c75f5108", size = 8382934, upload-time = "2026-04-13T18:01:27.014Z" }, + { url = "https://files.pythonhosted.org/packages/a1/df/9593e8851424738a3b682be8958abf0e6a2c170e0c880d7b3bfb5d9eaf15/zizmor-1.24.1-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:b2d873816137296ca5633ad240a574ce49374009a39d43f78a1675e2dba1ab52", size = 9352624, upload-time = "2026-04-13T18:01:16.672Z" }, + { url = "https://files.pythonhosted.org/packages/ee/b9/2c4fe526fc02926206903bfc72dbfbc215f01728eccef8135363d57890c9/zizmor-1.24.1-py3-none-win32.whl", hash = "sha256:c87812173fef2a3449d269e50e93b67b2f40826d10464c7add0c0fd7f0523a2c", size = 7496962, upload-time = "2026-04-13T18:01:22.773Z" }, + { url = "https://files.pythonhosted.org/packages/ed/24/710149e5d64d474103165b9eef6f7698827ef2fbb762b034ebc02b11a816/zizmor-1.24.1-py3-none-win_amd64.whl", hash = "sha256:9a0e552bf84f146699a0231dc42cf2cd5cfe140e3f08ff867ac154f62fc1ac2e", size = 8550658, upload-time = "2026-04-13T18:01:33.13Z" }, +] + [[package]] name = "zstandard" version = "0.25.0"