Create codeql.yml#144

Open
smarthomespropertieske-pixel wants to merge 1 commit into
tinyfish-io:mainfrom
easy-tenancy-global-os:main

Conversation

@smarthomespropertieske-pixel

    - name: Azure App Service Settings for Node20
      # You may pin to the exact commit or the version.
      # uses: devops-actions/azure-appservice-settings@61bbd93
      uses: devops-actions/azure-appservice-settings@v1.0.2
      with:
        # Name of the Azure Web App
        app-name:
        # Name of an existing slot other than the production slot. Default value is production
        slot-name: # optional
        # Application settings using the JSON syntax set as value of secret variable: APP_SETTINGS
        app-settings-json: # optional
        # Connection Strings using the JSON syntax set as value of secret variable: CONNECTION_STRINGS
        connection-strings-json: # optional
        # General configuration settings using dictionary syntax - Key Value pairs
        general-settings-json: # optional
        # Set it to false if you want to provide input jsons as plain text/you do not want input json values to be masked. This will apply to app-settings-json and connection-strings-json. Default is true
        mask-inputs: # optional, default is true
        # Set to true to skip creating/updating settings with empty or blank values. Default is false.
        treat-empty-as-not-set: # optional, default is false
@coderabbitai

coderabbitai Bot commented Jun 13, 2026

📝 Walkthrough

This pull request adds a new GitHub Actions workflow file that automates Datadog synthetic test execution. The workflow triggers on push and pull request events to the main branch, checks out the repository, and invokes the Datadog Synthetics CI action using API and app key secrets. The action is configured to run tests matching the tag:e2e-tests query, enabling continuous validation of end-to-end test scenarios as part of the CI pipeline.

🚥 Pre-merge checks | ✅ 2 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Title check ⚠️ Warning The title 'Create codeql.yml' does not match the actual changeset, which adds a Datadog Synthetics workflow, not a CodeQL configuration file. Update the title to accurately reflect the changes, such as 'Add Datadog Synthetics CI workflow' or 'Configure Datadog synthetic tests on push and pull request'.
Description check ⚠️ Warning The description discusses Azure App Service Settings configuration, which is unrelated to the actual changeset that adds a Datadog Synthetics CI workflow. Replace the description with content relevant to the Datadog Synthetics workflow being added, explaining its purpose and configuration.
✅ Passed checks (2 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


Warning

⚠️ This pull request might be slop. It has been flagged by CodeRabbit slop detection and should be reviewed carefully.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/datadog-synthetics.yml (1)

16-24: ⚡ Quick win

Add explicit least-privilege permissions for this workflow/job.

Lines 16–24 rely on default GITHUB_TOKEN scopes. Set explicit read-only permissions for this job to avoid accidental broad token access.

Suggested patch
 on:
   push:
     branches: [ "main" ]
   pull_request:
     branches: [ "main" ]

+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
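Review bot: Putting the `+permissions:` block at workflow top level, as this hunk does, is the right scope: it caps the GITHUB_TOKEN for the existing `build` job and for any job added later, and `contents: read` is all `actions/checkout` needs since the Datadog step authenticates with its own API and app key secrets rather than the token. Note that a job-level `permissions:` added later would override this block for that job, so keep any such override equally narrow.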
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/datadog-synthetics.yml around lines 16 - 24, Add explicit
least-privilege GitHub token permissions by adding a permissions block to the
workflow (prefer at the top-level) that grants only read access needed for this
job; for example add "permissions: contents: read" (and optionally
"pull-requests: read" or "checks: read" if the job uses those scopes) above the
jobs section so the existing jobs.build entry uses a read-only GITHUB_TOKEN
instead of the default broad scopes.

📥 Commits

Reviewing files that changed from the base of the PR and between fe9955e and 621246d.

📒 Files selected for processing (1)
  • .github/workflows/datadog-synthetics.yml

runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification: find unpinned GitHub Actions and checkout steps missing persist-credentials:false
rg -n --glob '.github/workflows/*.yml' --glob '.github/workflows/*.yaml' 'uses:\s*actions/checkout@'
rg -n --glob '.github/workflows/*.yml' --glob '.github/workflows/*.yaml' -A3 -B1 'uses:\s*actions/checkout@'
rg -n --glob '.github/workflows/*.yml' --glob '.github/workflows/*.yaml' 'uses:\s*[^@]+@v[0-9]+(\.[0-9]+)?(\.[0-9]+)?\s*$'

Repository: tinyfish-io/bigset

Length of output: 509


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== workflows files =="
ls -la .github || true
ls -la .github/workflows || true
rg -n --hidden --no-ignore -S "datadog-synthetics" .github/workflows || true

echo "== show workflow file =="
if [ -f ".github/workflows/datadog-synthetics.yml" ]; then
  nl -ba .github/workflows/datadog-synthetics.yml | sed -n '1,160p'
else
  echo "Missing: .github/workflows/datadog-synthetics.yml"
  exit 1
fi

echo "== targeted pin/persist checks =="
rg -n --glob '.github/workflows/*.yml' --glob '.github/workflows/*.yaml' 'uses:\s*actions/checkout@' .github/workflows || true
rg -n --glob '.github/workflows/*.yml' --glob '.github/workflows/*.yaml' -C 3 'uses:\s*actions/checkout@' .github/workflows || true
rg -n --glob '.github/workflows/*.yml' --glob '.github/workflows/*.yaml' -C 2 'persist-credentials:\s*(false|true)' .github/workflows || true

Repository: tinyfish-io/bigset

Length of output: 1045


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== show workflow file with line numbers =="
awk '{printf "%5d\t%s\n", NR, $0}' .github/workflows/datadog-synthetics.yml | sed -n '1,200p'

echo "== targeted pin/persist checks =="
rg -n --glob '.github/workflows/*.yml' --glob '.github/workflows/*.yaml' 'uses:\s*actions/checkout@' .github/workflows
rg -n --glob '.github/workflows/*.yml' --glob '.github/workflows/*.yaml' -C 3 'uses:\s*actions/checkout@' .github/workflows
rg -n --glob '.github/workflows/*.yml' --glob '.github/workflows/*.yaml' 'persist-credentials:\s*(false|true)' .github/workflows

Repository: tinyfish-io/bigset

Length of output: 3784


Pin actions/checkout to a commit SHA and disable credential persistence

In .github/workflows/datadog-synthetics.yml step (line 27), actions/checkout@v4 is used as a mutable tag and persist-credentials: false is not set, which can leave credentials configured for later steps. Pin to a full commit SHA and add persist-credentials: false.

Suggested patch
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@<FULL_COMMIT_SHA_FOR_V4>
+      with:
+        persist-credentials: false
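Review bot: `<FULL_COMMIT_SHA_FOR_V4>` is a placeholder and must be replaced with the full 40-character commit SHA behind the `v4` tag before this suggestion is committed; a truncated or wrong SHA fails the job at checkout. Keeping the tag in a trailing `# v4` comment on the `uses:` line leaves the pin readable and lets dependency tooling bump it. `persist-credentials: false` is safe here because the following step needs only the Datadog secrets, not a git push with the token, which is exactly the artipacked finding zizmor reports on lines 27-30.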
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 27-30: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/datadog-synthetics.yml at line 27, Replace the mutable
actions/checkout@v4 reference with a pinned commit SHA for the same action and
add the persist-credentials: false setting to that checkout step; specifically,
locate the step that uses actions/checkout@v4 and change the uses value to the
full commit SHA (e.g., actions/checkout@<commit-sha>) and add the key
persist-credentials: false under that step to prevent credentials from being
left configured for later steps.

Source: Linters/SAST tools
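Added example, not code from the project or from CodeRabbit: a small Python audit that applies the three checks raised in this review (missing `permissions:` block, action refs not pinned to a full commit SHA, `actions/checkout` without `persist-credentials: false`) to a constructed copy of the weak workflow and to its hardened form. The Datadog action name and its `api_key` input are assumed from memory of that action's README, and the 40-hex refs in the hardened sample are placeholders, not real commits.

```python
import re

# Constructed sample of the weak workflow the review describes: no permissions block,
# actions/checkout on a mutable tag and no persist-credentials: false.
WEAK_WORKFLOW = """\
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: Run Datadog Synthetic tests
      uses: DataDog/synthetics-ci-github-action@v1
      with:
        api_key: ${{ secrets.DD_API_KEY }}
"""
# Constructed hardened variant; the 40-hex refs are placeholders, not real commit SHAs.
HARDENED_WORKFLOW = (
    WEAK_WORKFLOW.replace("jobs:", "permissions:\n  contents: read\njobs:")
    .replace("checkout@v4", "checkout@" + "0" * 40 + "\n      with:\n        persist-credentials: false")
    .replace("synthetics-ci-github-action@v1", "synthetics-ci-github-action@" + "f" * 40)
)

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^(\s*)(-\s+)?uses:\s*(\S+)")

def audit_workflow(text):
    """Return [(line_no, message)] for the three findings raised in the review."""
    lines = text.splitlines()
    findings = []
    if not any(re.match(r"^\s*permissions:", ln) for ln in lines):
        findings.append((0, "no permissions block: default GITHUB_TOKEN scopes apply"))
    for no, ln in enumerate(lines, 1):
        m = USES_RE.match(ln)
        if not m or m.group(3).startswith(("./", "docker://")):
            continue  # local/docker references are out of scope for SHA pinning
        action, _, ref = m.group(3).partition("@")
        if not SHA_RE.match(ref):
            findings.append((no, f"{action}@{ref} is a mutable ref, not a full commit SHA"))
        if action == "actions/checkout":
            # The step body is every following line indented at least as far as 'uses'.
            key_indent = len(m.group(1)) + len(m.group(2) or "")
            body = []
            for nxt in lines[no:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_indent:
                    break
                body.append(nxt)
            if not any(re.match(r"\s*persist-credentials:\s*false\s*$", b) for b in body):
                findings.append((no, "actions/checkout keeps the token in .git/config "
                                     "for later steps (persist-credentials: false missing)"))
    return findings
```

Running `audit_workflow` on the weak sample reports four findings (permissions, the checkout pin, the missing `persist-credentials: false`, and the Datadog action pin); the hardened sample reports none.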
