Create datadog-synthetics.yml#144

Open
danialzivehdadr wants to merge 1 commit into react-component:main from danialzivehdadr:main

@danialzivehdadr danialzivehdadr commented Jun 19, 2026

Pick folder

Summary by CodeRabbit

  • Chores
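    • Configured an automated synthetic-testing workflow that runs end-to-end tests automatically on code changes, ensuring that the quality-check process keeps running continuously.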

Signed-off-by: danialzivehdar <243804543+danialzivehdar1992-hue@users.noreply.github.com>
@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

coderabbitai Bot commented Jun 19, 2026

Walkthrough

Adds the .github/workflows/datadog-synthetics.yml workflow file, which, when push/pull_request events on the main branch trigger it, runs the Datadog Synthetic tests tagged tag:e2e-tests through DataDog/synthetics-ci-github-action, with keys read from repository secrets.

Changes

Datadog Synthetics CI workflow integration

Layer / File(s) Summary
Datadog Synthetics workflow definition
.github/workflows/datadog-synthetics.yml
Adds the complete workflow: it triggers on push/pull_request for the main branch; the steps include actions/checkout@v4 and DataDog/synthetics-ci-github-action@87b505388a22 (v1.4.0); it authenticates with the DD_API_KEY and DD_APP_KEY secrets and uses tag:e2e-tests to select the synthetic tests to run.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

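🐇 A little rabbit hops into the pipeline,
the e2e-tests tag hung between its ears,
secrets tucked away in its pocket,
the Datadog sentinel standing strict guard,
every push gets checked at the gate,
and the synthetic tests flash green! ✨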

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main content of this change: creating a new datadog-synthetics.yml workflow file.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Warning

⚠️ This pull request shows signs of AI-generated slop (description_diff_mismatch). It has been flagged by CodeRabbit slop detection and should be reviewed carefully.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/datadog-synthetics.yml:
- Line 27: The actions/checkout@v4 step is missing the persist-credentials
configuration which is a security best practice. Add the with clause to the
actions/checkout@v4 step and set persist-credentials to false to disable Git
credential persistence in the runner, preventing accidental leakage of the
GITHUB_TOKEN even though this workflow does not push code back to the
repository.
- Line 27: The actions/checkout action is currently pinned to version tag v4
instead of a specific commit hash, which poses a supply chain security risk
since version tags can be re-tagged. Replace the version tag reference in the
actions/checkout@v4 line with the full commit SHA hash that corresponds to the
v4 release. This ensures the workflow uses an immutable reference to a specific
commit rather than a mutable version tag.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0e5ff518-b476-4bce-97a8-d92823435b6c

📥 Commits

Reviewing files that changed from the base of the PR and between 8578d00 and 2415b28.

📒 Files selected for processing (1)
  • .github/workflows/datadog-synthetics.yml

runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

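Add persist-credentials: false to disable Git credential persistence.

By default, actions/checkout keeps the GITHUB_TOKEN on the runner as a Git credential. Although this workflow does not push code back to the repository, disabling credential persistence is a security best practice that reduces the risk of accidental leakage.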

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 27-30: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/datadog-synthetics.yml at line 27, The actions/checkout@v4
step is missing the persist-credentials configuration which is a security best
practice. Add the with clause to the actions/checkout@v4 step and set
persist-credentials to false to disable Git credential persistence in the
runner, preventing accidental leakage of the GITHUB_TOKEN even though this
workflow does not push code back to the repository.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

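Pin the actions/checkout action to a specific commit hash.

The current configuration uses the version tag v4 rather than a commit hash. GitHub version tags can be re-tagged, which is a supply-chain security risk. For safety, it should be locked to a specific commit SHA. It is recommended to follow the approach used for the Datadog action and use the full commit hash.

🔐 Suggested fix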
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53b808aeb3b2f405076e # v4.1.1
+      with:
+        persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v4
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53b808aeb3b2f405076e # v4.1.1
with:
persist-credentials: false

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/datadog-synthetics.yml at line 27, The actions/checkout
action is currently pinned to version tag v4 instead of a specific commit hash,
which poses a supply chain security risk since version tags can be re-tagged.
Replace the version tag reference in the actions/checkout@v4 line with the full
commit SHA hash that corresponds to the v4 release. This ensures the workflow
uses an immutable reference to a specific commit rather than a mutable version
tag.
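
A minimal, line-based check for the two findings raised in this review (an unpinned `uses:` reference and a checkout step without `persist-credentials: false`), as an added example that is not part of the PR, CodeRabbit or zizmor. The job name `e2e` and the 40-hex Datadog reference in the sample are constructed placeholders; the checkout SHA is the one from the suggested fix, and the check assumes `with:` follows `uses:` within a step.

```python
import re

USES = re.compile(r"^(\s*)(-\s+)?uses:\s*([^\s#@]+)@([^\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
PERSIST_OFF = re.compile(r"\s*persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?")

def indent_of(line):
    return len(line) - len(line.lstrip(" "))

def audit(workflow_text):
    """Return (line_no, rule, detail) tuples for the two findings in this review."""
    lines = workflow_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue  # not a `uses:` line, or a local action with no @ref
        action, ref = m.group(3), m.group(4)
        if not FULL_SHA.fullmatch(ref):
            findings.append((i + 1, "unpinned-uses", f"{action}@{ref}"))
        if action.lower() != "actions/checkout":
            continue
        # Keys of this step sit at the column of `uses:`; the step ends at the
        # first non-blank line indented less than that (the next `- ` item).
        key_col = len(m.group(1)) + len(m.group(2) or "")
        hardened = False
        for body in lines[i + 1:]:
            if body.strip() and indent_of(body) < key_col:
                break
            if PERSIST_OFF.fullmatch(body):
                hardened = True
        if not hardened:
            findings.append((i + 1, "artipacked", "persist-credentials is not false"))
    return findings

# Constructed sample shaped like the workflow under review (placeholder SHA).
BEFORE = """\
jobs:
  e2e:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: DataDog/synthetics-ci-github-action@0123456789abcdef0123456789abcdef01234567
"""
# The same sample with the suggested fix from this review applied.
AFTER = BEFORE.replace(
    "actions/checkout@v4",
    "actions/checkout@b4ffde65f46336ab88eb53b808aeb3b2f405076e # v4.1.1\n"
    "        with:\n          persist-credentials: false",
)
```

`audit(BEFORE)` reports both findings on line 5 of the sample, and `audit(AFTER)` returns an empty list.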
