Add GitHub Actions workflow to validate AZD template

[Copilot]

Purpose

Validates Azure infrastructure templates on every change and on a weekly schedule using Azure CLI Bicep build and Microsoft Security DevOps template analyzer. Results upload to GitHub Security tab for tracking.

Does this introduce a breaking change?

[ ] Yes
[x] No

Pull Request Type

[ ] Bugfix
[x] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Documentation content changes
[ ] Other... Please describe:

How to Test

• Get the code

git clone [repo-address]
cd [repo-name]
git checkout [branch-name]

• Test the code

Workflow triggers automatically on:

• Push/PR to main when azure.yaml or infra/** files change
• Scheduled run every Sunday at 9 PM UTC
• Manual dispatch via Actions tab

To verify locally:

az bicep install
az config set bicep.use_binary_from_path=false
az bicep build -f infra/main.bicep --stdout

What to Check

Verify that the following are valid

• Workflow file syntax is valid YAML
• Bicep CLI is installed before use
• Bicep template builds without errors
• Security DevOps action runs with templateanalyzer tool
• SARIF results upload to Security tab with proper permissions
• Scheduled trigger is configured for Sunday at 9 PM UTC

Other Information

Workflow structure:

• Installs Azure CLI
• Installs Bicep CLI with az bicep install
• Configures Bicep per project requirements
• Validates infra/main.bicep with az bicep build --stdout
• Runs microsoft/security-devops-action@v1 targeting IaC categories
• Uploads SARIF via github/codeql-action/upload-sarif@v3

Workflow triggers:

• Push/PR to main when azure.yaml or infra/** change
• Scheduled run every Sunday at 9 PM UTC (cron: 0 21 * * 0)
• Manual workflow dispatch

Permissions:

• contents: read - checkout code
• security-events: write - upload SARIF results
• actions: read - workflow metadata

Bug fix applied:

• Added explicit az bicep install step to resolve "Bicep CLI not found" error that was causing workflow failures

Action versions pinned for reproducibility.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Create a workflow pipeline to validate the AZD template</issue_title>
<issue_description>- include the ./azure.yaml and ./infra

• use az cli with az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout
• Run microsoft/security-devops-action@latest with templateanalyzer
• Uplodate alerts to security tab with github/codeql-action/upload-sarif@v3</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Create a workflow pipeline to validate the AZD template #20

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[diberry]

Add a scheduled run every sunday night.

[Copilot]

Add a scheduled run every sunday night.

Added scheduled run every Sunday at 9 PM UTC (cron: '0 21 * * 0'). Commit: ed10cdb

[diberry]

Add a scheduled run every sunday night.

[diberry]

The fails with 'ERROR: Bicep CLI not found. Install it now by running "az bicep install".' @copilot fix this issue in the PR

[diberry]

@copilot Look at the failing check and fix it.

[Copilot]

The fails with 'ERROR: Bicep CLI not found. Install it now by running "az bicep install".' @copilot fix this issue in the PR

Fixed by adding explicit az bicep install step before attempting to configure or use Bicep. Commit: cc91fc5

@copilot Look at the failing check and fix it.

Fixed the Bicep CLI installation error. Added az bicep install step to ensure Bicep is available before configuration. Commit: cc91fc5