.github/workflows/bicep-audit.yml

name: Validate bicep templates
on:
  push:
    branches: 
      - main
    paths:
      - "**/*.bicep"
  pull_request:
    branches: 
      - main
    paths:
      - "**/*.bicep"
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run PSRule analysis
        uses: microsoft/ps-rule@v2.9.0
        with:
          modules: PSRule.Rules.Azure
          baseline: Azure.Pillar.Security
          inputPath: infra/*.test.bicep
          outputFormat: Sarif
          outputPath: reports/ps-rule-results.sarif
          summary: true
        continue-on-error: true
          
        env:
          PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: 'true'
          PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: '30'

      - name: Upload results to security tab
        uses: github/codeql-action/upload-sarif@v3
        if: github.repository_owner == 'Azure-Samples'
        with:
          sarif_file: reports/ps-rule-results.sarif