From 7dec66dd31d7fb61fe1457cfed34a040f0c0c6e3 Mon Sep 17 00:00:00 2001
From: Pamela Fox
Date: Tue, 12 Mar 2024 10:25:25 -0700
Subject: [PATCH] Add Bicep validation
---
 .github/workflows/bicep-validation.yaml | 36 +++++++++++++++++++++++++
 .gitignore | 2 ++
 infra/main.bicep | 1 +
 3 files changed, 39 insertions(+)
 create mode 100644 .github/workflows/bicep-validation.yaml
diff --git a/.github/workflows/bicep-validation.yaml b/.github/workflows/bicep-validation.yaml
new file mode 100644
index 0000000..c07ecf0
--- /dev/null
+++ b/.github/workflows/bicep-validation.yaml
@@ -0,0 +1,36 @@
+name: Validate AZD template
+on:
+ push:
+ branches: [ main ]
+ paths:
+ - "infra/**"
+ pull_request:
+ branches: [ main ]
+ paths:
+ - "infra/**"
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Build Bicep for linting
+ uses: azure/CLI@v1
+ with:
+ inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout
+
+ - name: Run Microsoft Security DevOps Analysis
+ uses: microsoft/security-devops-action@preview
+ id: msdo
+ continue-on-error: true
+ with:
+ tools: templateanalyzer
+
+ - name: Upload alerts to Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: github.repository == 'Azure-Samples/langfuse-on-azure'
+ with:
+ sarif_file: ${{ steps.msdo.outputs.sarifFile }}
diff --git a/.gitignore b/.gitignore
index 68bc17f..194c886 100644
--- a/.gitignore
+++ b/.gitignore
@@ -158,3 +158,5 @@ cython_debug/
 # and can be added to the global gitignore or merged into this file. For a more nuclear
 # option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+.azure
\ No newline at end of file
diff --git a/infra/main.bicep b/infra/main.bicep
index 121c12f..5e61cb4 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
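Review bot: In `.github/workflows/bicep-validation.yaml` the `build` job declares no `permissions:` block and runs `microsoft/security-devops-action@preview`, a mutable ref, so whatever that ref points to at run time executes with the repository's default token scope. Pin the third-party actions to a full commit SHA, e.g. `uses: microsoft/security-devops-action@<full-commit-sha> # preview`, and add a job-level `permissions: { contents: read, security-events: write }`, which is the scope `upload-sarif` needs. The upload step's `if:` checks only `github.repository`, which also matches pull requests opened from forks; the token is read-only there, so the upload will likely fail, and adding `&& github.event_name == 'push'` (or a same-repository head check) would avoid that. With `continue-on-error: true` on the `msdo` step, neither analyzer findings nor an analyzer crash fail the check, so a short comment saying the Security tab is the only place results surface would help the next maintainer.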
@@ -23,6 +23,7 @@ param salt string param useAuthentication bool = false param authClientId string = '' +@secure() param authClientSecret string = '' param authTenantId string = ''
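Review bot: `@secure()` on `authClientSecret` only keeps the value out of deployment history and logs for this parameter declaration; the hunk does not show where the value is consumed. Wherever `main.bicep` passes it on (outside this hunk), the receiving module parameter needs `@secure()` as well, and the value should not be exposed through an `output` or a plain-text app setting. The hunk header also shows `param salt string` with no decorator visible from here; if that value is sensitive, it presumably wants the same treatment.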