Bicep Security Scan workflow (Azure-Samples/rag-postgres-openai-python)
The Bicep Security Scan workflow from Azure-Samples/rag-postgres-openai-python, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Bicep Security Scan workflow from the Azure-Samples/rag-postgres-openai-python repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Bicep Security Scan
on:
push:
branches: [ main ]
paths:
- "infra/**"
pull_request:
branches: [ main ]
paths:
- "infra/**"
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Build Bicep for linting
uses: azure/CLI@v2
with:
inlineScript: |
export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout
- name: Run Microsoft Security DevOps Analysis
uses: microsoft/security-devops-action@preview
id: msdo
continue-on-error: true
with:
tools: templateanalyzer
- name: Upload alerts to Security tab
uses: github/codeql-action/upload-sarif@v3
if: github.repository == 'Azure-Samples/azure-search-openai-demo'
with:
sarif_file: ${{ steps.msdo.outputs.sarifFile }}
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Bicep Security Scan on: push: branches: [ main ] paths: - "infra/**" pull_request: branches: [ main ] paths: - "infra/**" workflow_dispatch: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: build: timeout-minutes: 30 runs-on: latchkey-small permissions: security-events: write steps: - name: Checkout uses: actions/checkout@v4 - name: Build Bicep for linting uses: azure/CLI@v2 with: inlineScript: | export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout - name: Run Microsoft Security DevOps Analysis uses: microsoft/security-devops-action@preview id: msdo continue-on-error: true with: tools: templateanalyzer - name: Upload alerts to Security tab uses: github/codeql-action/upload-sarif@v3 if: github.repository == 'Azure-Samples/azure-search-openai-demo' with: sarif_file: ${{ steps.msdo.outputs.sarifFile }}
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.