Add ARM template validation with GitHub Actions and PSRule #1606

Status: Open. Wants to merge 8 commits into base branch dev.

Conversation

@Copilot Copilot AI (Contributor) commented May 19, 2025

This PR adds comprehensive automated validation for ARM templates as requested in the issue. The implementation includes:

🔍 New GitHub Actions Workflow

  • Created a new .github/workflows/arm-template-validation.yml that will trigger on PRs affecting templates (currently disabled for Phase 1)
  • The workflow validates ARM templates using multiple tools:
    • PSRule.Rules.Azure for best practices and security validation
    • ARM-TTK for common deployment issues (pinned to stable version 20250401)
    • Azure CLI validation for deployment verification without actual deployments

🛠️ New PowerShell Validation Script

  • Added src/scripts/Test-ArmTemplate.ps1 for local template validation
  • The script uses the same validation tools as the GitHub Actions workflow
  • It automatically installs required modules if they're missing
  • Provides detailed validation errors to help developers fix issues quickly
  • Supports validation levels (Strict/Lenient) for experimental features

📝 Documentation Updates

  • Added a new section to docs-wiki/Build-and-test.md about ARM template validation
  • Updated the scripts README with documentation for the new Test-ArmTemplate script
  • Included examples for running validation locally
  • Added "What's Being Validated" section explaining specific checks performed

🚀 Phased Rollout Plan

Due to existing validation errors in our templates, we're implementing a phased rollout:

Phase 1 (This PR):

  • ✅ Validation tools available for local use only
  • ✅ CI/CD workflow disabled (manual dispatch only)
  • ✅ ARM-TTK downloads to release/.tools/ (gitignored)
  • ✅ Documentation updated with phased approach

Phase 2 (Issue #1696):

  • Fix ~25 validation errors found in existing templates
  • Address API version updates, hardcoded locations, trailing whitespace

Phase 3 (Future):

  • Enable CI/CD workflow for all PRs
  • Monitor and iterate based on team feedback

Testing

To test validation locally:

# Validate all templates
./src/scripts/Test-ArmTemplate.ps1

# Validate specific template
./src/scripts/Test-ArmTemplate.ps1 -TemplatePath "release/finops-hub/azuredeploy.json"

# Use lenient mode for experimental features
./src/scripts/Test-ArmTemplate.ps1 -ValidationLevel Lenient

This implementation gives developers the ability to validate templates locally while ensuring we don't block current development with existing validation errors.

Fixes #2.


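The local validation flow the PR description outlines (auto-install of missing modules, PSRule.Rules.Azure plus ARM-TTK plus an optional Azure CLI validation, and a Strict/Lenient switch), written out as an added example. This is not the PR's own src/scripts/Test-ArmTemplate.ps1, which is not shown on this page. Assumptions that are mine rather than the PR's: the ARM-TTK release asset URL and the zip unpacking into an arm-ttk/ folder, discovering templates by the azuredeploy.json file name, and the Lenient rule (only Error-level PSRule findings and rule execution errors block; ARM-TTK failures always block).

```powershell
<#
Added example (not the project's Test-ArmTemplate.ps1): validate ARM templates locally
with PSRule.Rules.Azure, ARM-TTK and, optionally, 'az deployment group validate'.
#>
[CmdletBinding()]
param(
    # File or folder to validate; both PSRule (-Format File) and ARM-TTK accept either.
    [string]$TemplatePath = 'release',
    [ValidateSet('Strict', 'Lenient')]
    [string]$ValidationLevel = 'Strict',
    # Assumed layout: ARM-TTK unpacked under release/.tools (gitignored, as the PR describes).
    [string]$ArmTtkModule = 'release/.tools/arm-ttk/arm-ttk.psd1',
    # Assumed asset name for the pinned 20250401 release; adjust if the asset differs.
    [string]$ArmTtkZipUrl = 'https://github.com/Azure/arm-ttk/releases/download/20250401/arm-ttk.zip',
    # When set, also runs 'az deployment group validate'; needs an existing 'az login' session.
    [string]$ResourceGroup
)

$ErrorActionPreference = 'Stop'

function Ensure-PSRule {
    # Install from the PowerShell Gallery only when the module is missing, then import it.
    if (-not (Get-Module -ListAvailable -Name PSRule.Rules.Azure)) {
        Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -Force
    }
    Import-Module PSRule.Rules.Azure
}

function Ensure-ArmTtk {
    # Fetch the pinned ARM-TTK release into the tools folder if it is not there yet.
    if (-not (Test-Path $ArmTtkModule)) {
        $toolsDir = Split-Path (Split-Path $ArmTtkModule -Parent) -Parent
        New-Item -ItemType Directory -Path $toolsDir -Force | Out-Null
        $zip = Join-Path $toolsDir 'arm-ttk.zip'
        Invoke-WebRequest -Uri $ArmTtkZipUrl -OutFile $zip
        # Assumption: the zip contains a top-level arm-ttk/ folder holding arm-ttk.psd1.
        Expand-Archive -Path $zip -DestinationPath $toolsDir -Force
        Remove-Item $zip
    }
    Import-Module $ArmTtkModule
}

function Test-Blocking($record) {
    # Strict: every failed rule blocks. Lenient (assumed mapping): only Error-level
    # rules and rule execution errors block; lower-severity findings are reported only.
    if ($ValidationLevel -eq 'Strict') { return $true }
    return ($record.Outcome -eq 'Error') -or ($record.Level -eq 'Error')
}

Ensure-PSRule
Ensure-ArmTtk
$failed = $false

# 1. PSRule.Rules.Azure: best-practice and security rules; keep only Fail/Error records
#    and skip the downloaded tooling so it is not scanned as template input.
$ruleRecords = @(Invoke-PSRule -InputPath $TemplatePath -Module PSRule.Rules.Azure -Format File `
    -Outcome Fail,Error -Option @{ 'Input.PathIgnore' = @('**/.tools/**') })
foreach ($r in $ruleRecords) {
    $tag = if (Test-Blocking $r) { $failed = $true; 'FAIL' } else { 'WARN' }
    Write-Host ("[{0}] PSRule {1} on {2}: {3}" -f $tag, $r.RuleName, $r.TargetName, ($r.Reason -join '; '))
}

# 2. ARM-TTK: common deployment issues (apiVersion currency, hardcoded locations, ...).
$ttkResults = @(Test-AzTemplate -TemplatePath $TemplatePath)
foreach ($t in ($ttkResults | Where-Object { -not $_.Passed })) {
    Write-Host ("[FAIL] ARM-TTK '{0}' in {1}: {2}" -f $t.Name, $t.File, ($t.Errors -join '; '))
    $failed = $true
}

# 3. Azure CLI: server-side validation without deploying (optional).
if ($ResourceGroup) {
    $files = if (Test-Path $TemplatePath -PathType Leaf) { @(Get-Item $TemplatePath) }
             else { @(Get-ChildItem -Path $TemplatePath -Recurse -Filter 'azuredeploy.json') }
    foreach ($f in $files) {
        az deployment group validate --resource-group $ResourceGroup --template-file $f.FullName --output none
        if ($LASTEXITCODE -ne 0) { Write-Host "[FAIL] az validate rejected $($f.FullName)"; $failed = $true }
    }
}

if ($failed) { Write-Host "Template validation failed ($ValidationLevel mode)." -ForegroundColor Red; exit 1 }
Write-Host "Template validation passed ($ValidationLevel mode)."
```

Run it with no arguments to check the whole release folder in Strict mode, or with `-TemplatePath release/finops-hub/azuredeploy.json -ValidationLevel Lenient` for one template. The Azure CLI step is opt-in because it needs a signed-in session and an existing resource group, and templates whose parameters lack defaults will need a `--parameters` file added to that call; PSRule and ARM-TTK run entirely offline, which is what makes them usable as a pre-commit gate.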

Copilot AI and others added 2 commits May 19, 2025 17:26
Co-authored-by: MSBrett <24294904+MSBrett@users.noreply.github.com>
@Copilot Copilot AI changed the title [WIP] ARM template deployment tests Add ARM template validation with GitHub Actions and PSRule May 19, 2025
@Copilot Copilot AI requested a review from MSBrett May 19, 2025 17:30
Copilot finished work on behalf of MSBrett May 19, 2025 17:30
…n permissions


Test and adjust as needed.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Contributor commented:
Replace azure/setup-azure-cli@v1 with the latest supported version. As of now, the latest version is azure/setup-azure-cli@v3. Update the workflow as follows:

  - name: Setup Azure CLI
    uses: azure/setup-azure-cli@v3

Contributor commented:
Here's the corrected part:

jobs:
  validate_templates:
    name: Validate ARM Templates
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Setup Az PowerShell module
        shell: pwsh
        run: |
          Install-Module -Name Az -Force -AllowClobber -Scope CurrentUser
          Install-Module -Name PSRule.Rules.Azure -Force -Scope CurrentUser

      - name: Setup Azure CLI
        uses: azure/setup-azure-cli@v3  # Updated version

      - name: Setup Bicep
        uses: anthony-c-martin/setup-bicep@v0.5

Contributor Author (Copilot) commented:
I've updated the Azure CLI setup action from v1 to v3 as requested. The change can be found in commit 3356e4b.

Contributor Author (Copilot) commented:
The Azure CLI setup action has already been updated from v1 to v3 as requested. This change was implemented in commit 3356e4b.

Co-authored-by: MSBrett <24294904+MSBrett@users.noreply.github.com>
Copilot finished work on behalf of MSBrett May 19, 2025 18:05
Copilot finished work on behalf of MSBrett May 19, 2025 18:07
@flanakin flanakin added this to the 2025-06 - June milestone May 21, 2025
Phase 1 implementation:
- Move ARM-TTK download location from .temp to release/.tools
- Disable CI/CD validation (manual dispatch only)
- Update documentation with phased rollout plan
- Create issue #1696 for Phase 2 template fixes
- Add validation level support (Strict/Lenient modes)

This allows developers to use validation locally while we fix existing template errors before enabling CI/CD validation.
@MSBrett MSBrett marked this pull request as ready for review June 15, 2025 07:24
Labels: Needs: Review 👀 (PR that is ready to be reviewed); Skill: DevOps (GitHub setup and automation); Skill: Documentation (Documentation updates); Tool: FinOps guide (Implementing FinOps guide)

Projects: None yet

Development: Successfully merging this pull request may close these issues: ARM template deployment tests

6 participants