Edit

Share via

Deploy to Azure App Service by using GitHub Actions

  • Article

Use GitHub Actions to automate your workflow and deploy to Azure App Service from GitHub.

Prerequisites

Set up GitHub Actions deployment when creating an app

GitHub Actions deployment is integrated into the default Create Web App process. Set Continuous deployment to Enable in the Deployment tab, and configure your chosen organization, repository, and branch.

Screenshot that shows how to enable GitHub Actions deployment in the App Service Deployment tab.

When you enable continuous deployment, the Create Web App process automatically picks the authentication method based on the basic authentication selection and configures your app and your GitHub repository accordingly:

Basic authentication selection Authentication method
Disable User-assigned identity (OpenID Connect) (recommended)
Enable Basic authentication

Note

When you create an app, you might receive an error that states that your Azure account doesn't have certain permissions. Your account might need the required permissions to create and configure the user-assigned identity. For an alternative, see the following section.

Set up GitHub Actions deployment from Deployment Center

For an existing app, you can quickly get started with GitHub Actions by using Deployment Center in App Service. This turnkey method generates a GitHub Actions workflow file based on your application stack and commits it to your GitHub repository.

By using Deployment Center, you can also easily configure the more secure OpenID Connect authentication with a user-assigned identity. For more information, see the user-assigned identity option.

If your Azure account has the needed permissions, you can create a user-assigned identity. Otherwise, you can select an existing user-assigned managed identity in the Identity dropdown menu. You can work with your Azure administrator to create a user-assigned managed identity with the Website Contributor role.

For more information, see Continuous deployment to Azure App Service.

Manually set up a GitHub Actions workflow

You can deploy a workflow without using Deployment Center. Perform these three steps:

  1. Generate deployment credentials.
  2. Configure the GitHub secret.
  3. Add the workflow file to your GitHub repository.

Generate deployment credentials

We recommend that you use OpenID Connect to authenticate with Azure App Service for GitHub Actions. This authentication method uses short-lived tokens. Setting up OpenID Connect with GitHub Actions is more complex but offers hardened security.

You can also authenticate with a user-assigned managed identity, a service principal, or a publish profile.

The following procedure describes the steps for creating a Microsoft Entra application, service principal, and federated credentials using Azure CLI statements. To learn how to create a Microsoft Entra application, service principal, and federated credentials in the Azure portal, see Connect GitHub and Azure.

  1. If you don't have an existing application, register a new Microsoft Entra application and service principal that can access resources. Create the Microsoft Entra application.

    az ad app create --display-name myApp

    This command returns a JSON output with an appId that is your client-id. Save the value to use as the AZURE_CLIENT_ID GitHub secret later.

    You use the objectId value when you create federated credentials with Graph API and reference it as the APPLICATION-OBJECT-ID.

  2. Create a service principal. Replace the $appID with the appId from your JSON output.

    This command generates a JSON output with a different objectId to use in the next step. The new objectId is the assignee-object-id.

    Copy the appOwnerTenantId to later use as a GitHub secret for AZURE_TENANT_ID.

    az ad sp create --id $appId

  3. Create a new role assignment by subscription and object. By default, the role assignment is tied to your default subscription. Replace $subscriptionId with your subscription ID, $resourceGroupName with your resource group name, $webappName with your web app name, and $assigneeObjectId with the generated id. Learn how to manage Azure subscriptions with the Azure CLI.

    az role assignment create --role contributor --subscription $subscriptionId --assignee-object-id  $assigneeObjectId --scope /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/$webappName --assignee-principal-type ServicePrincipal

  4. Run the following command to create a new federated identity credential for your Microsoft Entra app.

    • Replace APPLICATION-OBJECT-ID with the appId that you generated during app creation for your Active Directory application.

    • Set a value for CREDENTIAL-NAME to reference later.

    • Set the subject. GitHub defines its value depending on your workflow:

      • For jobs in your GitHub Actions environment, use: repo:< Organization/Repository >:environment:< Name >
      • For jobs not tied to an environment, include the ref path for branch/tag based on the ref path used for triggering the workflow: repo:< Organization/Repository >:ref:< ref path>. For example, repo:n-username/ node_express:ref:refs/heads/my-branch or repo:n-username/ node_express:ref:refs/tags/my-tag.
      • For workflows triggered by a pull request event, use: repo:< Organization/Repository >:pull_request.
    az ad app federated-credential create --id <APPLICATION-OBJECT-ID> --parameters credential.json
("credential.json" contains the following content)
{
    "name": "<CREDENTIAL-NAME>",
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:organization/repository:ref:refs/heads/main",
    "description": "Testing",
    "audiences": [
        "api://AzureADTokenExchange"
    ]
}

Configure the GitHub secret

You need to provide your application's Client ID, Tenant ID, and Subscription ID to the Azure/login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.

  1. Open your GitHub repository and go to Settings > Security > Secrets and variables > Actions > New repository secret.

  2. Create secrets for AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_SUBSCRIPTION_ID. Use these values from your Active Directory application for your GitHub secrets:

    GitHub secret Active Directory application
    AZURE_CLIENT_ID Application (client) ID
    AZURE_TENANT_ID Directory (tenant) ID
    AZURE_SUBSCRIPTION_ID Subscription ID

  3. Select Add secret to save each secret.

Add the workflow file to your GitHub repository

A YAML (.yml) file in the /.github/workflows/ path in your GitHub repository defines a workflow. This definition contains the various steps and parameters that make up the workflow.

At a minimum, the workflow file has the following distinct steps:

  1. Authenticate with App Service by using the GitHub secret you created.
  2. Build the web app.
  3. Deploy the web app.

To deploy your code to an App Service app, use the azure/webapps-deploy@v3 action. The action requires the name of your web app in app-name and, depending on your language stack, the path of a *.zip, *.war, *.jar, or folder to deploy in package. For a complete list of possible inputs for the azure/webapps-deploy@v3 action, see action.yml.

The following examples show the part of the workflow that builds the web app, in different supported languages.

To deploy with OpenID Connect by using the managed identity you configured, use the azure/login@v2 action with the client-id, tenant-id, and subscription-id keys. Reference the GitHub secrets that you created earlier.

name: .NET Core

on: [push]

permissions:
      id-token: write
      contents: read

env:
  AZURE_WEBAPP_NAME: my-app    # Set this to your application's name
  AZURE_WEBAPP_PACKAGE_PATH: '.'      # Set this to the path to your web app project, defaults to the repository root
  DOTNET_VERSION: '6.0.x'           # Set this to the dot net version to use

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      # Check out the repo
      - uses: actions/checkout@main
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      
      # Setup .NET Core SDK
      - name: Setup .NET Core
        uses: actions/setup-dotnet@v3
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }} 
      
      # Run dotnet build and publish
      - name: dotnet build and publish
        run: |
          dotnet restore
          dotnet build --configuration Release
          dotnet publish -c Release --property:PublishDir='${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp' 
          
      # Deploy to Azure Web apps
      - name: 'Run Azure webapp deploy action using publish profile credentials'
        uses: azure/webapps-deploy@v3
        with: 
          app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name
          package: '${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp'
      
      - name: logout
        run: |
          az logout

Frequently asked questions

How do I deploy a WAR file through the Maven plugin?

If you configured your Java Tomcat project with the Maven plugin, you can also deploy to Azure App Service through this plugin. If you use the Azure CLI GitHub action, it makes use of your Azure credentials.

    - name: Azure CLI script file
      uses: azure/cli@v2
      with:
        inlineScript: |
          mvn package azure-webapp:deploy

For more information on how to use and configure the Maven plugin, see Maven plugin wiki for Azure App Service.

How do I deploy a WAR file through the Azure CLI?

If you prefer to use the Azure CLI to deploy to App Service, you can use the GitHub Action for the Azure CLI.

- name: Azure CLI script
  uses: azure/cli@v2
  with:
    inlineScript: |
      az webapp deploy --src-path '${{ github.workspace }}/target/yourpackage.war' --name ${{ env.AZURE_WEBAPP_NAME }} --resource-group ${{ env.RESOURCE_GROUP }}  --async true --type war

For more information on how to use and configure the GitHub action for the Azure CLI, see the Azure CLI GitHub action.

For more information on the az webapp deploy command, including how to use it and the parameter details, see az webapp deploy documentation.

How do I deploy a startup file?

Use the GitHub Action for the Azure CLI. For example:

- name: Deploy startup script
  uses: azure/cli@v2
  with:
    inlineScript: |
      az webapp deploy --src-path ${{ github.workspace }}/src/main/azure/createPasswordlessDataSource.sh --name ${{ env.AZURE_WEBAPP_NAME }} --resource-group ${{ env.RESOURCE_GROUP }} --type startup --track-status false

How do I deploy to a container?

With the Azure Web Deploy action, you can automate your workflow to deploy custom containers to App Service by using GitHub Actions. For more information, see Deploy to a container.

How do I update the Tomcat configuration after deployment?

If you want to update any of your web apps settings after deployment, you can use the App Service settings action.

    - uses: azure/appservice-settings@v1
      with:
        app-name: 'my-app'
        slot-name: 'staging'  # Optional and needed only if the settings have to be configured on the specific deployment slot
        app-settings-json: '[{ "name": "CATALINA_OPTS", "value": "-Dfoo=bar" }]' 
        connection-strings-json: '${{ secrets.CONNECTION_STRINGS }}'
        general-settings-json: '{"alwaysOn": "false", "webSocketsEnabled": "true"}' #'General configuration settings as Key Value pairs'
      id: settings

For more information on how to use and configure this action, see the App Service settings repository.

Related content

Check out the following references on Azure GitHub Actions and workflows: