Deploying to Azure from GitHub Actions
Azure deploys use a federated credential on an app registration for keyless login.
Azure supports the same keyless model: register an app, add a federated credential trusting GitHub OIDC, and log in with azure/login. This lesson shows the auth setup and a deploy to Azure App Service.
Federated credentials
On an Azure AD app registration (or managed identity), you add a federated credential that trusts tokens from your GitHub repo and branch. The azure/login action then authenticates with OIDC, requesting no client secret. Standing credentials never live in GitHub.
Authenticate and deploy
Log in with OIDC, then deploy to App Service:
permissions: { id-token: write, contents: read }
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- uses: azure/webapps-deploy@v3
with:
app-name: my-app
package: ./distAzure deploy targets
- App Service: managed web apps via azure/webapps-deploy.
- Container Apps: serverless containers with revisions and traffic splitting.
- AKS: Kubernetes deploys with kubectl or Helm.
- Functions: event-driven serverless via azure/functions-action.
Deployment slots
App Service slots give you blue-green for free: deploy to a staging slot, validate, then swap it with production. The swap is near-instant and reversible by swapping back.
Key takeaways
- A federated credential on an app registration enables keyless Azure login.
- Use azure/login then a target-specific deploy action for App Service, AKS, or Functions.
- App Service deployment slots provide blue-green swaps out of the box.