Skip to content
Latchkey

Deploying to Azure from GitHub Actions

Azure deploys use a federated credential on an app registration for keyless login.

Azure supports the same keyless model: register an app, add a federated credential trusting GitHub OIDC, and log in with azure/login. This lesson shows the auth setup and a deploy to Azure App Service.

Federated credentials

On an Azure AD app registration (or managed identity), you add a federated credential that trusts tokens from your GitHub repo and branch. The azure/login action then authenticates with OIDC, requesting no client secret. Standing credentials never live in GitHub.

Authenticate and deploy

Log in with OIDC, then deploy to App Service:

.github/workflows/deploy-azure.yml
permissions: { id-token: write, contents: read }
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - uses: azure/webapps-deploy@v3
        with:
          app-name: my-app
          package: ./dist

Azure deploy targets

  • App Service: managed web apps via azure/webapps-deploy.
  • Container Apps: serverless containers with revisions and traffic splitting.
  • AKS: Kubernetes deploys with kubectl or Helm.
  • Functions: event-driven serverless via azure/functions-action.

Deployment slots

App Service slots give you blue-green for free: deploy to a staging slot, validate, then swap it with production. The swap is near-instant and reversible by swapping back.

Key takeaways

  • A federated credential on an app registration enables keyless Azure login.
  • Use azure/login then a target-specific deploy action for App Service, AKS, or Functions.
  • App Service deployment slots provide blue-green swaps out of the box.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →