Enable GitHub developers to deploy to Azure WebApps using GitHub Actions
Azure/webapps-deploy
With the Azure App Service Actions for GitHub, you can automate your workflow to deploy Azure Web Apps or Azure Web Apps for Containers using GitHub Actions.
Get started today with a free Azure account.
This repository contains GitHub Action for Azure WebApp to deploy to an Azure WebApp (Windows or Linux). The action supports deploying a folder, *.jar, *.war, and *.zip files (except msBuild generated packages).
You can also use this GitHub Action to deploy your customized image into an Azure WebApps container.
For deploying container images to Kubernetes, consider using Kubernetes deploy action. This action requires that the cluster context be set earlier in the workflow by using either the Azure/aks-set-context action or the Azure/k8s-set-context action.
The definition of this GitHub Action is in action.yml. startup-command is applicable only for Linux apps and not for Windows apps. Currently startup-command is supported only for Linux apps when SPN is provided and not when publish profile is provided.
NOTE: you must have write permissions to the repository in question. If you're using a sample repository from Microsoft, be sure to first fork the repository to your own GitHub account.
Checkout your Git repository content into GitHub Actions agent.
Authenticate using Azure Web App Publish Profile or using the Azure Login Action. Examples of both are given later in this article.
The action supports using publish profile for Azure Web Apps (both Windows and Linux) and Azure Web Apps for Containers (both Windows and Linux).
Note: As of October 2020, Linux web apps will need the app setting WEBSITE_WEBDEPLOY_USE_SCM set to true before downloading the publish profile from the portal. This requirement will be removed in the future.
The action does not support multi-container scenario with publish profile. Enable Run from Package, otherwise remote build will take time and the deployment will take longer.
To build app code in a specific language based environment, use setup actions:
- Setup DotNet Sets up a dotnet environment by optionally downloading and caching a version of dotnet by SDK version and adding to PATH.
- Setup Node sets up a node environment by optionally downloading and caching a version of node - npm by version spec and adding it to PATH.
- Setup Python sets up Python environment by optionally installing a version of python and adding to PATH.
- Setup Java sets up Java app environment optionally downloading and caching a version of java by version and adding to PATH. Downloads from Azul's Zulu distribution.
To build and deploy a containerized app, use docker-login to log in to a private container registry such as Azure Container registry.
Once login is done, the next set of Actions in the workflow can perform tasks such as building, tagging and pushing containers.
Note: Workflow samples with sample application code and deployment procedure for various runtime environments are given at https://github.com/Azure/actions-workflow-samples/tree/master/AppService.
For example, if you want to deploy a Java WAR based app, you can follow the link https://github.com/Azure-Samples/Java-application-petstore-ee7 in the sample workflow templates.
- Review the pre-requisites outlined in the "Dependencies on Other Github Actions" section above.
- Create a web app in Azure using app service. Follow the tutorial Azure Web Apps Quickstart.
- Pick a template from the following table depending on your Azure web app runtime and place the template in .github/workflows/ in your project repository.
- Change app-name to your Web app name created in the first step.
- Commit and push your project to the GitHub repository; you should see a new GitHub Action initiated in the Actions tab.
| Runtime | Template |
|---|---|
| DotNet | dotnet.yml |
| Node | node.yml |
| Java | java_jar.yml |
| Java | java_war.yml |
| Python | python.yml |
| PHP | php.yml |
| DOCKER | docker.yml |
| GO | go.yml |
| SiteContainers | SiteContainers.yml |
| SiteContainers with Blessed App | SiteContainersWithBlessed.yml |
```yaml
# File: .github/workflows/workflow.yml

on: push

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
    # checkout the repo
    - name: 'Checkout Github Action'
      uses: actions/checkout@master

    - name: Setup Node 10.x
      uses: actions/setup-node@v1
      with:
        node-version: '10.x'

    - name: 'npm install, build, and test'
      run: |
        npm install
        npm run build --if-present
        npm run test --if-present

    - name: 'Run Azure webapp deploy action using publish profile credentials'
      uses: azure/webapps-deploy@v2
      with:
        app-name: node-rn
        publish-profile: ${{ secrets.azureWebAppPublishProfile }}
```
```yaml
on: [push]

name: Linux_Container_Node_Workflow

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
    # checkout the repo
    - name: 'Checkout Github Action'
      uses: actions/checkout@master

    - uses: azure/docker-login@v1
      with:
        login-server: contoso.azurecr.io
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_PASSWORD }}

    - run: |
        docker build . -t contoso.azurecr.io/nodejssampleapp:${{ github.sha }}
        docker push contoso.azurecr.io/nodejssampleapp:${{ github.sha }}

    - uses: azure/webapps-deploy@v2
      with:
        app-name: 'node-rnc'
        publish-profile: ${{ secrets.azureWebAppPublishProfile }}
        images: 'contoso.azurecr.io/nodejssampleapp:${{ github.sha }}'
```
Webapps deploy Actions is supported for the Azure public cloud as well as Azure government clouds ('AzureUSGovernment' or 'AzureChinaCloud') and Azure Stack ('AzureStack') Hub. Before running this action, login to the respective Azure Cloud using Azure Login by setting appropriate value for the environment parameter.
For any credentials like Azure Service Principal, Publish Profile etc add them as secrets in the GitHub repository and then use them in the workflow.
The above example uses app-level credentials i.e., publish profile file for deployment.
Follow the steps to configure the secret:
- Note: As of October 2020, Linux web apps will need the app setting WEBSITE_WEBDEPLOY_USE_SCM set to true before continuing with next step of downloading the publish profile. This requirement will be removed in the future.
- Download the publish profile for the WebApp from the portal (Get Publish profile option)
- While deploying to slot, download the publish profile for slot. Also specify the slot-name field with the name of the slot.
- Define a new secret under your repository settings, Add secret menu
- Paste the contents for the downloaded publish profile file into the secret's value field
- Now in the workflow file in your branch: .github/workflows/workflow.yml replace the secret for the input publish-profile: of the deploy Azure WebApp action (Refer to the example above)
Sample workflow to build and deploy a Node.js app to Containerized WebApp using Azure service principal
Use Azure Login with a service principal that's authorized for Web app deployment. Once login is done, the next set of Azure actions in the workflow can re-use the same session within the job.
```yaml
on: [push]

name: Linux_Container_Node_Workflow

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
    # checkout the repo
    - name: 'Checkout Github Action'
      uses: actions/checkout@master

    - name: 'Login via Azure CLI'
      uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}

    - uses: azure/docker-login@v1
      with:
        login-server: contoso.azurecr.io
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_PASSWORD }}

    - run: |
        docker build . -t contoso.azurecr.io/nodejssampleapp:${{ github.sha }}
        docker push contoso.azurecr.io/nodejssampleapp:${{ github.sha }}

    - uses: azure/webapps-deploy@v2
      with:
        app-name: 'node-rnc'
        images: 'contoso.azurecr.io/nodejssampleapp:${{ github.sha }}'
```
The previous sample workflow depends on user-level credentials stored as a secret named AZURE_CREDENTIALS in your repository. The value of this secret is expected to be a JSON object that represents a service principal (an identifier for an application or process) that authenticates the workflow with Azure.
To function correctly, this service principal must be assigned the Contributor role for the web app or the resource group that contains the web app.
The following steps describe how to create the service principal, assign the role, and create a secret in your repository with the resulting credentials.
Open the Azure Cloud Shell at https://shell.azure.com. You can alternately use the Azure CLI if you've installed it locally. (For more information on Cloud Shell, see the Cloud Shell Overview.)
Use the az ad sp create-for-rbac command to create a service principal and assign a Contributor role:

```bash
az ad sp create-for-rbac --name "{sp-name}" --sdk-auth --role contributor \
    --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Web/sites/{app-name}
```

Replace the following:

- {sp-name} with a suitable name for your service principal, such as the name of the app itself. The name must be unique within your organization.
- {subscription-id} with the subscription you want to use
- {resource-group} the resource group containing the web app.
- {app-name} with the name of the web app.

This command invokes Azure Active Directory (via the ad part of the command) to create a service principal (via sp) specifically for Role-Based Access Control (RBAC) (via create-for-rbac).

The --role argument specifies the permissions to grant to the service principal at the specified --scopes. In this case, you grant the built-in Contributor role at the scope of the web app in the specified resource group in the specified subscription.

If desired, you can omit the part of the scope starting with /providers/... to grant the service principal the Contributor role for the entire resource group:

```bash
az ad sp create-for-rbac --name "{sp-name}" --sdk-auth --role contributor \
    --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group}
```

For security purposes, however, it's always preferable to grant permissions at the most restrictive scope possible.

When complete, the az ad sp create-for-rbac command displays JSON output in the following form (which is specified by the --sdk-auth argument):

```
{
  "clientId": "<GUID>",
  "clientSecret": "<GUID>",
  "subscriptionId": "<GUID>",
  "tenantId": "<GUID>",
  (...)
}
```

In your repository, use Add secret to create a new secret named AZURE_CREDENTIALS (as shown in the example workflow), or using whatever name is in your workflow file.

Paste the entire JSON object produced by the az ad sp create-for-rbac command as the secret value and save the secret.
NOTE: to manage service principals created with az ad sp create-for-rbac, visit the Azure portal, navigate to your Azure Active Directory, then select Manage > App registrations on the left-hand menu. Your service principal should appear in the list. Select a principal to navigate to its properties. You can also manage role assignments using the az role assignment command.
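The most-restrictive-scope advice above can be verified after the service principal exists. As an added example (not part of the original README or the action's code), this Python script reads JSON shaped like the output of az role assignment list --assignee <clientId> --all -o json and lists every assignment that is broader than the one web app; the sample data, the demo-rg resource group and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `az role assignment list --assignee <clientId> --all -o json`
# output; the subscription ID and resource group name are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/demo-rg/providers/Microsoft.Web/sites/node-rnc"},
    {"roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/demo-rg"},
    {"roleDefinitionName": "Owner", "scope": SUB},
])


def classify_scope(scope):
    """Return (kind, app_name) for an ARM scope; app_name is None unless kind == 'site'."""
    parts = scope.strip("/").split("/")
    low = [p.lower() for p in parts]
    if low[:1] != ["subscriptions"] or len(parts) < 2:
        return "other", None          # root, management group, or malformed
    if len(parts) == 2:
        return "subscription", None
    if low[2] != "resourcegroups" or len(parts) < 4:
        return "other", None
    if len(parts) == 4:
        return "resource-group", None
    if len(parts) >= 8 and low[4:7] == ["providers", "microsoft.web", "sites"]:
        return "site", parts[7]       # also covers slots under the site
    return "other", None


def audit(assignments_json, expected_app):
    """List (role, scope, reason) for each assignment broader than, or outside, the web app."""
    findings = []
    for entry in json.loads(assignments_json):
        scope = entry.get("scope", "")
        role = entry.get("roleDefinitionName", "unknown")
        kind, app = classify_scope(scope)
        if kind == "site" and app.lower() == expected_app.lower():
            continue                  # scoped to the intended web app
        reason = "different web app" if kind == "site" else kind + " scope"
        findings.append((role, scope, reason))
    return findings


if __name__ == "__main__":
    for role, scope, reason in audit(SAMPLE_ASSIGNMENTS, "node-rnc"):
        print(f"REVIEW {role} at {scope} ({reason})")
```

Scopes the classifier does not recognise (root or management-group scopes, for instance) are reported as "other scope" rather than silently accepted.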
This sample assumes the node-rnc web application has been previously configured to authenticate against the private registry. If you wish to set private registry authentication settings on the workflow, you can either use:
- The command az webapp config container to configure the registry url, username and password.
- Setup the authentication settings using azure/appservice-settings action, like this for example:
```yaml
- name: Set Web App ACR authentication
  uses: Azure/appservice-settings@v1
  with:
    app-name: 'node-rnc'
    app-settings-json: |
      [
          {
              "name": "DOCKER_REGISTRY_SERVER_PASSWORD",
              "value": "${{ secrets.REGISTRY_PASSWORD }}",
              "slotSetting": false
          },
          {
              "name": "DOCKER_REGISTRY_SERVER_URL",
              "value": "https://contoso.azurecr.io",
              "slotSetting": false
          },
          {
              "name": "DOCKER_REGISTRY_SERVER_USERNAME",
              "value": "${{ secrets.REGISTRY_USERNAME }}",
              "slotSetting": false
          }
      ]
```
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.