Deploy a custom container to App Service using GitHub Actions

GitHub Actions gives you the flexibility to build an automated software development workflow. With the Azure Web Deploy action, you can automate your workflow to deploy custom containers to App Service using GitHub Actions.

A workflow is defined by a YAML (.yml) file in the /.github/workflows/ path in your repository. This definition contains the various steps and parameters that are in the workflow.

For an Azure App Service container workflow, the file has three sections:

Section Tasks
Authentication 1. Retrieve a service principal or publish profile.
2. Create a GitHub secret.
Build 1. Create the environment.
2. Build the container image.
Deploy 1. Deploy the container image.

Prerequisites

Generate deployment credentials

The recommended way to authenticate with Azure App Services for GitHub Actions is with a publish profile. You can also authenticate with a service principal but the process requires more steps.

Save your publish profile credential or service principal as a GitHub secret to authenticate with Azure. You'll access the secret within your workflow.

A publish profile is an app-level credential. Set up your publish profile as a GitHub secret.

  1. Go to your app service in the Azure portal.

  2. On the Overview page, select Get Publish profile.

    Note

    As of October 2020, Linux web apps will need the app setting WEBSITE_WEBDEPLOY_USE_SCM set to true before downloading the file. This requirement will be removed in the future.

  3. Save the downloaded file. You'll use the contents of the file to create a GitHub secret.

Configure the GitHub secret

In GitHub, browse your repository, select Settings > Secrets > Add a new secret.

Paste the contents of the JSON output as the value of secret variable. Give the secret the name like AZURE_CREDENTIALS.

When you configure the workflow file later, you use the secret for the input creds of the Azure Login action. For example:

- uses: azure/login@v1
  with:
    creds: ${{ secrets.AZURE_CREDENTIALS }}

Configure the GitHub secret for authentication

In GitHub, browse your repository, select Settings > Secrets > Add a new secret.

To use app-level credentials, paste the contents of the downloaded publish profile file into the secret's value field. Name the secret AZURE_WEBAPP_PUBLISH_PROFILE.

When you configure your GitHub workflow, you use the AZURE_WEBAPP_PUBLISH_PROFILE in the deploy Azure Web App action. For example:

- uses: azure/webapps-deploy@v2
  with:
    publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}

Configure GitHub secrets for your registry

Define secrets to use with the Docker Login action.

  1. Go to your container in the Azure portal or Docker and copy the username and password.

  2. Define a new secret for the registry username named REGISTRY_USERNAME.

  3. Define a new secret for the registry password named REGISTRY_PASSWORD.

Build the Container image

The following example show part of the workflow that builds a Node.JS Docker image. Use Docker Login to log into a private container registry. This example uses Azure Container Registry but the same action works for other registries.

name: Linux Container Node Workflow

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - uses: azure/docker-login@v1
      with:
        login-server: mycontainer.azurecr.io
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_PASSWORD }}
    - run: |
        docker build . -t mycontainer.azurecr.io/myapp:${{ github.sha }}
        docker push mycontainer.azurecr.io/myapp:${{ github.sha }}     

You can also use Docker Login to log into multiple container registries at the same time. This example includes two new GitHub secrets for authentication with docker.io.

name: Linux Container Node Workflow

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - uses: azure/docker-login@v1
      with:
        login-server: mycontainer.azurecr.io
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_PASSWORD }}
    - uses: azure/docker-login@v1
      with:
        login-server: index.docker.io
        username: ${{ secrets.DOCKERIO_USERNAME }}
        password: ${{ secrets.DOCKERIO_PASSWORD }}
    - run: |
        docker build . -t mycontainer.azurecr.io/myapp:${{ github.sha }}
        docker push mycontainer.azurecr.io/myapp:${{ github.sha }}     

Deploy to an App Service container

To deploy your image to a custom container in App Service, use the azure/webapps-deploy@v2 action. This action has seven parameters:

Parameter Explanation
app-name (Required) Name of the App Service app
publish-profile (Optional) Applies to Web Apps(Windows and Linux) and Web App Containers(linux). Multi container scenario not supported. Publish profile (*.publishsettings) file contents with Web Deploy secrets
slot-name (Optional) Enter an existing Slot other than the Production slot
package (Optional) Applies to Web App only: Path to package or folder. *.zip, *.war, *.jar or a folder to deploy
images (Required) Applies to Web App Containers only: Specify the fully qualified container image(s) name. For example, 'myregistry.azurecr.io/nginx:latest' or 'python:3.7.2-alpine/'. For a multi-container app, multiple container image names can be provided (multi-line separated)
configuration-file (Optional) Applies to Web App Containers only: Path of the Docker-Compose file. Should be a fully qualified path or relative to the default working directory. Required for multi-container apps.
startup-command (Optional) Enter the start-up command. For ex. dotnet run or dotnet filename.dll
name: Linux Container Node Workflow

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2

    - uses: azure/docker-login@v1
      with:
        login-server: mycontainer.azurecr.io
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_PASSWORD }}

    - run: |
        docker build . -t mycontainer.azurecr.io/myapp:${{ github.sha }}
        docker push mycontainer.azurecr.io/myapp:${{ github.sha }}     

    - uses: azure/webapps-deploy@v2
      with:
        app-name: 'myapp'
        publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
        images: 'mycontainer.azurecr.io/myapp:${{ github.sha }}'

Next steps

You can find our set of Actions grouped into different repositories on GitHub, each one containing documentation and examples to help you use GitHub for CI/CD and deploy your apps to Azure.