Deploy ARM templates by using GitHub Actions

GitHub Actions is a suite of features in GitHub to automate your software development workflows in the same place you store code and collaborate on pull requests and issues.

Use the Deploy Azure Resource Manager Template Action to automate deploying an Azure Resource Manager template (ARM template) to Azure.


Workflow file overview

A workflow is defined by a YAML (.yml) file in the /.github/workflows/ path in your repository. This definition contains the various steps and parameters that make up the workflow.

The file has two sections:

Section Tasks
Authentication 1. Define a service principal.
2. Create a GitHub secret.
Deploy 1. Deploy the Resource Manager template.

Generate deployment credentials

You can create a service principal with the az ad sp create-for-rbac command in the Azure CLI. Run this command with Azure Cloud Shell in the Azure portal or by selecting the Try it button.

Create a resource group if you do not already have one.

    az group create -n {MyResourceGroup} -l {location}

Replace the placeholder myApp with the name of your application.

   az ad sp create-for-rbac --name {myApp} --role contributor --scopes /subscriptions/{subscription-id}/resourceGroups/{MyResourceGroup} --sdk-auth

In the example above, replace the placeholders with your subscription ID and resource group name. The output is a JSON object with the role assignment credentials that provide access to your App Service app similar to below. Copy this JSON object for later. You will only need the sections with the clientId, clientSecret, subscriptionId, and tenantId values.

    "clientId": "<GUID>",
    "clientSecret": "<GUID>",
    "subscriptionId": "<GUID>",
    "tenantId": "<GUID>",


It is always a good practice to grant minimum access. The scope in the previous example is limited to the resource group.

Configure the GitHub secrets

You need to create secrets for your Azure credentials, resource group, and subscriptions.

  1. In GitHub, browse your repository.

  2. Select Settings > Secrets > New secret.

  3. Paste the entire JSON output from the Azure CLI command into the secret's value field. Give the secret the name AZURE_CREDENTIALS.

  4. Create another secret named AZURE_RG. Add the name of your resource group to the secret's value field (example: myResourceGroup).

  5. Create an additional secret named AZURE_SUBSCRIPTION. Add your subscription ID to the secret's value field (example: 90fd3f9d-4c61-432d-99ba-1273f236afa2).

Add Resource Manager template

Add a Resource Manager template to your GitHub repository. This template creates a storage account.

You can put the file anywhere in the repository. The workflow sample in the next section assumes the template file is named azuredeploy.json, and it is stored at the root of your repository.

Create workflow

The workflow file must be stored in the .github/workflows folder at the root of your repository. The workflow file extension can be either .yml or .yaml.

  1. From your GitHub repository, select Actions from the top menu.

  2. Select New workflow.

  3. Select set up a workflow yourself.

  4. Rename the workflow file if you prefer a different name other than main.yml. For example: deployStorageAccount.yml.

  5. Replace the content of the yml file with the following:

    on: [push]
    name: Azure ARM
        runs-on: ubuntu-latest
          # Checkout code
        - uses: actions/checkout@main
          # Log into Azure
        - uses: azure/login@v1
            creds: ${{ secrets.AZURE_CREDENTIALS }}
          # Deploy ARM template
        - name: Run ARM deploy
          uses: azure/arm-deploy@v1
            subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
            resourceGroupName: ${{ secrets.AZURE_RG }}
            template: ./azuredeploy.json
            parameters: storageAccountType=Standard_LRS
          # output containerName variable from template
        - run: echo ${{ steps.deploy.outputs.containerName }}


    You can specify a JSON format parameters file instead in the ARM Deploy action (example: .azuredeploy.parameters.json).

    The first section of the workflow file includes:

    • name: The name of the workflow.
    • on: The name of the GitHub events that triggers the workflow. The workflow is trigger when there is a push event on the main branch, which modifies at least one of the two files specified. The two files are the workflow file and the template file.
  6. Select Start commit.

  7. Select Commit directly to the main branch.

  8. Select Commit new file (or Commit changes).

Because the workflow is configured to be triggered by either the workflow file or the template file being updated, the workflow starts right after you commit the changes.

Check workflow status

  1. Select the Actions tab. You will see a Create deployStorageAccount.yml workflow listed. It takes 1-2 minutes to run the workflow.
  2. Select the workflow to open it.
  3. Select Run ARM deploy from the menu to verify the deployment.

Clean up resources

When your resource group and repository are no longer needed, clean up the resources you deployed by deleting the resource group and your GitHub repository.

Next steps