This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
GitHub Actions is a suite of features in GitHub to automate your software development workflows. In this quickstart, you use the GitHub Actions for Azure Resource Manager deployment to automate deploying a Bicep file to Azure.
It provides a short introduction to GitHub actions and Bicep files. If you want more detailed steps on setting up the GitHub actions and project, see Deploy Azure resources by using Bicep and GitHub Actions.
Create a resource group. Later in this quickstart, you deploy your Bicep file to this resource group.
az group create -n exampleRG -l westus
To use Azure Login action with OIDC, you need to configure a federated identity credential on a Microsoft Entra application or a user-assigned managed identity.
Option 1: Microsoft Entra application
Option 2: User-assigned managed identity
You need to provide your application's Client ID, Directory (tenant) ID, and Subscription ID to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.
In GitHub, go to your repository.
Select Security > Secrets and variables > Actions.
Select New repository secret.
Note
To enhance workflow security in public repositories, use environment secrets instead of repository secrets. If the environment requires approval, a job cannot access environment secrets until one of the required reviewers approves it.
Create secrets for AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_SUBSCRIPTION_ID. Copy these values from your Microsoft Entra application or user-assigned managed identity for your GitHub secrets:
| GitHub secret | Microsoft Entra application or user-assigned managed identity |
|---|---|
| AZURE_CLIENT_ID | Client ID |
| AZURE_SUBSCRIPTION_ID | Subscription ID |
| AZURE_TENANT_ID | Directory (tenant) ID |
Note
For security reasons, we recommend using GitHub Secrets rather than passing values directly to the workflow.
Add a Bicep file to your GitHub repository. The following Bicep file creates a storage account:
@minLength(3)
@maxLength(11)
param storagePrefix string
@allowed([
'Standard_LRS'
'Standard_GRS'
'Standard_RAGRS'
'Standard_ZRS'
'Premium_LRS'
'Premium_ZRS'
'Standard_GZRS'
'Standard_RAGZRS'
])
param storageSKU string = 'Standard_LRS'
param location string = resourceGroup().location
var uniqueStorageName = '${storagePrefix}${uniqueString(resourceGroup().id)}'
resource stg 'Microsoft.Storage/storageAccounts@2023-04-01' = {
name: uniqueStorageName
location: location
sku: {
name: storageSKU
}
kind: 'StorageV2'
properties: {
supportsHttpsTrafficOnly: true
}
}
output storageEndpoint object = stg.properties.primaryEndpoints
The Bicep file requires one parameter called storagePrefix with 3 to 11 characters.
You can put the file anywhere in the repository. The workflow sample in the next section assumes the Bicep file is named main.bicep, and it's stored at the root of your repository.
A workflow defines the steps to execute when triggered. It's a YAML (.yml) file in the .github/workflows/ path of your repository. The workflow file extension can be either .yml or .yaml.
To create a workflow, take the following steps:
From your GitHub repository, select Actions from the top menu.
Select New workflow.
Select set up a workflow yourself.
Rename the workflow file if you prefer a different name other than main.yml. For example: deployBicepFile.yml.
Replace the content of the yml file with the following code:
on: [push]
name: Azure ARM
permissions:
id-token: write
contents: read
jobs:
build-and-deploy:
runs-on: ubuntu-latest
steps:
# Checkout code
- uses: actions/checkout@main
# Log into Azure
- uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# Deploy Bicep file
- name: deploy
uses: azure/arm-deploy@v1
with:
subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
resourceGroupName: ${{ secrets.AZURE_RG }}
template: ./main.bicep
parameters: 'storagePrefix=mystore storageSKU=Standard_LRS'
failOnStdErr: false
Select Commit changes.
Select Commit directly to the main branch.
Select Commit new file (or Commit changes).
Updating either the workflow file or Bicep file triggers the workflow. The workflow starts right after you commit the changes.
Status is Success.When your resource group and repository are no longer needed, clean up the resources you deployed by deleting the resource group and your GitHub repository.
az group delete --name exampleRG
Training
Module
Build your first Bicep deployment workflow by using GitHub Actions - Training
Build a basic deployment workflow for Bicep infrastructure as code templates by using Azure DevOps and GitHub Actions.
Certification
Microsoft Certified: Azure Developer Associate - Certifications
Build end-to-end solutions in Microsoft Azure to create Azure Functions, implement and manage web apps, develop solutions utilizing Azure storage, and more.
Documentation
CI/CD with Azure Pipelines, Bicep, and bicepparam files - Azure Resource Manager
In this quickstart, you learn how to configure continuous integration in Azure Pipelines by using Bicep and bicepparam files. It shows how to use an Azure CLI task to deploy a bicepparam file.
Quickstart: Use MSBuild tasks to convert Bicep files and parameters to JSON - Azure Resource Manager
Learn how to use MSBuild to convert Bicep files to JSON Azure Resource Manager templates.
Publish modules to private module registry - Azure Resource Manager
Publish Bicep modules to private module registry and use the modules.