Yes, you can deploy your code to Azure App Service from a CI/CD pipeline with GitHub Actions while also enabling access restrictions. One way to do this is by using a service principal or OpenID Connect for authentication. You can also use a publish profile, but this method requires more steps.
You can also use service endpoints to restrict access to selected Azure virtual network subnets. You can specify the Subscription, Virtual Network, and Subnet in the Azure portal, and match it with what you want to restrict access to.
Another way to restrict access is by using a service tag-based rule. In the Type drop-down list, select Service Tag. All available service tags are supported in access restriction rules. Each service tag represents a list of IP ranges from Azure services.
A more premium offering is using an App Service Environment to enable publishing to an App Service Environment by installing the GitHub Actions for Azure App Service extension. This extension allows you to deploy to an App Service Environment and configure custom domains.
Please let us know if you have further questions or concerns.
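
The following workflow is an added example, not part of the original answer: it signs in with OpenID Connect, allows the runner's address on the app's SCM (deployment) site only for the duration of the job, deploys, and then removes the rule. The resource names, secret names, rule name and the IP echo service are assumptions, and it assumes the SCM site keeps its own rule set rather than inheriting the main site's rules.

```yaml
# Added example: values in <angle brackets> and the secret names are placeholders.
name: deploy-webapp
on:
  push:
    branches: [main]

permissions:
  id-token: write   # lets the job request an OIDC token for azure/login
  contents: read

env:
  RG: <resource-group>
  APP: <app-name>
  RULE: gha-runner-temp   # hypothetical rule name

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # OpenID Connect login: no client secret or publish profile is stored in GitHub.
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Assumption: the runner's egress IP is read from an external echo service.
      - name: Allow this runner on the SCM (deployment) site
        run: |
          RUNNER_IP="$(curl -fsS https://api.ipify.org)"
          az webapp config access-restriction add \
            --resource-group "$RG" --name "$APP" \
            --rule-name "$RULE" --action Allow \
            --ip-address "${RUNNER_IP}/32" --priority 100 \
            --scm-site true

      - uses: azure/webapps-deploy@v3
        with:
          app-name: ${{ env.APP }}
          package: .

      # Runs even if the deploy fails, so the temporary rule is not left behind.
      - name: Remove the temporary rule
        if: always()
        run: |
          az webapp config access-restriction remove \
            --resource-group "$RG" --name "$APP" \
            --rule-name "$RULE" --scm-site true
```

The identity behind `AZURE_CLIENT_ID` needs permission to change the web app's configuration as well as to deploy to it; scope that role assignment to the single app or its resource group rather than the subscription.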