Deploy to Azure Container Apps with GitHub Actions

Azure Container Apps allows you to use GitHub Actions to publish revisions to your container app. As commits are pushed to your GitHub repository, a workflow is triggered which updates the container image in the container registry. Azure Container Apps creates a new revision based on the updated container image.

Changes to a GitHub repo trigger an action to create a new revision.

The GitHub Actions workflow is triggered by commits to a specific branch in your repository. When creating the workflow, you decide which branch triggers the workflow.

This article shows you how to create a fully customizable workflow. To generate a starter GitHub Actions workflow with Azure CLI, see Generate GitHub Actions workflow with Azure CLI.

Azure Container Apps GitHub action

To build and deploy your container app, you add the azure/container-apps-deploy-action action to your GitHub Actions workflow.

The action supports the following scenarios:

  • Build from a Dockerfile and deploy to Container Apps
  • Build from source code without a Dockerfile and deploy to Container Apps. Supported languages include .NET, Java, Node.js, PHP, and Python
  • Deploy an existing container image to Container Apps

Usage examples

Here are some common scenarios for using the action. For more information, see the action's GitHub Marketplace page.

Build and deploy to Container Apps

The following snippet shows how to build a container image from source code and deploy it to Container Apps.

steps:

  - name: Log in to Azure
    uses: azure/login@v1
    with:
      creds: ${{ secrets.AZURE_CREDENTIALS }}

  - name: Build and deploy Container App
    uses: azure/container-apps-deploy-action@v1
    with:
      appSourcePath: ${{ github.workspace }}/src
      acrName: myregistry
      containerAppName: my-container-app
      resourceGroup: my-rg

The action uses the Dockerfile in appSourcePath to build the container image. If no Dockerfile is found, the action attempts to build the container image from source code in appSourcePath.

Deploy an existing container image to Container Apps

The following snippet shows how to deploy an existing container image to Container Apps.

steps:

  - name: Log in to Azure
    uses: azure/login@v1
    with:
      creds: ${{ secrets.AZURE_CREDENTIALS }}

  - name: Build and deploy Container App
    uses: azure/container-apps-deploy-action@v1
    with:
      acrName: myregistry
      containerAppName: my-container-app
      resourceGroup: my-rg
      imageToDeploy: myregistry.azurecr.io/app:${{ github.sha }}

Important

If you're building a container image in a separate step, make sure you use a unique tag such as the commit SHA instead of a stable tag like latest. For more information, see Image tag best practices.

Authenticate with Azure Container Registry

The Azure Container Apps action needs to authenticate with your Azure Container Registry to push the container image. The container app also needs to authenticate with your Azure Container Registry to pull the container image.

To push images, the action automatically authenticates with the container registry specified in acrName using the credentials provided to the azure/login action.

To pull images, Azure Container Apps uses either managed identity (recommended) or admin credentials to authenticate with the Azure Container Registry. To use managed identity, the container app the action is deploying must be configured to use managed identity. To authenticate with the registry's admin credentials, set the action's acrUsername and acrPassword inputs.

Configuration

You take the following steps to configure a GitHub Actions workflow to deploy to Azure Container Apps.

  • Create a GitHub repository for your app
  • Create a container app with managed identity enabled
  • Assign the AcrPull role for the Azure Container Registry to the container app's managed identity
  • Configure secrets in your GitHub repository
  • Create a GitHub Actions workflow

Prerequisites

Requirement Instructions
Azure account If you don't have one, create an account for free. You need the Contributor or Owner permission on the Azure subscription to proceed. Refer to Assign Azure roles using the Azure portal for details.
GitHub Account Sign up for free.
Azure CLI Install the Azure CLI.

Create a GitHub repository and clone source code

Before you create the workflow, the source code for your app must be in a GitHub repository.

  1. Sign in to Azure with the Azure CLI.

    az login
    
  2. Next, install the latest Azure Container Apps extension for the CLI.

    az extension add --name containerapp --upgrade
    
  3. If you don't have your own GitHub repository, create one from a sample.

    1. Navigate to the following location to create a new repository:
    2. Name your repository my-container-app.
  4. Clone the repository to your local machine.

    git clone https://github.com/<YOUR_GITHUB_ACCOUNT_NAME>/my-container-app.git
    

Create a container app with managed identity enabled

Create your container app using the az containerapp up command in the following steps. This command creates Azure resources, builds the container image, stores the image in a registry, and deploys to a container app.

After you create your app, you can add a managed identity to the app and assign the identity the AcrPull role to allow the identity to pull images from the registry.

  1. Change into the src folder of the cloned repository.

    cd my-container-app
    cd src
    
  2. Create Azure resources and deploy a container app with the az containerapp up command.

    az containerapp up \
      --name my-container-app \
      --source . \
      --ingress external 
    
  3. In the command output, note the name of the Azure Container Registry.

  4. Get the full resource ID of the container registry.

    az acr show --name <ACR_NAME> --query id --output tsv
    

    Replace <ACR_NAME> with the name of your registry.

  5. Enable managed identity for the container app.

    az containerapp identity assign \
      --name my-container-app \
      --resource-group my-container-app-rg \
      --system-assigned
    

    Note the principal ID of the managed identity in the command output.

  6. Assign the AcrPull role for the Azure Container Registry to the container app's managed identity.

    az role assignment create \
      --assignee <MANAGED_IDENTITY_PRINCIPAL_ID> \
      --role AcrPull \
      --scope <ACR_RESOURCE_ID>
    

    Replace <MANAGED_IDENTITY_PRINCIPAL_ID> with the principal ID of the managed identity and <ACR_RESOURCE_ID> with the resource ID of the Azure Container Registry.

  7. Configure the container app to use the managed identity to pull images from the Azure Container Registry.

    az containerapp registry set \
      --name my-container-app \
      --resource-group my-container-app-rg \
      --server <ACR_NAME>.azurecr.io \
      --identity system
    

    Replace <ACR_NAME> with the name of your Azure Container Registry.

Configure secrets in your GitHub repository

The GitHub workflow requires a secret named AZURE_CREDENTIALS to authenticate with Azure. The secret contains the credentials for a service principal with the Contributor role on the resource group containing the container app and container registry.

  1. Create a service principal with the Contributor role on the resource group that contains the container app and container registry.

    az ad sp create-for-rbac \
      --name my-app-credentials \
      --role contributor \
      --scopes /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/my-container-app-rg \
      --json-auth \
      --output json
    

    Replace <SUBSCRIPTION_ID> with the ID of your Azure subscription. If your container registry is in a different resource group, specify both resource groups in the --scopes parameter.

  2. Copy the JSON output from the command.

  3. In the GitHub repository, navigate to Settings > Secrets > Actions and select New repository secret.

  4. Enter AZURE_CREDENTIALS as the name and paste the contents of the JSON output as the value.

  5. Select Add secret.

Create a GitHub Actions workflow

  1. In the GitHub repository, navigate to Actions and select New workflow.

  2. Select Set up a workflow yourself.

  3. Paste the following YAML into the editor.

    name: Azure Container Apps Deploy
    
    on:
      push:
        branches:
          - main
    
    jobs:
      build:
        runs-on: ubuntu-latest
    
        steps:
          - uses: actions/checkout@v3
    
          - name: Log in to Azure
            uses: azure/login@v1
            with:
              creds: ${{ secrets.AZURE_CREDENTIALS }}
    
          - name: Build and deploy Container App
            uses: azure/container-apps-deploy-action@v1
            with:
              appSourcePath: ${{ github.workspace }}/src
              acrName: <ACR_NAME>
              containerAppName: my-container-app
              resourceGroup: my-container-app-rg
    

    Replace <ACR_NAME> with the name of your Azure Container Registry. Confirm that the branch name under branches and values for appSourcePath, containerAppName, and resourceGroup match the values for your repository and Azure resources.

  4. Commit the changes to the main branch.

A GitHub Actions workflow run should start to build and deploy your container app. To check its progress, navigate to Actions.

To deploy a new revision of your app, push a new commit to the main branch.