GitHub Actions

Automate your Azure infrastructure deployments using Bicep and GitHub Actions. This guide covers current (2025) DevOps/SRE best practices, secure passwordless authentication with OIDC, and real-world workflow examples: a basic deployment, multi-environment deployment driven by parameter files, and previewing changes with what-if before they are applied.


Why Use GitHub Actions with Bicep?

  • CI/CD Automation: Trigger deployments on code changes, PRs, or schedules

  • Security: Use OIDC for passwordless authentication

  • Multi-Environment: Deploy to dev, test, and prod with parameter files

  • Observability: Integrate deployment status and logs into PRs


Prerequisites

  • Azure subscription

  • GitHub repository

  • Bicep files in your repo (e.g., bicep/main.bicep)

  • Service principal or OIDC setup for authentication


Initial Setup

1. Create a Resource Group

Create (or pick) the resource group the workflow will deploy into. The role assignment in the next step is scoped to this resource group, not to the subscription, so the workflow identity can touch nothing outside it.

2. Configure Authentication

Option A: Service Principal (legacy, less secure)

Create a service principal with a client secret and store the JSON credential object it prints (the format produced by az ad sp create-for-rbac --sdk-auth) as the AZURE_CREDENTIALS repository secret in GitHub. This is a long-lived credential: it has to be rotated, and anyone who can read the repository's secrets holds a standing key to Azure.

Option B: OIDC with federated credentials (recommended)

  • Register an application (or a user-assigned managed identity) in Microsoft Entra ID, add a federated credential for your GitHub repository, and assign it a role on the resource group. At run time GitHub issues the job a short-lived OIDC token, which azure/login exchanges for an Azure access token; no secret is stored in GitHub or in Azure. See Microsoft Docs for setup.

  • The federated credential's subject must match the workflow context exactly or the token exchange is rejected: repo:<org>/<repo>:ref:refs/heads/main for pushes to main, repo:<org>/<repo>:environment:<name> for jobs bound to a GitHub environment, repo:<org>/<repo>:pull_request for pull_request runs. Create one credential per context you deploy from.

  • The only values the workflow needs are the client ID, tenant ID and subscription ID. These are identifiers, not secrets, but storing them as GitHub Secrets or repository variables keeps them out of the workflow file.


Example: Basic Bicep Deployment Workflow
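The workflow below is an added example, not code from the original page: it logs in with OIDC, validates the template, deploys it and prints the outputs. It assumes a resource group named rg-bicep-demo, a parameter file at bicep/params/dev.parameters.json, and repository secrets AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_SUBSCRIPTION_ID (all three are names chosen for this example). The federated credential for this workflow needs the subject repo:<org>/<repo>:ref:refs/heads/main.

```yaml
name: deploy-bicep

on:
  push:
    branches: [main]
    paths: ["bicep/**"]
  workflow_dispatch:

# Workflow-level token stays read-only; only the deploy job gets id-token: write.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets azure/login request the OIDC token from GitHub
      contents: read
    env:
      RESOURCE_GROUP: rg-bicep-demo            # assumed name for this example
      PARAMS_FILE: bicep/params/dev.parameters.json
    steps:
      - uses: actions/checkout@v4

      # OIDC login: no client secret anywhere. The values below are identifiers,
      # stored as secrets only to keep them out of the workflow file.
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Fail fast on template or parameter errors before anything is changed.
      - name: Validate template
        run: |
          az deployment group validate \
            --resource-group "$RESOURCE_GROUP" \
            --template-file bicep/main.bicep \
            --parameters "@$PARAMS_FILE"

      # One deployment name per run makes the deployment history traceable
      # back to the workflow run that produced it.
      - name: Deploy
        run: |
          az deployment group create \
            --name "gh-${GITHUB_RUN_ID}" \
            --resource-group "$RESOURCE_GROUP" \
            --template-file bicep/main.bicep \
            --parameters "@$PARAMS_FILE" \
            --mode Incremental

      # Outputs declared in main.bicep, fetched after the deployment completes.
      - name: Show outputs
        run: |
          az deployment group show \
            --name "gh-${GITHUB_RUN_ID}" \
            --resource-group "$RESOURCE_GROUP" \
            --query properties.outputs
```

Incremental mode leaves resources that are in the resource group but not in the template untouched; Complete mode would delete them, so do not switch to it without a what-if run first. Any @secure() parameter should be supplied as an extra --parameters name=${{ secrets.NAME }} argument rather than written into the parameter file.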


Example: Multi-Environment Deployment
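The following is an added example (not from the original page) of one workflow deploying to dev, test and prod with a parameter file per environment. It assumes resource groups named rg-app-<env>, parameter files at bicep/params/<env>.parameters.json, a template parameter called environmentName, and GitHub environments dev, test and prod, each holding its own AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_SUBSCRIPTION_ID secrets; all of these names are chosen for the example.

```yaml
name: deploy-bicep-environments

on:
  push:
    branches: [main]
    paths: ["bicep/**"]

permissions:
  contents: read

jobs:
  nonprod:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
      matrix:
        env: [dev, test]
    # Binding the job to a GitHub environment selects that environment's secrets
    # and makes the OIDC subject repo:<org>/<repo>:environment:<env>, so each
    # environment gets its own federated credential (and can use its own identity).
    environment: ${{ matrix.env }}
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Deploy to ${{ matrix.env }}
        env:
          ENV_NAME: ${{ matrix.env }}
        run: |
          # A later --parameters wins, so the CLI value overrides the file.
          az deployment group create \
            --name "gh-${GITHUB_RUN_ID}" \
            --resource-group "rg-app-${ENV_NAME}" \
            --template-file bicep/main.bicep \
            --parameters "@bicep/params/${ENV_NAME}.parameters.json" \
            --parameters environmentName="$ENV_NAME"

  prod:
    needs: nonprod
    runs-on: ubuntu-latest
    # Configure required reviewers on the prod environment in repository settings;
    # the job waits here until a reviewer approves it.
    environment: prod
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Deploy to prod
        run: |
          az deployment group create \
            --name "gh-${GITHUB_RUN_ID}" \
            --resource-group rg-app-prod \
            --template-file bicep/main.bicep \
            --parameters @bicep/params/prod.parameters.json \
            --parameters environmentName=prod
```

Because each environment holds its own client ID, the prod identity can be a separate app registration with a role assignment only on rg-app-prod; a compromised dev deployment then has no path to production.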


Example: Preview Changes with What-If
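This added example (not part of the original page) runs what-if on every pull request that touches the Bicep files, uploads the full report as an artifact and posts it as a PR comment with actions/github-script. It assumes the resource group rg-bicep-demo and the parameter file bicep/params/dev.parameters.json from the earlier example, and a federated credential with subject repo:<org>/<repo>:pull_request.

```yaml
name: bicep-what-if

# pull_request, not pull_request_target: a PR from a fork then runs with no
# id-token and no secrets, so untrusted template changes can never reach Azure
# with this workflow's identity.
on:
  pull_request:
    branches: [main]
    paths: ["bicep/**"]

permissions:
  contents: read

jobs:
  what-if:
    # Fork PRs have no credentials; skip instead of failing on azure/login.
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      id-token: write        # OIDC token for azure/login
      contents: read
      pull-requests: write   # required to post the comment
    env:
      RESOURCE_GROUP: rg-bicep-demo            # assumed name for this example
      PARAMS_FILE: bicep/params/dev.parameters.json
    steps:
      - uses: actions/checkout@v4

      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # shell: bash gives "-o pipefail", so a failing what-if still fails the
      # job even though its output is piped through tee.
      - name: Run what-if
        shell: bash
        run: |
          az deployment group what-if \
            --resource-group "$RESOURCE_GROUP" \
            --template-file bicep/main.bicep \
            --parameters "@$PARAMS_FILE" \
            --result-format FullResourcePayloads \
            | tee whatif.txt

      # The full report survives here even if the PR comment has to be truncated.
      - uses: actions/upload-artifact@v4
        with:
          name: what-if-pr-${{ github.event.pull_request.number }}
          path: whatif.txt

      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const fence = '`'.repeat(3);
            const limit = 60000; // comment bodies are capped at 65536 characters
            let report = fs.readFileSync('whatif.txt', 'utf8');
            if (report.length > limit) {
              report = report.slice(0, limit) + '\n... truncated, see the what-if artifact';
            }
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: `What-if for ${process.env.RESOURCE_GROUP} at ${context.sha.slice(0, 7)}\n\n${fence}\n${report}\n${fence}`,
            });
```

Reviewers see the planned creates, modifies and deletes before approving; a Delete line in the report is the signal to look twice at a template change. What-if needs the same parameters as the real deployment, so if the template has @secure() parameters they must be passed here too (from environment-scoped secrets), or the run will fail validation.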


Security Best Practices

  • Use OIDC for authentication: no long-lived client secret is stored in GitHub, and the token the job receives expires within the hour. Grant id-token: write only to the job that logs in, not at the workflow level.

  • Assign least-privilege roles: scope the role assignment to the resource group the workflow deploys into (Contributor at most, narrower if the templates allow it), never Owner or a subscription-wide role.

  • Mark sensitive parameters with @secure() in Bicep; secure values are kept out of deployment history and logs. Pass them from GitHub Secrets on the command line at deploy time rather than writing them into parameter files in the repo.

  • Store secrets in GitHub Secrets, not in code; scope production secrets to a prod environment with required reviewers, and pin third-party actions that handle those secrets to a full commit SHA.


Monitoring & Troubleshooting

  • Add deployment status or what-if comments to PRs using actions/github-script (the job needs the pull-requests: write permission)

  • Upload deployment and what-if logs as artifacts for traceability; PR comment bodies are size-limited, artifacts are not

  • Use az deployment group show --query properties.outputs to fetch outputs after deployment, and az deployment operation group list to see which resource operation failed


Bicep & Azure Jokes

Bicep Joke: Why did the pipeline use Bicep? To flex on ARM templates!

Azure Joke: Why did the engineer love Azure deployments? Because they always had a resourceful day!

