Deploy to App Service using GitHub Actions
Get started with GitHub Actions to automate your workflow and deploy to Azure App Service from GitHub.
Prerequisites
- An Azure account with an active subscription. Create an account for free.
- A GitHub account. If you don’t have one, sign up for free.
Set up GitHub Actions deployment when creating the app
GitHub Actions deployment is integrated into the default app creation wizard. You just need to set Continuous deployment to Enable in the Deployment tab, and configure the organization, repository, and branch you want.
![A screenshot showing how to enable GitHub Actions deployment in the App Service create wizard.][]
When you enable continuous deployment, the app creation wizard automatically picks the authentication method based on the basic authentication selection and configures your app and your GitHub repository accordingly:
Basic authentication selection | Authentication method |
---|---|
Disable | User-assigned identity (OpenID Connect) (recommended) |
Enable | Basic authentication |
[!NOTE] If you receive an error when creating your app saying that your Azure account doesn’t have certain permissions, it may not have the required permissions to create and configure the user-assigned identity. For an alternative, see Set up GitHub Actions deployment from the Deployment Center.
Set up GitHub Actions deployment from the Deployment Center
For an existing app, you can get started quickly with GitHub Actions by using the App Service Deployment Center. This turn-key method automatically generates a GitHub Actions workflow file based on your application stack and commits it to your GitHub repository.
The Deployment Center also lets you easily configure the more secure OpenID Connect authentication with the user-assigned identity option.
If your Azure account has the needed permissions, you can select to create a user-assigned identity. Otherwise, you can select an existing user-assigned managed identity in the Identity dropdown. You can work with your Azure administrator to create a user-assigned managed identity with the Website Contributor role.
For more information, see Continuous deployment to Azure App Service.
Set up a GitHub Actions workflow manually
You can also deploy a workflow without using the Deployment Center. In that case you need to perform 3 steps:
- Generate deployment credentials
- Configure the GitHub secret
- Add the workflow file to your GitHub repository
1. Generate deployment credentials
The recommended way to authenticate with Azure App Service for GitHub Actions is with OpenID Connect, an authentication method that uses short-lived tokens. Setting up OpenID Connect with GitHub Actions is more complex but offers hardened security.
Alternatively, you can authenticate with a User-assigned Managed Identity, a service principal, or a publish profile.
OpenID Connect
The following steps create an Active Directory application, service principal, and federated credentials using Azure CLI statements. To learn how to create an Active Directory application, service principal, and federated credentials in the Azure portal, see Connect GitHub and Azure.
- If you don’t have an existing application, register a new Active Directory application and service principal that can access resources. Create the Active Directory application.
      az ad app create --display-name myApp
  This command outputs JSON with an `appId` that is your `client-id`. Save the value to use as the `AZURE_CLIENT_ID` GitHub secret later.
  You’ll use the `objectId` value when creating federated credentials with Graph API and reference it as the `APPLICATION-OBJECT-ID`.
- Create a service principal. Replace `$appId` with the appId from your JSON output.
  This command generates JSON output with a different `objectId`, which is used in the next step. The new `objectId` is the `assignee-object-id`.
  Copy the `appOwnerTenantId` to use as a GitHub secret for `AZURE_TENANT_ID` later.
      az ad sp create --id $appId
- Create a new role assignment by subscription and object. By default, the role assignment is tied to your default subscription. Replace `$subscriptionId` with your subscription ID, `$resourceGroupName` with your resource group name, `$webappName` with your web app name, and `$assigneeObjectId` with the generated `id`. Learn how to manage Azure subscriptions with the Azure CLI.
      az role assignment create --role contributor --subscription $subscriptionId --assignee-object-id $assigneeObjectId --scope /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/$webappName --assignee-principal-type ServicePrincipal
- Run the following command to create a new federated identity credential for your Active Directory application.
  - Replace `APPLICATION-OBJECT-ID` with the appId (generated while creating app) for your Active Directory application.
  - Set a value for `CREDENTIAL-NAME` to reference later.
  - Set the `subject`. Its value is defined by GitHub depending on your workflow:
    - Jobs in your GitHub Actions environment: `repo:< Organization/Repository >:environment:< Name >`
    - For jobs not tied to an environment, include the ref path for the branch or tag, based on the ref path used for triggering the workflow: `repo:< Organization/Repository >:ref:< ref path>`. For example, `repo:n-username/node_express:ref:refs/heads/my-branch` or `repo:n-username/node_express:ref:refs/tags/my-tag`.
    - For workflows triggered by a pull request event: `repo:< Organization/Repository >:pull_request`.
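The subject formats listed above, as an added example that is not part of the original page: a POSIX shell check that builds the subject for a workflow shape and compares it with the subject configured in the federated credential, so a mismatch (wrong branch, bare branch name, stray space) shows up before the credential is created. The function names `oidc_subject` and `subject_matches` are hypothetical, and the repository and refs are constructed from the page's example values.

```shell
# Added example; function names are hypothetical, sample values are constructed.
# oidc_subject REPO KIND [VALUE]: print the subject for one workflow shape.
#   KIND = environment (VALUE: environment name)
#        | ref         (VALUE: full ref path, refs/heads/... or refs/tags/...)
#        | pull_request
oidc_subject() {
  _repo=$1 _kind=$2 _value=${3:-}
  # Organization/Repository: exactly one slash, no spaces or wildcards.
  case $_repo in
    '' | /* | */ | */*/* | *[!A-Za-z0-9_./-]*) echo "bad repo: '$_repo'" >&2; return 1 ;;
    */*) ;;
    *) echo "bad repo: '$_repo'" >&2; return 1 ;;
  esac
  case $_kind in
    environment)
      [ -n "$_value" ] || { echo "environment name required" >&2; return 1; }
      printf 'repo:%s:environment:%s\n' "$_repo" "$_value" ;;
    ref)
      # The subject carries the full ref path, not a bare branch or tag name.
      case $_value in
        *' '* | *'*'*) echo "bad ref: '$_value'" >&2; return 1 ;;
        refs/heads/?* | refs/tags/?*) printf 'repo:%s:ref:%s\n' "$_repo" "$_value" ;;
        *) echo "ref must start with refs/heads/ or refs/tags/" >&2; return 1 ;;
      esac ;;
    pull_request) printf 'repo:%s:pull_request\n' "$_repo" ;;
    *) echo "unknown kind: $_kind" >&2; return 1 ;;
  esac
}

# subject_matches CONFIGURED REPO KIND [VALUE]
# Exit 0 only when the job's subject equals the configured one (plain,
# case-sensitive string comparison); exit 2 when the job context is malformed.
subject_matches() {
  _configured=$1; shift
  _actual=$(oidc_subject "$@") || return 2
  [ "$_actual" = "$_configured" ]
}

# Constructed sample: a credential scoped to one branch of the page's example repo.
configured='repo:n-username/node_express:ref:refs/heads/my-branch'
for job in 'ref refs/heads/my-branch' 'ref refs/heads/main' 'pull_request' 'environment staging'; do
  if subject_matches "$configured" n-username/node_express $job; then
    echo "match:    $job"
  else
    echo "no match: $job"
  fi
done
```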
az ad app federated-credential create --id <APPLICATION-OBJECT-ID> --parameters credential.json ("credential.json
- Replace