If you are thinking of using Azure for your static website and need a way to keep it updated without manually pushing all the files to your storage account every time, a CI/CD pipeline built on GitHub Actions is the way to go.
🤝 Phase 1: Azure Setup (The Introduction)
This is where you create the identity GitHub needs to talk to Azure securely.
- Create the identity: Go into Microsoft Entra ID and create an App Registration. Registering it in the Portal also creates the matching service principal (SP, listed under Enterprise applications), and that SP is the identity your workflow will use. (A user-assigned Managed Identity can carry federated credentials too, but this post uses an App Registration.)
- Assign Roles: Use the Azure CLI (`az role assignment create`) to give that SP the Storage Blob Data Contributor role. Scope it as tightly as you can: the storage account itself (or even the `$web` container) rather than the whole Resource Group, because the workflow only ever needs to write blobs. The CLI is the reliable route here; the Portal UI for role assignments is often buggy, and a command is reproducible. Note that a new assignment can take a few minutes to propagate, so a first workflow run that fails with an authorization error right after this step is usually just timing.
- Critical Note: If you do use the Portal, search for the assignee by the service principal's Object ID (the one shown under Enterprise applications), not by the App Registration's Object ID. They are different GUIDs, and the role assignment must bind to the service principal.
- Establish OIDC Trust: Configure a Federated Identity Credential on that App Registration. This tells Azure: "Only trust tokens issued by GitHub (`https://token.actions.githubusercontent.com`) whose subject is exactly `repo:<ORG>/<REPO>:ref:refs/heads/main`", i.e. a run triggered from my repo on the main branch. This is the modern, secret-less way to connect: no client secret exists, so nothing can leak or expire.
- Critical Note: If the App Registration does not show up, click the All applications tab (the default Owned applications tab only lists apps you own). When adding the credential, set the Entity type to Branch rather than Environment. Azure compares the subject claim byte for byte: a Branch credential matches `repo:<ORG>/<REPO>:ref:refs/heads/main` on a push, whereas an Environment credential expects `repo:<ORG>/<REPO>:environment:<name>` and only matches if the job declares an `environment:`.
- Grab the IDs: Collect three GUIDs: the Application (client) ID and Directory (tenant) ID from the App Registration's Overview page, and your Subscription ID.
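The four Phase 1 steps above, scripted with the Azure CLI so they are reproducible and reviewable. This is an added example, not code from the original post: the org, repo, branch, app name, resource group and storage account are placeholders passed as arguments, and the helper names (`github_subject`, `federated_credential_json`, `setup_github_oidc`, `show_role_assignments`) are mine. It goes a little beyond the post by generating all four subject shapes GitHub emits (branch, tag, environment, pull request), which makes the Branch-versus-Environment gotcha visible as a plain string.

```shell
#!/bin/sh
# Added example (not from the original post): Phase 1 with the Azure CLI.
# All names below are placeholders supplied on the command line; nothing here
# is a real identifier. Requires a prior `az login` with rights to create
# app registrations and role assignments.
set -eu

ISSUER="https://token.actions.githubusercontent.com"
AUDIENCE="api://AzureADTokenExchange"

# Subject claim GitHub puts in the OIDC token. Azure matches it exactly
# against the federated credential, so an "Environment" credential never
# matches a plain push to main, and vice versa.
#   github_subject branch       ORG REPO main
#   github_subject tag          ORG REPO v1.2.3
#   github_subject environment  ORG REPO production
#   github_subject pull_request ORG REPO
github_subject() {
  kind=$1; org=$2; repo=$3; value=${4:-}
  case "$kind" in
    branch)       printf 'repo:%s/%s:ref:refs/heads/%s' "$org" "$repo" "$value" ;;
    tag)          printf 'repo:%s/%s:ref:refs/tags/%s' "$org" "$repo" "$value" ;;
    environment)  printf 'repo:%s/%s:environment:%s' "$org" "$repo" "$value" ;;
    pull_request) printf 'repo:%s/%s:pull_request' "$org" "$repo" ;;
    *) echo "unknown subject kind: $kind" >&2; return 1 ;;
  esac
}

# JSON body for `az ad app federated-credential create --parameters`.
federated_credential_json() {
  name=$1; subject=$2
  printf '{"name":"%s","issuer":"%s","subject":"%s","audiences":["%s"]}' \
    "$name" "$ISSUER" "$subject" "$AUDIENCE"
}

# Creates the app registration and its service principal, grants the one
# data-plane role the workflow needs, scoped to the storage account (not the
# resource group), then adds the federated credential. Prints the three
# values to store as GitHub secrets.
setup_github_oidc() {
  org=$1; repo=$2; branch=$3; app_name=$4; rg=$5; storage=$6

  app_id=$(az ad app create --display-name "$app_name" --query appId -o tsv)
  # The CLI does not create the service principal for you (the Portal does).
  # Its object ID is what role assignments bind to; it is NOT the object ID
  # shown on the App registrations blade.
  sp_object_id=$(az ad sp create --id "$app_id" --query id -o tsv)

  storage_id=$(az storage account show -n "$storage" -g "$rg" --query id -o tsv)
  az role assignment create \
    --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Contributor" \
    --scope "$storage_id" >/dev/null

  subject=$(github_subject branch "$org" "$repo" "$branch")
  az ad app federated-credential create --id "$app_id" \
    --parameters "$(federated_credential_json "gha-$branch" "$subject")" >/dev/null

  echo "AZURE_CLIENT_ID=$app_id"
  echo "AZURE_TENANT_ID=$(az account show --query tenantId -o tsv)"
  echo "AZURE_SUBSCRIPTION_ID=$(az account show --query id -o tsv)"
}

# Least-privilege check: every scope the SP can reach, in one table.
show_role_assignments() {
  az role assignment list --assignee "$1" --all -o table
}

if [ "$#" -eq 6 ]; then
  setup_github_oidc "$@"
else
  echo "usage: $0 ORG REPO BRANCH APP_NAME RESOURCE_GROUP STORAGE_ACCOUNT" >&2
fi
```

Run it as `sh setup-oidc.sh <ORG> <REPO> main <APP_NAME> <RESOURCE_GROUP> <STORAGE_ACCOUNT>` after `az login`, then paste the three printed values into the repository secrets. `show_role_assignments <CLIENT_ID>` afterwards should list exactly one assignment; anything broader than the storage account is a sign the scope drifted.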
🔐 Phase 2: GitHub Secrets (Storing the Keys)
You need to securely store those three IDs in GitHub.
- Go to Settings: Navigate to your repo’s Settings > Secrets and variables > Actions.
- Create Three Secrets: Add the following repository secrets and paste the corresponding Azure GUIDs as their values: `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`. None of these three is a credential on its own (the OIDC trust is what grants access), but storing them as secrets keeps them out of the workflow file and masks them in logs.
⚙️ Phase 3: The Workflow Script (The Action)
This is the YAML file (.github/workflows/deploy.yml) that defines the automation sequence.
```yaml
name: Azure Static Site Deployment via GitHub Actions

on:
  push:
    branches:
      - main # If your primary branch is named differently (e.g. master), change it here AND in the federated credential's subject

permissions:
  id-token: write # Required to request the OIDC token that Azure exchanges for an access token
  contents: read  # Required to check out the repository code

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      # 1. AUTHENTICATE with Azure via OIDC (no client secret anywhere)
      - name: Azure Login (OIDC)
        uses: azure/login@v2
        with:
          # These reference the GitHub Secrets you created in the repo settings
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # 2. DEPLOY files to the $web container
      #    The hosted runner already ships the Azure CLI and azure/login has
      #    configured it, so a plain run step is enough.
      - name: Upload to Blob Storage
        run: |
          # Copies every file under the source directory (-s) into the $web container (-d).
          # --auth-mode login uses the OIDC-derived token plus the Storage Blob Data Contributor
          # role instead of the account key. --overwrite is needed on redeploys: current CLI
          # versions refuse to replace existing blobs without it.
          # Point -s at your build output (e.g. ./public) if you have one: uploading the repo
          # root publishes .git/ and .github/ into a world-readable container.
          az storage blob upload-batch \
            --account-name <YOUR_STORAGE_ACCOUNT_NAME> \
            --auth-mode login \
            --overwrite \
            -d '$web' \
            -s .

      # 3. OPTIONAL: Purge CDN Cache
      # Uncomment this block and replace the placeholders if you are using Azure CDN.
      # The SP also needs a role that allows purging (e.g. CDN Endpoint Contributor on the
      # CDN profile); Storage Blob Data Contributor alone is not enough.
      #- name: Purge CDN Endpoint Cache
      #  run: |
      #    az cdn endpoint purge --content-paths "/*" \
      #      --profile-name "CDN_PROFILE_NAME" \
      #      --name "CDN_ENDPOINT_NAME" \
      #      --resource-group "RESOURCE_GROUP"

      # 4. LOGOUT: clears the cached token from the runner even if an earlier step failed
      - name: Azure Logout
        if: always()
        run: az logout
```
Once that YAML file is committed, every push to the main branch runs this workflow and keeps your static site up to date!