Update CI/CD workflow to use OIDC for ACR login and streamline Docker… #12
| name: CI/CD for Azure Web App | |
| on: | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| attestations: write | |
| id-token: write | |
| contents: write | |
| packages: write | |
| security-events: write | |
| env: | |
| AZURE_WEBAPP_NAME: app-gh-aspnet-webapp-001 # set this to your application's name | |
| SRC_PROJECT_PATH: "/webapp01/webapp01.csproj" | |
| AZURE_WEBAPP_PACKAGE_PATH: "./src" # set this to the path to your web app project, defaults to the repository root | |
| DOTNET_VERSION: "9.0.x" # set this to the dot net version to use | |
| AZURE_ACR_NAME: crdevsecopscldev001 # set this to your Azure Container Registry name | |
| jobs: | |
| cicd: | |
| name: Build and Deploy to Azure Web App | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Checkout the repo | |
| - uses: actions/checkout@v5 | |
| # Setup .NET Core SDK | |
| - name: Setup .NET Core | |
| uses: actions/setup-dotnet@v4 | |
| with: | |
| dotnet-version: ${{ env.DOTNET_VERSION }} | |
| # Run dotnet build and publish | |
| - name: dotnet build and publish | |
| run: | | |
| dotnet restore ${{ env.AZURE_WEBAPP_PACKAGE_PATH }}${{ env.SRC_PROJECT_PATH }} | |
| dotnet build --configuration Release ${{ env.AZURE_WEBAPP_PACKAGE_PATH }}${{ env.SRC_PROJECT_PATH }} | |
| dotnet publish -c Release --property:PublishDir='bin/publish' ${{ env.AZURE_WEBAPP_PACKAGE_PATH }}${{ env.SRC_PROJECT_PATH }} | |
| - name: Azure Login | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| # Deploy to Azure Web apps | |
| - name: "Run Azure webapp deploy action using publish profile credentials" | |
| if: false # This disables the action | |
| uses: azure/webapps-deploy@v3 | |
| with: | |
| app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name | |
| package: "${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/webapp01/bin/publish" | |
| - name: ACR Login via OIDC | |
| run: az acr login --name ${{ env.AZURE_ACR_NAME }} | |
| - name: Build and Push Docker Image | |
| run: | | |
| docker build ./src/webapp01 --file ./src/webapp01/Dockerfile -t ${{ env.AZURE_ACR_NAME }}.azurecr.io/webapp01:${{ github.sha }} | |
| docker tag ${{ env.AZURE_ACR_NAME }}.azurecr.io/webapp01:${{ github.sha }} ${{ env.AZURE_ACR_NAME }}.azurecr.io/webapp01:latest | |
| docker push ${{ env.AZURE_ACR_NAME }}.azurecr.io/webapp01:${{ github.sha }} | |
| docker push ${{ env.AZURE_ACR_NAME }}.azurecr.io/webapp01:latest | |
| - name: Azure Web Apps Deploy | |
| uses: azure/webapps-deploy@v3 | |
| with: | |
| app-name: ${{ env.AZURE_WEBAPP_NAME }} | |
| images: "${{ env.AZURE_ACR_NAME }}.azurecr.io/webapp01:${{ github.sha }}" | |
| - name: logout | |
| run: | | |
| az logout | |
| # https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-and-reusable-workflows-to-achieve-slsa-v1-build-level-3 | |
| container-build-publish: | |
| name: Build and Publish Container Image | |
| uses: devopsabcs-engineering/devsecops-reusable-workflows/.github/workflows/container.yml@main | |
| with: | |
| # This is used for tagging the container image | |
| version: v1.0.0 | |
| container-file: ./src/webapp01/Dockerfile | |
| container-context: ./src/webapp01 | |
| container-name: "${{ github.repository }}/webapp01" |
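Review bot: The `container-build-publish` job pulls the reusable workflow from a mutable branch ref, `uses: devopsabcs-engineering/devsecops-reusable-workflows/.github/workflows/container.yml@main`, so any push to that branch changes what runs here with `id-token: write` and `contents: write` in hand; pin it to a full commit SHA, e.g. `...container.yml@<commit-sha>  # vX.Y.Z`, and the same applies to the version-tag references on the `actions/checkout`, `actions/setup-dotnet`, `azure/login` and `azure/webapps-deploy` steps. Separately, the `logout` step has no `if: always()`, so `az logout` is skipped whenever an earlier step fails; `- name: logout` / `if: always()` / `run: az logout` closes that gap (on hosted `ubuntu-latest` the runner is discarded anyway, but it matters for self-hosted runners). The `permissions` block grants `contents: write`, `packages: write` and `security-events: write` while nothing visible in the `cicd` job writes to any of them; presumably the reusable workflow needs some, but that should be confirmed and the rest dropped. The `if: false` publish-profile deploy step is dead configuration and can be removed rather than kept disabled.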