This directory contains GitHub Actions workflows for automated CI/CD deployment to Azure App Services using OIDC authentication.
This repo uses a small set of primary operational workflows, with additional support workflows for setup, validation, and troubleshooting.
| Workflow | Triggers On | Deploys To | Description |
|---|---|---|---|
ci.yml |
Pull requests to dev/staging/main | Validation only | PR build/test gate for the .NET solution plus React frontend typecheck, tests, and build |
azure-initial-setup.yml |
Manual | One-time setup | See README-AZURE-INITIAL-SETUP.md - Phase 0 (GitHub App), Phase 1a (OIDC), Phase 1b (secrets) |
azure-bootstrap.yml |
Manual | Infrastructure + deploy | See README-AZURE-BOOTSTRAP.md - Phase 2 (infrastructure), API/UI deploy, Phase X (cleanup) |
configure-github-secrets.yml |
Called by initial-setup | Secret configuration | See README-CONFIGURE-GITHUB-SECRETS.md - GitHub App setup and secret management (can run independently) |
infra-deploy.yml |
Manual | dev/staging/prod | See README-INFRA-DEPLOY.md - Deploys Bicep infrastructure with manual workflow dispatch |
validate-deployment.yml |
Called by infra-deploy | Reusable workflow | See README-VALIDATE-DEPLOYMENT.md - Pre-deployment validation workflow |
test-validate-deployment.yml |
Manual or PR changes | Test only | Quick Start | Full Docs - Tests validation workflow independently |
deploy-api-to-azure.yml |
API/Backend code changes | All branches (dev/staging/main) | Builds and deploys API to environment-specific Azure Web App |
deploy-ui-to-azure.yml |
React frontend changes | All branches (dev/staging/main) | Builds and deploys the React frontend to the environment-specific Azure UI App Service, then runs a browser smoke check against the deployed tenant bootstrap flow |
validate-adrs.yml |
ADR file, script, or lint config changes | Push/PR to main/dev/staging, or manual | See README-VALIDATE-ADRS.md — Validates ADR filename pattern, H1 heading, **Status:** frontmatter, and markdownlint rules |
validate-ai-customization.yml |
Shared AI customization changes | Push/PR to main/dev/staging, or manual | Validates shared Copilot instructions, prompts, agents, operating-model docs, and their discovery surfaces |
validate-doc-links.yml |
Docs or validator changes | Push/PR to main/dev/staging, or manual | Validates local markdown links and heading anchors for the canonical docs/ tree |
Primary workflows are the workflows the team should think about first for normal delivery and operations:
| Workflow | Role |
|---|---|
ci.yml |
PR gate for build and unit/architecture test validation |
azure-initial-setup.yml |
One-time repository and OIDC bootstrap |
azure-bootstrap.yml |
Main day-to-day environment bootstrap and coordinated deployment entrypoint |
deploy-api-to-azure.yml |
Normal API deployment path for code changes |
deploy-ui-to-azure.yml |
Active React frontend deployment path for the Azure UI App Service |
Support workflows exist for specialized validation, secondary entrypoints, or troubleshooting rather than the default delivery path:
| Workflow | Role |
|---|---|
configure-github-secrets.yml |
Secondary/manual secret configuration and GitHub App troubleshooting path |
infra-deploy.yml |
Infra-only Bicep deployment entrypoint |
validate-deployment.yml |
Reusable preflight validation called by infra deployment |
test-validate-deployment.yml |
Independent test harness for validation workflow changes |
validate-adrs.yml |
Documentation governance for ADR changes |
validate-ai-customization.yml |
Governance guardrail for shared AI operating assets |
validate-doc-links.yml |
Lightweight guardrail for canonical docs navigation integrity |
| Git Branch | API Deployment Target | React Frontend Target |
|---|---|---|
dev |
orderprocessing-api-xyapp-dev | orderprocessing-ui-xyapp-dev |
staging |
orderprocessing-api-xyapp-stg | orderprocessing-ui-xyapp-stg |
main |
orderprocessing-api-xyapp-prod | orderprocessing-ui-xyapp-prod |
Workflow YAML still enforces this policy explicitly.
Azure deployment scripts consume the same defaults from Resources/Azure-Deployment/branch-policy.json; if governance changes, update the workflow guards and the shared policy file together.
Before workflows can execute, the following secrets must be configured:
Repository secrets
| Secret Name | Description | How to Get |
|---|---|---|
APP_ID |
GitHub App ID | GitHub App setup |
APP_PRIVATE_KEY |
GitHub App private key | GitHub App setup |
Environment secrets (dev, staging, prod)
| Secret Name | Description | How to Get |
|---|---|---|
AZUREAPPSERVICE_CLIENTID |
Azure AD App Registration Client ID | Azure Initial Setup (Phase 1b) |
AZUREAPPSERVICE_TENANTID |
Azure AD Tenant ID | Azure Initial Setup (Phase 1b) |
AZUREAPPSERVICE_SUBSCRIPTIONID |
Azure Subscription ID | Azure Initial Setup (Phase 1b) |
If you ran Azure Initial Setup successfully, the environment OIDC secrets are already configured.
Verify at: Settings → Environments → dev/staging/prod
If automatic configuration failed:
- Run Azure Initial Setup with
configureSecrets=true - Navigate to: Repository → Settings → Environments
- Open each environment and confirm the three
AZUREAPPSERVICE_*secrets are present
Workflows trigger automatically based on what code changed:
# Change API code and push → triggers deploy-api-to-azure.yml
git add XYDataLabs.OrderProcessingSystem.API/
git commit -m "feat: Update API endpoint"
git push origin dev # Deploys API only to dev environment
# Change React web code and push → triggers deploy-ui-to-azure.yml
git add frontend/
git commit -m "feat: Update React payment flow"
git push origin dev # Deploys the React frontend to the dev UI App Service
# Change API plus React frontend → triggers BOTH deploy workflows in parallel
git add XYDataLabs.OrderProcessingSystem.API/ frontend/
git commit -m "feat: Update API and React frontend"
git push origin dev # Deploys API and the React frontend to dev environmentAPI Workflow (deploy-api-to-azure.yml) triggers on changes to:
XYDataLabs.OrderProcessingSystem.API/**XYDataLabs.OrderProcessingSystem.Application/**XYDataLabs.OrderProcessingSystem.Domain/**XYDataLabs.OrderProcessingSystem.Infrastructure/**XYDataLabs.OrderProcessingSystem.SharedKernel/**
UI Workflow (deploy-ui-to-azure.yml) triggers on changes to:
frontend/**Resources/Configuration/**.github/workflows/deploy-ui-to-azure.yml
IMPORTANT: Workflows do NOT trigger on Pull Request events.
- ❌ Opening a PR does not trigger deployment
- ❌ Merging a PR via GitHub UI does not trigger deployment (unless merge creates a push event)
- ✅ Merging via command line with push does trigger deployment:
git checkout staging git merge dev git push origin staging # ← This triggers deploy-staging.yml
Workflows can be triggered manually via GitHub Actions UI:
- Navigate to: Actions tab → Select workflow
- Click Run workflow button
- Select branch → Click Run workflow
The API workflow and the React frontend workflow execute in 2 stages:
- ✅ Checkout code
- ✅ Setup Node.js 20
- ✅ Restore npm workspace dependencies
- ✅ Run frontend typecheck
- ✅ Run frontend regression tests
- ✅ Build the React production artifact with the environment-specific API base URL
- ✅ Upload build artifact
- ✅ Determine target environment (dev/staging/prod) from branch name
- ✅ Download build artifact
- ✅ Login to Azure using OIDC (passwordless authentication)
- ✅ Deploy to environment-specific Azure Web App
- ✅ Run SPA route health checks (API:
/health/ready, frontend:/customers) - ✅ Run a browser smoke check that seeds a stale tenant and verifies the deployed UI still resolves the API bootstrap tenant
- ✅ Display deployment URLs
Navigate to: https://github.com/getpavanthakur/TestAppXY_OrderProcessingSystem/actions
Add to README.md:
## Deployment Status
[](https://github.com/getpavanthakur/TestAppXY_OrderProcessingSystem/actions/workflows/deploy-dev.yml)
[](https://github.com/getpavanthakur/TestAppXY_OrderProcessingSystem/actions/workflows/deploy-staging.yml)
[](https://github.com/getpavanthakur/TestAppXY_OrderProcessingSystem/actions/workflows/deploy-main.yml)Workflows use path-based triggering - they only run when relevant code changes:
Benefits:
- ✅ Efficiency: Documentation changes don't trigger deployments
- ✅ Speed: Only affected components are deployed
- ✅ Cost: Fewer workflow minutes consumed
- ✅ Safety: Isolated deployments reduce blast radius
Example Scenarios:
# Scenario 1: Only API code changed
# Changed: XYDataLabs.OrderProcessingSystem.API/Controllers/OrderController.cs
# Result: Only deploy-api-to-azure.yml runs ✅
# Scenario 2: Only web frontend code changed
# Changed: frontend/apps/web/src/App.tsx
# Result: Only deploy-ui-to-azure.yml runs ✅
# Scenario 3: Shared domain model changed
# Changed: XYDataLabs.OrderProcessingSystem.Domain/Entities/Order.cs
# Result: BOTH workflows run (API and UI depend on Domain) ✅
# Scenario 4: Documentation updated
# Changed: docs/README.md
# Result: NO workflows run (documentation changes ignored) ✅If you used custom names during bootstrap, update app-name in workflows:
- name: Deploy to Azure Web App (API)
uses: azure/webapps-deploy@v3
with:
app-name: 'YOUR-CUSTOM-API-NAME-dev' # ← Update here
package: ./apiWorkflows use OpenID Connect (OIDC) for Azure authentication:
- ✅ No long-lived secrets stored in GitHub
- ✅ Short-lived tokens (1 hour expiration)
- ✅ Federated credentials tied to specific branches
- ✅ Principle of least privilege (Contributor role on Resource Group only)
Workflows require minimal permissions:
permissions:
id-token: write # Required for OIDC token request
contents: read # Required to checkout codeThe OIDC service principal has:
- Role: Contributor
- Scope: Resource Group level only (not subscription-wide)
- Branches: Separate federated credentials derived from the shared branch policy (currently dev, staging, main)
To test workflow syntax without deploying:
- Fork the repository to your personal account
- Update workflow files with your test app names
- Push to test branch
- Observe workflow execution (it will fail at deployment but validate syntax)
Install act to run workflows locally:
# Install act (Windows)
winget install nektos.act
# Test dev workflow
act push -W .github/workflows/deploy-dev.ymlNote: Local execution won't have Azure credentials, but validates syntax.
Problem: Pushed to branch but workflow didn't run
Solutions:
- ✅ Check branch name matches the enforced workflow mapping (
dev,staging,mainby default) - ✅ Verify push succeeded:
git push origin dev --verbose - ✅ Check if changes were only in ignored documentation paths (
docs/or other.mdfiles) - ✅ View Actions tab for any disabled workflows
Problem: Error: Login failed with Error: AADSTS700016: Application not found
Solutions:
- ✅ Verify GitHub secrets are configured correctly
- ✅ Check OIDC App Registration exists in Azure AD
- ✅ Verify federated credentials for branch exist
- ✅ Re-run
bootstrap-enterprise-infra.ps1to recreate OIDC setup
Problem: Build succeeded but deployment failed
Solutions:
- ✅ Check Azure Web App exists and is running
- ✅ Verify app name in workflow matches actual Azure resource
- ✅ Check RBAC role assignments (Service Principal needs Contributor role)
- ✅ Review Azure App Service logs for deployment errors
Problem: Build stage fails with compilation errors
Solutions:
- ✅ Verify solution builds locally:
dotnet build XYDataLabs.OrderProcessingSystem.sln - ✅ Check all NuGet packages are restored
- ✅ Review build logs in GitHub Actions for specific error
- ✅ Ensure .NET 8 SDK is used (workflow specifies
dotnet-version: '8.0.x')
- Infrastructure Deployment Guide ⭐ Manual Bicep deployment with dry run
- Quick Start Azure Bootstrap
- Azure Deployment Guide
- Master Curriculum
| Date | Workflow | Change | Author |
|---|---|---|---|
| 2025-11-21 | test-validate-deployment.yml | Added test workflow for pre-deployment validation | GitHub Copilot |
| 2025-11-20 | All | Initial creation with OIDC authentication | GitHub Copilot |
👉 Start here to test pre-deployment validation:
- Read the guide: README-TEST-VALIDATE-DEPLOYMENT.md
- Run validation test: Go to Actions → Test Pre-Deployment Validation → Run workflow
- Review test results: Check for configuration drift or issues
👉 After validation tests pass:
- Read the guide: README-INFRA-DEPLOY.md
- Run dry run: Go to Actions → Deploy Azure Infrastructure → Run workflow
- Deploy infrastructure: Set dry run = false after validation
After infrastructure is deployed:
-
Verify secrets configured: https://github.com/pavanthakur/XYDataLabs.OrderProcessingSystem/settings/secrets/actions
-
Test dev workflow:
git checkout dev git commit --allow-empty -m "test: Trigger dev workflow" git push origin dev -
Monitor workflow: https://github.com/pavanthakur/XYDataLabs.OrderProcessingSystem/actions
-
Verify deployment: https://pavanthakur-orderprocessing-api-xyapp-dev.azurewebsites.net
-
Promote to staging (after dev validation):
git checkout staging git merge dev git push origin staging
Questions or Issues?
- Validation Testing: See README-TEST-VALIDATE-DEPLOYMENT.md
- Pre-Deployment Validation: See README-VALIDATE-DEPLOYMENT.md
- Infrastructure: See README-INFRA-DEPLOY.md
- Application Deployment: Check Quick Start Azure Bootstrap
- Full Learning Path: Master Curriculum