Deploy ARM templates by using GitHub Actions

GitHub Actions is a suite of features in GitHub to automate your software development workflows in the same place you store code and collaborate on pull requests and issues.

Use the Deploy Azure Resource Manager Template Action to automate deploying an Azure Resource Manager template (ARM template) to Azure.

  • An Azure account with an active subscription. Create a trial subscription.
  • A GitHub account. If you don't have one, sign up for free.
  • A GitHub repository to store your Resource Manager templates and your workflow files. To create one, see Creating a new repository.

Workflow file overview

A workflow is defined by a YAML (.yml) file in the /.github/workflows/ path in your repository. This definition contains the various steps and parameters that make up the workflow.

The file has two sections:

Section         Tasks
Authentication  1. Define a service principal.
                2. Create a GitHub secret.
Deploy          1. Deploy the Resource Manager template.

Generate deployment credentials

You can create a service principal with the az ad sp create-for-rbac command in the Azure CLI.

Create a resource group if you do not already have one. Replace {location} with the Azure region you want to deploy to.

    az group create -n {MyResourceGroup} -l {location}

Replace the placeholder myApp with the name of your application.

    az ad sp create-for-rbac --name {myApp} --role contributor --scopes /subscriptions/{subscription-id}/resourceGroups/{MyResourceGroup} --sdk-auth

In the example above, replace the placeholders with your subscription ID and resource group name. The output is a JSON object with the role assignment credentials that provide access to your App Service app, similar to the one below. Copy this JSON object for later. You will only need the sections with the clientId, clientSecret, subscriptionId, and tenantId values.

    {
      "clientId": "<GUID>",
      "clientSecret": "<GUID>",
      "subscriptionId": "<GUID>",
      "tenantId": "<GUID>"
    }

It is always a good practice to grant the minimum access required. The scope in the previous example is limited to the resource group, so the service principal cannot act on anything else in the subscription.
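The two hygiene points above, keeping only the fields the workflow needs and confirming the role assignment is resource-group scoped, can be checked locally before anything is pasted into GitHub. The following Python is an added example written for this page, not code from the page or from the Azure CLI; the sample CLI output, its GUIDs and the secret value are constructed placeholders.

```python
import json
import re
import uuid

# azure/login only consumes these four fields of the `--sdk-auth` output, so
# nothing else from the CLI output needs to be stored as AZURE_CREDENTIALS.
REQUIRED_FIELDS = ("clientId", "clientSecret", "subscriptionId", "tenantId")

# Exactly /subscriptions/<guid>/resourceGroups/<name>, with nothing after it.
RG_SCOPE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-fA-F-]{36})/resourceGroups/(?P<rg>[^/]+)$"
)


def _is_guid(value) -> bool:
    """Canonical hyphenated GUID check (rejects truncated or padded pastes)."""
    try:
        return str(uuid.UUID(value)).lower() == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def extract_secret_fields(sdk_auth_output: str) -> dict:
    """Keep only the fields the workflow needs and validate their shape.

    Raises ValueError on a missing or malformed field, so a truncated or
    hand-edited paste is caught before it becomes a GitHub secret.
    """
    data = json.loads(sdk_auth_output)
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise ValueError(f"missing fields: {', '.join(missing)}")
    for field in ("clientId", "subscriptionId", "tenantId"):
        if not _is_guid(data[field]):
            raise ValueError(f"{field} is not a GUID")
    return {f: data[f] for f in REQUIRED_FIELDS}


def is_resource_group_scope(scope: str, subscription_id: str) -> bool:
    """True only when the role assignment is confined to one resource group in
    the expected subscription, the least-privilege shape used on this page.
    A bare subscription scope or a management-group scope returns False."""
    m = RG_SCOPE.match(scope)
    return bool(m) and m.group("sub").lower() == subscription_id.lower()


# Constructed sample of the CLI output; the GUIDs and secret are placeholders.
SAMPLE_SDK_AUTH = json.dumps({
    "clientId": "11111111-2222-3333-4444-555555555555",
    "clientSecret": "constructed-placeholder-secret",
    "subscriptionId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "tenantId": "99999999-8888-7777-6666-555555555555",
    "resourceManagerEndpointUrl": "https://example.invalid/",  # extra field, dropped
})

if __name__ == "__main__":
    creds = extract_secret_fields(SAMPLE_SDK_AUTH)
    scope = f"/subscriptions/{creds['subscriptionId']}/resourceGroups/myResourceGroup"
    print(json.dumps(creds, indent=2))
    print("resource-group scoped:", is_resource_group_scope(scope, creds["subscriptionId"]))
```

Run it against the real CLI output (read from a file or stdin rather than a literal) and paste only the returned dictionary into the AZURE_CREDENTIALS secret; the scope check is worth keeping in a pre-commit hook so a later widening of `--scopes` to the whole subscription is noticed.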

Configure the GitHub secrets

You need to create secrets for your Azure credentials, resource group, and subscription.

  1. In GitHub, browse your repository.

  2. Select Settings > Secrets > New secret.

  3. Paste the entire JSON output from the Azure CLI command into the secret's value field. Give the secret the name AZURE_CREDENTIALS.

  4. Create another secret named AZURE_RG. Add the name of your resource group to the secret's value field (example: myResourceGroup).

  5. Create an additional secret named AZURE_SUBSCRIPTION. Add your subscription ID to the secret's value field (example: 90fd3f9d-4c61-432d-99ba-1273f236afa2).

Add Resource Manager template

Add a Resource Manager template to your GitHub repository. This template creates a storage account.

You can put the file anywhere in the repository. The workflow sample in the next section assumes the template file is named azuredeploy.json, and it is stored at the root of your repository.

Create workflow

The workflow file must be stored in the .github/workflows folder at the root of your repository. The workflow file extension can be either .yml or .yaml.

  1. From your GitHub repository, select Actions from the top menu.

  2. Select New workflow.

  3. Select set up a workflow yourself.

  4. Rename the workflow file if you prefer a different name other than main.yml. For example: deployStorageAccount.yml.

  5. Replace the content of the yml file with the following:

    # Trigger on pushes to main that touch the workflow file or the template
    # (adjust the workflow path if you kept a different file name in step 4).
    on:
      push:
        branches:
          - main
        paths:
          - .github/workflows/deployStorageAccount.yml
          - azuredeploy.json
    name: Azure ARM
    jobs:
      build-and-deploy:
        runs-on: ubuntu-latest
        steps:
          # Checkout code
          - uses: actions/checkout@main
          # Log into Azure
          - uses: azure/login@v1
            with:
              creds: ${{ secrets.AZURE_CREDENTIALS }}
          # Deploy ARM template; the id is what steps.deploy.outputs refers to
          - name: Run ARM deploy
            id: deploy
            uses: azure/arm-deploy@v1
            with:
              subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
              resourceGroupName: ${{ secrets.AZURE_RG }}
              template: ./azuredeploy.json
              parameters: storageAccountType=Standard_LRS
          # output containerName variable from template
          - run: echo ${{ steps.deploy.outputs.containerName }}


    You can specify a JSON format parameters file instead in the ARM Deploy action (example: .azuredeploy.parameters.json).

    The first section of the workflow file includes:

    • name: The name of the workflow.
    • on: The name of the GitHub events that trigger the workflow. The workflow is triggered when there is a push event on the main branch that modifies at least one of the two files specified. The two files are the workflow file and the template file.

  6. Select Start commit.

  7. Select Commit directly to the main branch.

  8. Select Commit new file (or Commit changes).

Because the workflow is configured to be triggered by either the workflow file or the template file being updated, the workflow starts right after you commit the changes.
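The workflow above has a few properties worth verifying before each commit: every `steps.<id>.outputs.<name>` expression must name a step that carries that `id` and an output the template really declares (without `id: deploy`, the final `echo` prints an empty string), every inline `parameters:` name must exist in the template, `creds:` must come from `secrets.*` rather than a literal, and actions referenced by a branch or tag such as `@main` or `@v1` can change underneath the workflow, so a commit SHA is the immutable form. The following standard-library Python linter is an added example written for this page, not code from the page, from GitHub or from the azure/arm-deploy project; the embedded workflow fragment and the minimal template are constructed for the demonstration.

```python
import json
import re

# Line-oriented patterns over the workflow text. The checks below only need
# a few well-known keys, so the standard library is enough and no YAML
# dependency is required.
STEP_ID = re.compile(r"^\s*id:\s*([\w-]+)\s*$", re.M)
OUTPUT_REF = re.compile(r"steps\.([\w-]+)\.outputs\.([\w-]+)")
PARAMS_LINE = re.compile(r"^\s*parameters:\s*(.+?)\s*$", re.M)
CREDS_LINE = re.compile(r"^\s*creds:\s*(.+?)\s*$", re.M)
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([\w./-]+)@(\S+)\s*$", re.M)
SHA_PIN = re.compile(r"^[0-9a-f]{40}$")


def lint_workflow(workflow_yaml: str, template_json: str) -> dict:
    """Cross-check a GitHub Actions workflow against the ARM template it deploys.

    Returns {"errors": [...], "warnings": [...]}: errors break the run or put
    credentials in the repository; warnings are supply-chain hygiene notes.
    """
    template = json.loads(template_json)
    declared_params = set(template.get("parameters", {}))
    declared_outputs = set(template.get("outputs", {}))
    step_ids = set(STEP_ID.findall(workflow_yaml))
    errors, warnings = [], []

    # steps.<id>.outputs.<name> must point at a step carrying `id: <id>` and
    # at an output the template really declares; otherwise the value is empty.
    for step, output in OUTPUT_REF.findall(workflow_yaml):
        if step not in step_ids:
            errors.append(f"steps.{step}.outputs.{output} references a step with no 'id: {step}'")
        if output not in declared_outputs:
            errors.append(f"template declares no output named '{output}'")

    # Inline key=value parameters must exist in the template. A value without
    # '=' is a parameters file path and is left alone here.
    for line in PARAMS_LINE.findall(workflow_yaml):
        for pair in line.split():
            if "=" in pair and pair.split("=", 1)[0] not in declared_params:
                errors.append(f"template declares no parameter named '{pair.split('=', 1)[0]}'")

    # Credentials must come from a GitHub secret, never a literal in the file.
    for value in CREDS_LINE.findall(workflow_yaml):
        if "${{ secrets." not in value:
            errors.append("creds is not read from secrets.*")

    # A branch or tag ref (e.g. @main, @v1) can move; a 40-hex commit SHA is
    # the immutable form, so anything else is reported for review.
    for action, ref in USES_LINE.findall(workflow_yaml):
        if not SHA_PIN.match(ref):
            warnings.append(f"{action}@{ref} is not pinned to a commit SHA")

    return {"errors": errors, "warnings": warnings}


# Constructed minimal template exposing the parameter and output the page's
# workflow uses; it is not the page's azuredeploy.json.
SAMPLE_TEMPLATE = json.dumps({
    "parameters": {"storageAccountType": {"type": "string"}},
    "outputs": {"containerName": {"type": "string", "value": "constructed"}},
})

# Constructed fragment of the deploy job as shown on the page, minus `id: deploy`,
# so the final `echo` reads an output that no step exposes.
BUGGY_WORKFLOW = """\
    - uses: actions/checkout@main
    - uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}
    - name: Run ARM deploy
      uses: azure/arm-deploy@v1
      with:
        subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
        resourceGroupName: ${{ secrets.AZURE_RG }}
        template: ./azuredeploy.json
        parameters: storageAccountType=Standard_LRS
    - run: echo ${{ steps.deploy.outputs.containerName }}
"""

# The same fragment with the step id restored.
FIXED_WORKFLOW = BUGGY_WORKFLOW.replace(
    "    - name: Run ARM deploy\n", "    - name: Run ARM deploy\n      id: deploy\n"
)

if __name__ == "__main__":
    for label, text in (("buggy", BUGGY_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(label, json.dumps(lint_workflow(text, SAMPLE_TEMPLATE), indent=2))
```

Point `lint_workflow` at the real `.github/workflows/deployStorageAccount.yml` and `azuredeploy.json` from a pre-commit hook; the regex approach is deliberately narrow and will not understand every YAML layout, so treat a clean result as a sanity check rather than a full validation.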

Check workflow status

  1. Select the Actions tab. You will see a Create deployStorageAccount.yml workflow listed. It takes 1-2 minutes to run the workflow.
  2. Select the workflow to open it.
  3. Select Run ARM deploy from the menu to verify the deployment.

Clean up resources

When your resource group and repository are no longer needed, clean up the resources you deployed by deleting the resource group and your GitHub repository.

Next steps