Deploy Bicep with GitHub Actions


GitHub Actions is a suite of features in GitHub to automate your software development workflows.

Use the GitHub Action to automatically deploy a Bicep file to Azure.

Workflow file overview

A Action is defined by a YAML (.yml) file in the /.github/workflows/ path in your github repository. This definition holds all the steps and parameters that make up the workflow.

The file YAML file that we will be creating has two sections:

Authentication :

1. Create a service principal on Azure

2. Store it as Secret into Github Secret

Deployment :

  1. Create a file with Bicep file
  2. Push the file to your github repository

Create Service Principle for deployment credentials

Create a resource group by using the following command in Azure CLI

az group create -n {AzwayGroup} -l {location}

Replace Your_App_Name  with the name of your new application and replace AzwayGroup and trailing resourceGroups if you want to provide access on the Subscription directly

az ad sp create-for-rbac --name Your_App_Name --role contributor --scopes /subscriptions/xxxx-xxxx-xxxx-xxx/resourceGroups/{AzwayGroup} --sdk-auth

Configure the GitHub secrets

You need to create secrets for your Azure credentials, resource group, and subscriptions.

  1. Visit your repository on Github.
  2. Click settings Settings
  3. Click Secrets
  4. Click New secret.
  5. Paste the JSON output from the Azure CLI with { } into the secret’s value field.
  6. Name the secret AZURE_Login.
  7. Create another secret named AZURE_RG.
  8. Add the name of your resource group to the secret’s value field
  9. Create another secret named AZURE_SUBSCRIPTION.
  10. Add your subscription ID to the secret’s value field (example: 34fasda9d-4c61-497d-99ba-112esx4rgh6).

Add a Bicep file

Add a Bicep file to your GitHub repository. The following Bicep file creates a storage account

/ Input parameters must be specified by the module consumer
param publicIpResourceName string ='samplepip'
param publicIpDnsLabel string = '${publicIpResourceName}-${newGuid()}'
param location string = resourceGroup().location
param dynamicAllocation bool = True

resource publicIp 'Microsoft.Network/publicIPAddresses@2020-06-01' = {
  name: publicIpResourceName
  location: location
  properties: {
    publicIPAllocationMethod: dynamicAllocation ? 'Dynamic' : 'Static'
    dnsSettings: {
      domainNameLabel: publicIpDnsLabel

// Set an output which can be accessed by the module consumer
output ipFqdn string =

You can put the file anywhere in the repository. The workflow sample in the next section assumes the Bicep file is named azuredeploy.bicep, and it’s stored at the root of your repository.

Create workflow

The workflow file must be stored in the .github/workflows folder at the root of your repository. The workflow file extension can be either .yml or .yaml.

  1. From your GitHub repository, select Actions from the top menu.
  2. Select New workflow.
  3. Select set up a workflow yourself.
  4. Rename the workflow file if you prefer a different name other than main.yml. For example: deploy.yml.
  5. Replace the content of the yml file with the following
on: [push]
name: Azure ARM
    runs-on: ubuntu-latest

      # Checkout code
    - uses: actions/checkout@main

      # Log into Azure
    - uses: azure/login@v1
        creds: ${{ secrets.AZURE_Login }}

      # Deploy Bicep file
    - name: deploy
      uses: azure/arm-deploy@v1
        subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
        resourceGroupName: ${{ secrets.AZURE_RG }}
        template: ./azuredeploy.bicep
        failOnStdErr: false

The workflow starts right after you commit the changes.

Check workflow status

  1. Select the Actions tab. You’ll see a Create deploy.yml workflow listed. It takes 1-2 minutes to run the workflow.
  2. Select the workflow to open it.
  3. Select Run ARM deploy from the menu to verify the deployment.

Leave a Reply

Your email address will not be published. Required fields are marked *