So I'm trying to set up a GitHub Actions workflow which deploys an ARM template and then deploys multiple apps to Azure resources. Since I'm deploying multiple apps, I am trying to deploy the apps in a separate job from the ARM deployment so I can use the matrix strategy, but for some reason the azure/login action uses a different (and therefore wrong) subject identifier, which results in the deployment of the apps failing.
This is (a part of) the workflow:
name: push
on:
  push:
    branches:
      - develop
      - release/*
      - main
      - hotfix/*
permissions:
  id-token: write
  contents: write
jobs:
  # * other jobs *
  publish:
    needs: determine
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - projectName: 'ApiProj'
            publishPath: 'api'
          - projectName: 'FunctionsProj'
            publishPath: 'func'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Restore
        run: dotnet restore ./server
        env:
          NuGetPackageSourceCredentials: Username=DUMMY_USER;Password=${{ secrets.PAT_PACKAGES }}
      - name: Publish
        run: |
          dotnet publish ./server/src/${{ matrix.projectName }}/${{ matrix.projectName }}.csproj -c Release -o ./publish/${{ matrix.publishPath }}
      - name: Upload artifact for deployment job (API)
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.publishPath }}
          path: ./publish/${{ matrix.publishPath }}
  deploy-arm:
    # Deploy the app (if approved when needed by environment)
    needs: determine
    runs-on: ubuntu-latest
    environment: ${{ needs.determine.outputs.Environment }}
    steps:
      - name: Azure Login
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run ARM deploy
        uses: azure/arm-deploy@v2
        with:
          subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
          resourceGroupName: ${{ vars.AZURE_RG }}
          template: ./infra/deployments/main.json
          parameters: ./infra/deployments/main.parameters.${{needs.determine.outputs.Environment}}.json
  deploy-apps:
    needs: [ deploy-arm, publish ]
    runs-on: ubuntu-latest
    environment: ${{ needs.determine.outputs.Environment }}
    strategy:
      matrix:
        include:
          - artifact: 'api'
            publishProfile: ${{ secrets.AZURE_API_PUBLISH_PROFILE }}
          - artifact: 'func'
            publishProfile: ${{ secrets.AZURE_FUNC_PUBLISH_PROFILE }}
    steps:
      - name: Azure Login
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Download artifact from publish job
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.artifact }}
          path: app
      - name: Deploy to Azure Web App
        id: deploy-to-webapp
        uses: azure/webapps-deploy@v2
        with:
          app-name: resource-${{ matrix.artifact }}-app
          publish-profile: ${{ matrix.publishProfile }}
          package: ./app
Now, when the "deploy-arm" job does the azure login step, it uses the correct Subject Identifier:
subject claim - repo:OrganisationName/RepositoryName:environment:dev
and the template is deployed successfully (I verified this in Azure; all resources have been created).
In the next job "deploy-apps", the azure login step uses a different one:
subject claim - 'repo:OrganisationName/RepositoryName:ref:refs/heads/develop'
Can anyone explain to me why the subject identifier suddenly changes, and how I could resolve this?
The deploy-apps job depends on [ deploy-arm, publish ]. You set the environment to be needs.determine.outputs.Environment. I imagine the environment is not resolved here and the subject claim defaults to the branch you're deploying from. Adding determine to the list of dependencies should solve your issue:
deploy-apps:
  needs: [ deploy-arm, publish, determine ]
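As an added example (not part of the question or the answer), the following models GitHub's default OIDC subject rules and how the `needs` context decides whether the `environment:` expression resolves, so the two subjects seen in the question can be reproduced and each job's subject checked against the federated credentials configured in Entra. The job definitions, the `determine` output and the credential list are constructed; the assumption is that the federated credentials are the classic exact-match kind.

```python
import re

REPO = "OrganisationName/RepositoryName"   # from the question
REF = "refs/heads/develop"                 # branch that triggered the run
DETERMINE_OUTPUTS = {"determine": {"Environment": "dev"}}  # constructed output of `determine`
ENV_EXPR = "${{ needs.determine.outputs.Environment }}"

# Constructed job definitions, reduced to the two keys that decide the claim.
JOBS = {
    "deploy-arm": {"needs": ["determine"], "environment": ENV_EXPR},
    "deploy-apps": {"needs": ["deploy-arm", "publish"], "environment": ENV_EXPR},
    "deploy-apps-fixed": {"needs": ["deploy-arm", "publish", "determine"], "environment": ENV_EXPR},
}
NEEDS_EXPR = re.compile(r"\$\{\{\s*needs\.([\w-]+)\.outputs\.(\w+)\s*\}\}")

def resolve_environment(job, needs_outputs):
    """Evaluate `environment:` as the `needs` context does: outputs are only
    visible for jobs listed in `needs`; anything else evaluates to ''."""
    expr = job.get("environment", "")
    m = NEEDS_EXPR.fullmatch(expr.strip())
    if not m:
        return expr  # literal environment name (or none)
    upstream, output = m.groups()
    if upstream not in job.get("needs", []):
        return ""  # unresolved -> job runs without an environment
    return needs_outputs.get(upstream, {}).get(output, "")

def subject_claim(repo, environment, event, ref):
    """GitHub's default subject: environment wins, then pull_request, then ref."""
    if environment:
        return f"repo:{repo}:environment:{environment}"
    if event == "pull_request":
        return f"repo:{repo}:pull_request"
    return f"repo:{repo}:ref:{ref}"

def job_subject(job_name, event="push", ref=REF):
    env = resolve_environment(JOBS[job_name], DETERMINE_OUTPUTS)
    return subject_claim(REPO, env, event, ref)

def unmatched_jobs(job_names, federated_subjects):
    """Jobs whose token subject has no exact-match federated credential
    (assumes classic, non-wildcard credentials on the app registration)."""
    return [j for j in job_names if job_subject(j) not in federated_subjects]

if __name__ == "__main__":
    creds = {f"repo:{REPO}:environment:dev"}  # constructed: the only credential configured
    for name in JOBS:
        print(f"{name:17} -> {job_subject(name)}")
    print("no federated credential for:", unmatched_jobs(JOBS, creds))
```

Running it shows deploy-arm and deploy-apps-fixed producing the environment:dev subject while the original deploy-apps falls back to ref:refs/heads/develop, which is exactly the subject Entra has no credential for.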