Project blog

Add publishing profile secret to GitHub Actions using Pulumi - Azure Web Apps

December 29, 2021 | 2 Minute Read

Adding an Azure Web Apps publishing profile as a secret to GitHub Actions is quite easy to do using the built-in functionality in Pulumi. In this article I will show you how it can be done.

Below is an example of how you can pull the publishing credentials, format them into an XML string that the Azure webapps-deploy GitHub Action can parse, and finally set it as a secret in your repo:

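from xml.sax.saxutils import quoteattr

import pulumi
import pulumi_github as gh
from pulumi_azure_native import web
from pulumi_azure_native.web import ListWebAppPublishingCredentialsResult

# `app` (the web app) and `resource_group` are created elsewhere in the Pulumi program.
config = pulumi.Config()


def create_publish_profile(publish_profile: ListWebAppPublishingCredentialsResult, app_url: str) -> str:
    # scm_uri embeds the credentials before "@"; keep only the host and add the port.
    publish_url = publish_profile.scm_uri.split("@")[-1] + ":443"
    user_name = publish_profile.publishing_user_name
    user_pwd = publish_profile.publishing_password
    destination_app_url = "https://" + app_url

    # quoteattr() escapes each value and adds the surrounding quotes, so a
    # character such as & or " in a credential cannot break the XML.
    publish_profile_string = f"""<publishData>
    <publishProfile
        publishUrl={quoteattr(publish_url)}
        userName={quoteattr(user_name)}
        userPWD={quoteattr(user_pwd)}
        destinationAppUrl={quoteattr(destination_app_url)}
    >
    </publishProfile>
</publishData>"""

    return publish_profile_string

# Fetch the publishing credentials of the deployed web app.
app_publish_credentials = web.list_web_app_publishing_credentials_output(
    name=app.name,
    resource_group_name=resource_group.name
)

# Store the rendered profile as a repository secret for the deploy workflow.
gh.ActionsSecret("github-publish-profile",
    secret_name="AZURE_WEBAPP_PUBLISH_PROFILE",
    repository=config.get("repo-name"),
    # Output.secret keeps the rendered profile encrypted in Pulumi state and masked in CLI output.
    plaintext_value=pulumi.Output.secret(pulumi.Output.all(
        app_publish_credentials,
        app.default_host_name,
    ).apply(lambda args: create_publish_profile(*args)))
)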

Remember to set the config values required to run GitHub-related commands. More info on this can be found in the Pulumi GitHub documentation.

How it works

The Azure webapps-deploy GitHub Action doesn’t use all the values included in the publish profile file that you can download from the Azure Portal. Therefore, we can create a minimal XML string containing only the values needed to run the deploy action. The exact values that webapps-deploy reads from the publish profile can be found in the source code. There we see that the only values the action reads are publishUrl, userName, userPWD and destinationAppUrl. Pulumi can provide those values via the list_web_app_publishing_credentials_output function. These credentials are passed into the create_publish_profile function and formatted as XML.
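Because the profile is hand-built XML holding a credential, it is worth checking that the four attributes survive a parse. The following added example (not from the original post or from the webapps-deploy project) compares unescaped string interpolation with a serializer; the function names and sample values are constructed for illustration, and the presence of XML metacharacters in a credential is an assumption used to exercise the failure mode.

```python
import xml.etree.ElementTree as ET

# The four attributes the page says webapps-deploy reads.
REQUIRED_ATTRS = ("publishUrl", "userName", "userPWD", "destinationAppUrl")


def build_profile_naive(publish_url, user_name, user_pwd, destination_app_url):
    """Plain string interpolation: values are not XML-escaped."""
    return (
        "<publishData><publishProfile "
        f'publishUrl="{publish_url}" userName="{user_name}" '
        f'userPWD="{user_pwd}" destinationAppUrl="{destination_app_url}">'
        "</publishProfile></publishData>"
    )


def build_profile_escaped(publish_url, user_name, user_pwd, destination_app_url):
    """Let ElementTree serialise the attributes so escaping is always correct."""
    root = ET.Element("publishData")
    ET.SubElement(root, "publishProfile", {
        "publishUrl": publish_url,
        "userName": user_name,
        "userPWD": user_pwd,
        "destinationAppUrl": destination_app_url,
    })
    return ET.tostring(root, encoding="unicode")


def read_profile(xml_text):
    """Return the four attributes, or None if the XML is malformed or incomplete."""
    try:
        node = ET.fromstring(xml_text).find("publishProfile")
    except ET.ParseError:
        return None
    if node is None or any(a not in node.attrib for a in REQUIRED_ATTRS):
        return None
    return {a: node.attrib[a] for a in REQUIRED_ATTRS}


# Constructed sample values, not real credentials.
SAMPLE = ("myapp.scm.azurewebsites.net:443", "$myapp", 'p&ss"w<rd', "https://myapp.azurewebsites.net")

if __name__ == "__main__":
    print(read_profile(build_profile_naive(*SAMPLE)))    # malformed XML
    print(read_profile(build_profile_escaped(*SAMPLE)))  # values round-trip
```

A malformed profile fails only at deploy time, inside the workflow, so running a round-trip check like `read_profile` before storing the secret surfaces the problem during `pulumi up` instead.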

Finally, the publishing profile string is added as a GitHub Actions secret to the relevant repository. A more complete and complex example where this is done can be found in this file.