
GitHub Actions and Azure - Using Environments with GitHub Actions
Once you have a working GitHub Actions workflow, the next challenge is safely deploying across dev, staging, and production with the right secrets in the right places. This episode deep-dives into GitHub Actions Environments: how to scope secrets per environment to enforce the principle of least privilege, configure required reviewers and wait timers as production gates, and assign service principals with minimal Azure RBAC permissions. A live demo deploys the cloudwithchris.com Hugo site to Azure Storage, making every concept concrete.
Chris explains why repository-level secrets are a security anti-pattern for multi-environment pipelines — a secret accessible to a dev workflow has no business being readable by the production deployment step. GitHub Actions Environments solve this by scoping secrets to a named environment, so only workflows targeting that environment can read those values. The episode walks through configuring required reviewers (manual approval gates) and wait timers for the production environment, creating environment-specific service principals in Azure Active Directory with narrowly scoped RBAC roles, and structuring a multi-job YAML workflow that promotes through environments. The principle of least privilege runs as a thread throughout — limiting blast radius if a secret or credential is ever compromised.
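The multi-job, environment-scoped workflow described above could look like the following. This is an added example, not the workflow from the episode or the cloudwithchris.com repository. The environment names `staging` and `production`, the secret name `AZURE_CREDENTIALS`, the variable name `STORAGE_ACCOUNT` and the action versions are assumptions.

```yaml
# Added illustration; environment, secret and variable names are assumptions.
name: deploy-site
on:
  push:
    branches: [main]
permissions:
  contents: read              # the workflow token only needs to read the repo
jobs:
  build:                      # no environment: cannot read any environment secret
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: peaceiris/actions-hugo@v2
        with:
          hugo-version: latest
      - run: hugo --minify
      - uses: actions/upload-artifact@v4
        with: { name: site, path: public }
  deploy-staging:
    needs: build
    runs-on: ubuntu-latest
    environment: staging      # secrets/vars below resolve to the staging values
    steps:
      - uses: actions/download-artifact@v4
        with: { name: site, path: public }
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}   # staging-only service principal
      - run: >
          az storage blob upload-batch --auth-mode login
          --account-name "${{ vars.STORAGE_ACCOUNT }}"
          --destination '$web' --source public --overwrite
  deploy-production:
    needs: deploy-staging     # promotion: runs only after staging succeeds
    runs-on: ubuntu-latest
    environment: production   # job pauses here for required reviewers / wait timer
    steps:
      - uses: actions/download-artifact@v4
        with: { name: site, path: public }
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}   # same name, production-only value
      - run: >
          az storage blob upload-batch --auth-mode login
          --account-name "${{ vars.STORAGE_ACCOUNT }}"
          --destination '$web' --source public --overwrite
```

Each service principal is assumed to hold only a blob data-plane role (for example Storage Blob Data Contributor) scoped to its own storage account, so a leaked staging credential cannot write to the production site.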
Related Content

GitHub Actions and Azure - Deploying .NET Core code to Azure App Service
You have your .NET Core application code and your Azure App Service infrastructure is ready. Now it's time to wire them together with an automated GitHub Actions deployment pipeline. This episode walks through building a multi-job workflow that compiles, publishes, and deploys your .NET Core app to Azure App Service using publish profiles and GitHub Secrets.

Discussing the Cloud with Chris GitHub Architecture and GitHub setup
Karl Cooke (irishtechie.com) interviews Chris Reddington about the full architecture and GitHub workflow powering CloudWithChris.com. The session covers Azure Storage static website hosting, Azure CDN with a custom rules engine for enforcing HTTPS and security headers (CSP, HSTS, Permissions Policy), Hugo as the static site generator, multi-environment GitHub Actions pipelines (preview, staging, production), GitHub Codespaces for in-browser editing, and practical security hardening using securityheaders.com and Mozilla Observatory.

V016 - Weekly Technology Vlog #16
Weekly Vlog #16 covers significant IoT Edge updates — including nested device hierarchies now GA and zero-touch provisioning blueprints — plus the GA of Azure API Management support for availability zones and a new open-source API portal. GitHub highlights include a detailed guide to implementing least-privilege secrets in GitHub Actions using environments and branch protection rules, and the GitHub CLI's new support for managing Actions workflows from the terminal. Chris recaps two Global Azure talks on Hugo static sites and GitHub Actions, shares a SecurityHeaders.com deep-dive using Azure CDN rules, and previews Azure RBAC data-plane content and an upcoming Azure Spring Cloud session.