Updates to GitHub action for container deployments

Author: ggailey777

articles/azure-functions/functions-continuous-deployment.md

@@ -182,7 +182,7 @@ If you want to use a different deployment source or build provider for continuou
 
 ## Enable basic authentication for deployments
 
-By default, your function app is created with basic authentication access to the `scm` endpoint disabled. This blocks publishing by all methods that can't use managed identities to access the `scm` endpoint. The publishing impacts of having the `scm` endpoint disabled are detailed in [Deployment without basic authentication](../app-service/configure-basic-auth-disable.md#deployment-without-basic-authentication). 
+In some cases, your function app is created with basic authentication access to the `scm` endpoint disabled. This blocks publishing by all methods that can't use managed identities to access the `scm` endpoint. The publishing impacts of having the `scm` endpoint disabled are detailed in [Deployment without basic authentication](../app-service/configure-basic-auth-disable.md#deployment-without-basic-authentication). 
 
 > [!IMPORTANT]
 > When you use basic authenication, credentials are sent in clear text. To protect these credentials, you must only access the `scm` endpoint over an encrypted connection (HTTPS) when using basic authentication. For more information, see [Secure deployment](security-concepts.md#secure-deployment).

articles/azure-functions/functions-how-to-github-actions.md

@@ -9,32 +9,14 @@ zone_pivot_groups: github-actions-deployment-options
 
 # Continuous delivery by using GitHub Actions
 
-You can use a [GitHub Actions workflow](https://docs.github.com/actions/learn-github-actions/introduction-to-github-actions#the-components-of-github-actions) to define a workflow to automatically build and deploy code to your function app in Azure Functions. This article supports both code deployments to Azure Functions (using the `Azure/functions-action` action) and image deployments to a container registry (using `Azure/functions-container-action`). 
+You can use a [GitHub Actions workflow](https://docs.github.com/actions/learn-github-actions/introduction-to-github-actions#the-components-of-github-actions) to automatically build and deploy your function code to Azure. This article supports these GitHub Actions-based deployment methods: 
 
-A YAML file (.yml) that defines the workflow configuration is maintained in the `/.github/workflows/` path in your repository. This definition contains the actions and parameters that make up the workflow, which is specific to the development language of your functions. 
-
-### [Code deployment](#tab/code-only)
-
-A GitHub Actions workflow for Functions performs the following tasks, regardless of language: 
-
-1. Set up the environment.
-1. Build the code project.
-1. Deploy the package to a function app in Azure.
-
-The Azure Functions action handles the deployment to an existing function app in Azure. 
-
-### [Container deployment](#tab/container2)
+| Method | Action | Tasks |
+| ---- | ---- | ---- |
+| Code-only | `Azure/functions-action` | 1. Set up the environment.<br/>2. Build the code project.<br/>3. Deploy the package to a function app in Azure.   |
+| Container | `Azure/functions-container-action` | 1. Set up the environment.<br/>2. Build the Docker container.<br/>3. Push the image to the container registry.<br/>4. Deploy the container to Azure. | 
 
-A GitHub Actions workflow for containerized function apps performs the following tasks: 
-
-1. Set up the environment.
-1. Build the Docker container.
-1. Push the image to the registry.
-1. Deploy the container to Azure
-
-The Azure Functions container action handles the deployment from an existing container registry to Azure. 
-
----
+A YAML file (.yml) that defines the workflow configuration is maintained in the `/.github/workflows/` path in your repository. This definition contains the actions and parameters that make up the workflow, which is specific to the development language of your functions. 
 
 You can create a workflow configuration file for your deployment manually. You can also generate the file from a set of language-specific templates in one of these ways:  
 
@@ -62,26 +44,62 @@ If you don't want to create your YAML file by hand, select a different method at
 ::: zone-end
 ::: zone pivot="method-manual,method-template"
 
-## Generate deployment credentials
+## Choose deployment credentials
 
-Since GitHub Actions requires credentials to be able to access your function app (code deployment) your container registry (container deployment), you first need to get the credentials you need from your Azure service and store them securely as [GitHub secrets](https://docs.github.com/en/actions/reference/encrypted-secrets).  
+Since GitHub Actions requires credentials to be able to access Azure resources, you first need to get the credentials you need from Azure and store them securely in your repository as [GitHub secrets](https://docs.github.com/en/actions/reference/encrypted-secrets). 
 
-### Get the service access credentals
+There are several supported authentication credentials you can use when deploying your code to Azure using GitHub Actions. This article supports these credentials: 
+
+| Credential | Set in... | Deployment type | Usage |
+| ---- | ---- |  --- |  --- |
+| Publish profile | [`Azure/functions-action`](https://github.com/marketplace/actions/azure-functions-action) | Code-only | Use the basic authentication credentials in the publish profile to connect to the `scm` deployment endpoint. |
+| Service principal secret |[`Azure/login`](https://github.com/Azure/login) | Code-only<br/>Containers | Using the [credentials of an Azure service principal](https://github.com/marketplace/actions/azure-login?version=v1.6.1#login-with-a-service-principal-secret) to perform identity-based authentication during deployment. |
+| Docker credentials | [`docker/login-action`](https://github.com/marketplace/actions/docker-login) | Container | When accessing a private Docker container registry. For an Azure Container Registry, you can also use an Azure service principal secret. |  
+
+You must securely store the required credentials in GitHub secrets for use by GitHub Actions during deployment. 
+
+## Get the service access credentals
 
 >[!IMPORTANT]
->In this section you are working with valuable credentials that allow access to Azure resources. Make sure you always transport and store credentials securely. In GitHub, these credentials must only be stored as GitHub secrets.
+>In this section you are working with valuable credentials that allow access to Azure resources. Make sure you always transport and store credentials securely. In GitHub, these credentials **must** only be stored as GitHub secrets.
 
-### [Code deployment](#tab/code-only)
+### [Publish profile](#tab/publish-profile)
+
+Publish profile is an XML-formated object that contains basic authentication credentials used to access the `scm` deployment endpoint. These credentials are used by tools like Visual Studio and Azure Functions Core Tools to deploy code to your function app. Publish profiles require you to [enable basic authentication](./functions-continuous-deployment.md#enable-basic-authentication-for-deployments) on the `scm` management endoint.
 
 [!INCLUDE [functions-download-publish-profile](../../includes/functions-download-publish-profile.md)]
 
-### [Container deployment](#tab/container2)
+### [Service principal secret](#tab/service-principal)
+
+You can use the identity of a service principal in Azure when connecting to your app's `scm` deployment endpoint. This is also the recommended way to connect to an Azure Container Registry from your GitHub account. You use Azure role-based access control (Azure RBAC) to limit access only to the Azure resources required for publishing.
+
+1. Use this [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command to create a service principal and get its credential:
+
+    ```azurecli
+    az ad sp create-for-rbac --name "<APP_NAME>_deployment" --role contributor --scopes /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Web/sites/<APP_NAME> --sdk-auth
+    ```
+
+    Replace `<SUBSCRIPTION_ID>`, `<RESOURCE_GROUP>`, and `<APP_NAME>` with the names of your subscription, resource group, and function app. 
+
+    The output from this command is a JSON object that is the credential that GitHub Actions uses to connect to your app.You need to securely retain this output until you can add as a GitHub secret.
 
-The most secure way to access Azure Container Registry from your GitHub account is by using Azure role-based access control (Azure RBAC). Use these steps to create the   
+1. (Optional) To deploy a containerized function app from Azure Container Registry, use this [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to add the `acrpull` role to the new service principal:
+
+    ```azurecli    
+    az role assignment create --assignee <SERVICE_PRINCIPAL_ID> --scope /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.ContainerRegistry/registries/<REGISTRY_NAME> --role acrpull
+    ```
+
+    Replace `<SUBSCRIPTION_ID>`, `<RESOURCE_GROUP>`, and `<REGISTRY_NAME>` with the names of your subscription, resource group, and registry.Replace `<SERVICE_PRINCIPAL_ID>` with the `clientID` from the credentials you obtained in the previous step. The role you added is scoped to your specific Azure Container Registry instance.
+ 
+### [Docker credentials](#tab/docker-credentials)
+
+You need to use registry-specific credentials when deploying a container from a private container registry. For Azure Container Registry (ACR), you can also use the service principal credential. 
+
+The way that you obtain this credential depends on the container registry. For more information, see [Docker Login Action](https://github.com/marketplace/actions/docker-login#usage).
 
 ---
 
-### Add the GitHub secret
+## Add credentials to GitHub secrets
 
 1. In [GitHub](https://github.com/), go to your repository.
 
@@ -91,11 +109,30 @@ The most secure way to access Azure Container Registry from your GitHub account
 
 1. Select **New repository secret**.
 
-1. Add a new secret with the name `AZURE_FUNCTIONAPP_PUBLISH_PROFILE` and the value set to the contents of the publishing profile file.
+1. Define the secret, which depends on your chosen credential:
+
+    ### [Publish profile](#tab/publish-profile)
+
+    + **Name**: `AZURE_FUNCTIONAPP_PUBLISH_PROFILE`
+    + **Secret**: Paste the entire XML contents of the publish profile. 
+
+    ### [Service principal secret](#tab/service-principal)
+    
+    + **Name**: `AZURE_CREDENTIALS`
+    + **Secret**: Paste the entire JSON output you obtained when you created your service principal. 
+    
+    ### [Docker credentials](#tab/docker-credentials)
+    
+    + **Name**: `REGISTRY_USERNAME`
+    + **Secret**: The username of your account in the private Docker registry. 
+    + **Name**: `REGISTRY_PASSWORD`
+    + **Secret**: The password for your account in the private Docker registry. 
+    
+    ---
 
 1. Select **Add secret**.
 
-GitHub can now authenticate to your function app in Azure.
+GitHub can now authenticate with your Azure resources during deployment.
 ::: zone-end
 ::: zone pivot="method-manual"
 
@@ -167,14 +204,28 @@ The best way to manually create a workflow configuration is to start from the of
 
     Remember to do the following before you use this YAML file:
     
-    + Add `AZURE_CREDENTIALS` to your GitHub repository secrets.
-    + Add `REGISTRY_USERNAME` to your GitHub repository secrets.
-    + Add `REGISTRY_PASSWORD` to your GitHub repository secrets.
     + Update the values of `REGISTRY`, `NAMESPACE`, `IMAGE`, and `TAG` based on your container registry. 
-    
+    + To use service principal credentials with Azure Container Registry, replace the existing `azure/docker-Login` action with this `docker/login-action`:
+
+    ```yml
+    - name: Login to ACR
+      uses: docker/login-action@v3
+      with:
+        registry: <registry-name>.azurecr.io
+        username: ${{ secrets.AZURE_CREDENTIALS.clientId }}
+        password: ${{ secrets.AZURE_CREDENTIALS.clientSecret }}
+    ```
     --- 
 
 1. Update the `env.AZURE_FUNCTIONAPP_NAME` parameter with the name of your function app resource in Azure. You may optionally need to update the parameter that sets the language version used by your app, such as `DOTNET_VERSION` for C#. 
+ 
+1. To use a service principal credential instead of a publish profile, remove `publish-profile` from the `azure/functions-action` and add this `azure/login` action before `azure/functions-action`:
+
+    ```yml
+    - name: 'Login w/ service principal'
+      uses: azure/login@v2
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
 
 1. Add this new YAML file in the `/.github/workflows/` path in your repository. 
 
@@ -258,6 +309,14 @@ You can create the GitHub Actions workflow configuration file from the Azure Fun
 
 1. In the newly created YAML file, update the `env.AZURE_FUNCTIONAPP_NAME` parameter with the name of your function app resource in Azure. You may optionally need to update the parameter that sets the language version used by your app, such as `DOTNET_VERSION` for C#.  
 
+1. To use a service principal credential instead of a publish profile, remove `publish-profile` from the `azure/functions-action` and add this `azure/login` action before `azure/functions-action`:
+
+    ```yml
+    - name: 'Login w/ service principal'
+      uses: azure/login@v2
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
+
 1. Verify that the new workflow file is being saved in `/.github/workflows/` and select **Commit changes...**.  
 ::: zone-end
 
@@ -319,6 +378,14 @@ Python functions aren't supported on Windows. Choose Linux instead.
 
 :::code language="yml" source="~/azure-actions-workflow-samples/FunctionApp/linux-powershell-functionapp-on-azure.yml" range="1-5,13-31"::: 
 
+### [Container](#tab/Container/windows)
+    
+Container deployments aren't supported on Windows. Choose Linux instead.
+
+### [Container](#tab/Container/linux)
+  
+:::code language="yml" source="~/azure-actions-workflow-samples/FunctionApp/linux-container-functionapp-on-azure.yml" range="9-57":::   
+
 --- 
 
 ## Azure Functions action
@@ -333,7 +400,7 @@ The following parameters are most commonly used with this action:
 |---------|---------|
 |_**app-name**_ | (Mandatory) The name of your function app. |
 |_**slot-name**_ | (Optional) The name of a specific [deployment slot](functions-deployment-slots.md) you want to deploy to. The slot must already exist in your function app. When not specified, the code is deployed to the active slot. |
-|_**publish-profile**_ | (Optional) The name of the GitHub secret that contains your publish profile. |
+|_**publish-profile**_ | (Optional) The name of the GitHub secret that contains your publish profile. Don't include this if you are instead using a service principal credential with `azure/login`.|
 
 The following parameters are also supported, but are used only in specific cases:
 

includes/functions-download-publish-profile.md

@@ -8,7 +8,11 @@ ms.author: glenga
 
 To download the publishing profile of your function app:
 
-1. Select the function app's **Overview** page, and then select **Get publish profile**.
+1. In the [Azure portal](https://portal.azure.com), locate the page for your function app, expand **Settings** > **Configuration** in the left column.
+
+1. In the **Configuration** page, select the **General settings** tab and make sure that **SCM Basic Auth Publishing Credentials** is turned **On**. When this setting is **Off**, you can't use publish profiles, so select **On** and then **Save**. 
+
+1. Go back to the function app's **Overview** page, and then select **Get publish profile**.
 
    :::image type="content" source="../articles/azure-functions/media/functions-how-to-github-actions/get-publish-profile.png" alt-text="Download publish profile":::