I’m working in a private GitHub repository housing an Azure Functions project. I just used the Deployment Center feature in the Azure Portal to connect my Azure Function App to my GitHub repository and automatically generate a GitHub Actions YAML file.
That file looks something like this:
```yaml
# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
# More GitHub Actions for Azure: https://github.com/Azure/actions

name: Build and deploy dotnet core app to Azure Function App - my-functions

on:
  push:
    branches:
      - '*'
  workflow_dispatch:

env:
  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
  DOTNET_VERSION: '8.0.x' # set this to the dotnet version to use

jobs:
  build-and-deploy:
    runs-on: windows-latest
    permissions:
      id-token: write #This is required for requesting the JWT
    steps:
      - name: 'Checkout GitHub Action'
        uses: actions/checkout@v4

      - name: Setup DotNet ${{ env.DOTNET_VERSION }} Environment
        uses: actions/setup-dotnet@v1
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}

      - name: 'Resolve Project Dependencies Using Dotnet'
        shell: pwsh
        run: |
          pushd './${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}'
          dotnet build --configuration Release --output ./output -r win-x64 -p:PublishReadyToRun=true
          popd

      - name: Login to Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZUREAPPSERVICE_CLIENTID_XXX }}
          tenant-id: ${{ secrets.AZUREAPPSERVICE_TENANTID_XXX }}
          subscription-id: ${{ secrets.AZUREAPPSERVICE_SUBSCRIPTIONID_XXX }}

      - name: 'Run Azure Functions Action'
        uses: Azure/functions-action@v1
        id: fa
        with:
          app-name: 'my-functions'
          slot-name: 'Production'
          package: '${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}/output'
```
After some Googling and experimentation, I found this to be the problem:
```yaml
permissions:
  id-token: write
```
It seems that if you’re going to specify any permissions, you need to list the complete set of permissions that you require, because any permission you leave out of the block is no longer granted to the job’s token. So while we’ve requested the id-token: write permission, we still need permission to read the contents of the repository:
```yaml
permissions:
  contents: read
  id-token: write
```
Problem solved!
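The same rule can be checked before a push. The following is an added example, not part of the generated workflow or of GitHub's tooling: it models how a job's token permissions resolve (an explicit block sets every unlisted scope to none, and a job-level block replaces the workflow-level one) and flags steps whose action needs a scope the job does not grant. The workflow is passed as an already-parsed dictionary; the `REQUIRED` map, the `default` parameter and the function names are assumptions made for illustration.

```python
# Added example: lint a parsed workflow for token scopes its steps need.
LEVELS = {"none": 0, "read": 1, "write": 2}

# Scopes each action needs, as described in the post (azure/login via OIDC).
# Assumption: extend this map for other actions you use.
REQUIRED = {
    "actions/checkout": {"contents": "read"},
    "azure/login": {"id-token": "write"},
}

def effective(workflow, job, scope, default="read"):
    """Level granted for `scope`; a job-level block replaces the workflow one."""
    block = job.get("permissions", workflow.get("permissions"))
    if block is None:
        return default  # no block anywhere: repo/org default (assumed value)
    if block in ("read-all", "write-all"):
        return block.split("-")[0]
    return block.get(scope, "none")  # explicit block: unlisted scopes are none

def missing_permissions(workflow, default="read"):
    """Return (job, action, 'scope: level') for every unmet requirement."""
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        for step in job.get("steps", []):
            action = step.get("uses", "").split("@")[0].lower()
            for scope, need in REQUIRED.get(action, {}).items():
                have = effective(workflow, job, scope, default)
                if LEVELS[have] < LEVELS[need]:
                    findings.append((job_name, action, f"{scope}: {need}"))
    return findings

def make_workflow(permissions):
    # Constructed sample mirroring the steps of the workflow in the post.
    return {"jobs": {"build-and-deploy": {
        "permissions": permissions,
        "steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": "actions/setup-dotnet@v1"},
            {"uses": "azure/login@v1"},
            {"uses": "Azure/functions-action@v1"},
        ]}}}

BROKEN = make_workflow({"id-token": "write"})
FIXED = make_workflow({"contents": "read", "id-token": "write"})

if __name__ == "__main__":
    print("generated:", missing_permissions(BROKEN))
    print("fixed:    ", missing_permissions(FIXED))
```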
Sources:
https://github.com/actions/checkout/issues/254#issuecomment-1959289339
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs