Azure / cli

Automate your GitHub workflows using Azure CLI scripts
MIT License

Secure workflow strategy for Azure CLI output configuration #119

Closed MoChilia closed 8 months ago

MoChilia commented 8 months ago

When creating workflows, especially in a public repository, it's crucial to ensure that your build logs don't expose any sensitive data. You should proactively safeguard sensitive information by storing it as a secret, masking any sensitive value in logs, and setting the repositories and CI instances to private if they don't need to be public.

Moreover, Azure CLI commands write their output to both the stdout stream and the build log by default. Azure CLI suggests protecting output information by setting the output to none, see https://aka.ms/clisecrets. You may configure Azure CLI to not print any output by setting the environment variable AZURE_CORE_OUTPUT to none when you invoke Azure CLI commands in your workflow. For example,

# File: .github/workflows/workflow.yml

on: [push]

name: Redirect Azure CLI commands' output to none

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}

    - uses: azure/CLI@v1
      env:
        # Suppress all Azure CLI output so nothing reaches the build log
        AZURE_CORE_OUTPUT: none
      with:
        azcliversion: latest
        inlineScript: |
          az webapp config appsettings set --resource-group <resourcegroupname> --name <sitename> --settings <settings>

For detailed guidance on how to set environment variables in a workflow, refer to the GitHub doc: https://docs.github.com/en/actions/learn-github-actions/variables.

When you need the output of a specific command, you can add the argument --output json to restore its output. For example,

$settings = (az webapp config appsettings list --resource-group <resourcegroupname> --name <sitename> --output json)

For more information about the configuration settings and output format of Azure CLI, see CLI configuration values and environment variables.
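As an added example (not part of this issue or of the azure/cli project), the following shell helpers show how the two patterns above fit together inside an inlineScript: every az call runs with AZURE_CORE_OUTPUT=none, JSON is restored only for the one call whose result is needed, and the captured values are masked with the GitHub Actions ::add-mask:: command before any later step can echo them. The function names az_quiet, az_json and mask_values_from_json are assumptions, as is the constructed sample JSON in the comments.

```shell
#!/usr/bin/env sh
# Added example, not code from the issue or the azure/cli repository.

# Run an az command with all output suppressed (AZURE_CORE_OUTPUT=none),
# so nothing is written to stdout or the build log.
az_quiet() {
  AZURE_CORE_OUTPUT=none az "$@"
}

# Run an az command with output suppressed by default, but restore JSON for
# this single call via --output json so the caller can capture it with $(...).
# The caller decides whether anything is ever printed.
az_json() {
  AZURE_CORE_OUTPUT=none az "$@" --output json
}

# Given the JSON returned by `az webapp config appsettings list`, e.g. the
# constructed sample
#   [{"name":"DB_PASSWORD","slotSetting":false,"value":"s3cr3t"}]
# emit one ::add-mask:: workflow command per "value" field so the GitHub
# Actions runner masks those strings in the log from then on.
mask_values_from_json() {
  printf '%s\n' "$1" \
    | grep -o '"value": *"[^"]*"' \
    | sed 's/^"value": *"//; s/"$//' \
    | while IFS= read -r v; do
        [ -n "$v" ] && printf '::add-mask::%s\n' "$v"
      done
}

# Typical use inside an inlineScript (assumed placeholders):
#   settings=$(az_json webapp config appsettings list \
#                --resource-group <resourcegroupname> --name <sitename>)
#   mask_values_from_json "$settings"   # mask before any further echo
#   az_quiet webapp config appsettings set \
#                --resource-group <resourcegroupname> --name <sitename> \
#                --settings <settings>
```

The masking line must run before any step prints the captured values, because ::add-mask:: only affects log lines written after it is issued.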

jiasli commented 8 months ago

It is interesting that GitHub-flavored markdown supports Warning:

> **Warning**
> This is a warning...