Azure / static-web-apps

Azure Static Web Apps. For bugs and feature requests, please create an issue in this repo. For community discussions, latest updates, kindly refer to the Discussions Tab. To know what's new in Static Web Apps, visit https://aka.ms/swa/ThisMonth
https://aka.ms/swa
MIT License

GitHub Action - Add WebApp/FunctionApp restriction Allow Rule before build #487

Open stunney opened 3 years ago

stunney commented 3 years ago

Our Static Web App (Preview) app is using Next.js. During rendering of the static site the build calls several of our Azure Functions.

We are not a public site yet, so we do not want these functions public quite yet. Also want to keep costs/risk down.

We are using the built-in GH Actions (code below).

Is there a way to call the Azure API to temporarily add the actions agent that is running our build (hosted by GitHub) so that the calls can be made successfully and then remove the rule at the end?

I can do these things via PowerShell with Add-AzWebAppAccessRestrictionRule but that requires me to sign on. Not sure what is available via Actions and if an API key could be used in Secrets.

Thank you!

```yaml
name: Azure Static Web Apps CI/CD

on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened, closed]
    branches:
      - main

jobs:
  build_and_deploy_job:
    if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
    runs-on: ubuntu-latest
    name: Build and Deploy Job
    steps:
      - uses: actions/checkout@v2
        with:
          submodules: true
      - name: Build And Deploy
        id: builddeploy
        uses: Azure/static-web-apps-deploy@v0.0.1-preview
        with:
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_JOLLY_GRASS_07AED040F }}
          repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments)
          action: "upload"
          ###### Repository/Build Configurations - These values can be configured to match your app requirements. ######
          # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig
          app_location: "/" # App source code path
          api_location: "api" # Api source code path - optional
          output_location: "out" # Built app content directory - optional
          ###### End of Repository/Build Configurations ######

  close_pull_request_job:
    if: github.event_name == 'pull_request' && github.event.action == 'closed'
    runs-on: ubuntu-latest
    name: Close Pull Request Job
    steps:
      - name: Close Pull Request
        id: closepullrequest
        uses: Azure/static-web-apps-deploy@v0.0.1-preview
        with:
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_JOLLY_GRASS_07AED040F }}
          action: "close"
```

v-anvari commented 3 years ago

Tagging @anthonychu for any further information or insights.

anthonychu commented 3 years ago

Thanks @v-anvari. Will transfer to Static Web Apps repo for further discussion.

anthonychu commented 3 years ago

Can't really think of a great solution to this. If you are open to running the build yourself by setting up additional steps before the Static Web Apps action, you can potentially spin up Azure Functions Core Tools in the workflow and have the Next.js app call that during build. That way you have a private instance of the function app.
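
The temporary allow rule asked about in the opening post can be scripted with the Azure CLI inside the same job. The workflow below is an added example, not part of the original thread or the project's own code. It assumes a service principal stored in a secret named `AZURE_CREDENTIALS`, placeholder resource group and Function App names, and the third-party service `api.ipify.org` to discover the runner's egress IPv4 address.

```yaml
# Added example; RG, FUNC_APP and AZURE_CREDENTIALS are assumed placeholder names.
env:
  RG: my-resource-group           # placeholder resource group
  FUNC_APP: my-function-app       # placeholder Function App name
  RULE: gha-${{ github.run_id }}  # short rule name, unique per workflow run

jobs:
  build_and_deploy_job:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          submodules: true

      # Non-interactive sign-in with a service principal held in a repository secret.
      # Scope its role assignment to the one Function App, not the subscription.
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Allow this runner's egress IP
        run: |
          ip="$(curl -fsS https://api.ipify.org)"
          az functionapp config access-restriction add \
            --resource-group "$RG" --name "$FUNC_APP" \
            --rule-name "$RULE" --action Allow \
            --ip-address "$ip/32" --priority 200

      - name: Build And Deploy
        uses: Azure/static-web-apps-deploy@v0.0.1-preview
        with:
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_JOLLY_GRASS_07AED040F }}
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          action: "upload"
          app_location: "/"
          api_location: "api"
          output_location: "out"

      # always() runs this step even if the build fails or the run is cancelled,
      # so the allow rule does not outlive the job.
      - name: Remove the temporary rule
        if: always()
        run: |
          az functionapp config access-restriction remove \
            --resource-group "$RG" --name "$FUNC_APP" \
            --rule-name "$RULE"
```

The rule only narrows network exposure for the duration of the job; hosted runner addresses are not dedicated to one repository, so the functions' own authorization (for example function keys) should stay enabled.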