feat: Azure ACR push and WebApp deployment for terrain-gpu-demo #17

Merged: maxfelker merged 3 commits into main from deploy-to-azure on Mar 2, 2026
@maxfelker

Owner

Summary

Adds Azure infrastructure and CI/CD pipeline to build, push, and deploy the terrain-webgpu Docker image to a new terrain-gpu-demo Azure WebApp.

What's included

.azure/ — Bicep infrastructure

  • main.bicep — defines:
    • App Service Plan ASP-terrain-gpu (B1, Linux)
    • WebApp terrain-gpu-demo with system-assigned managed identity
    • AcrPull role assignment on maxfelkershared ACR for the managed identity (no stored credentials at runtime)
  • main.bicepparam — deployment parameters
  • README.md — documents layout and az deployment group create usage

.github/workflows/deploy.yml — Deploy workflow

Triggers on push to main. Uses OIDC workload identity federation — no stored secrets or client passwords:

  1. azure/login@v2 with AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_SUBSCRIPTION_ID
  2. az acr login for ephemeral ACR token (no username/password)
  3. Build & push maxfelkershared.azurecr.io/terrain-gpu:${{ github.sha }} + :latest
  4. Deploy to terrain-gpu-demo in maxfelker.com resource group

Security

  • ✅ OIDC federated identity credentials (no client secrets)
  • ✅ Managed identity for WebApp → ACR auth at runtime
  • ✅ GitHub secrets: only AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID

Deploy infrastructure (one-time)

az deployment group create \
  --resource-group maxfelker.com \
  --template-file .azure/main.bicep \
  --parameters .azure/main.bicepparam
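
A minimal workflow matching the four steps in the description above, written as an added example rather than the repository's actual deploy.yml. The job name, the checkout step, a Dockerfile at the repository root, deploying by commit SHA, and the `az webapp config container set` deploy command are assumptions; the `permissions` block is what lets `azure/login` request a GitHub OIDC token in place of a client secret.

```yaml
# Added example, not the project's own workflow file.
name: deploy
on:
  push:
    branches: [main]

# id-token: write is required for OIDC; without it azure/login cannot
# obtain a token to exchange with Entra ID. Everything else stays read-only.
permissions:
  id-token: write
  contents: read

env:
  ACR_NAME: maxfelkershared
  IMAGE: maxfelkershared.azurecr.io/terrain-gpu

jobs:
  deploy:                      # hypothetical job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # The three values are identifiers, not credentials. The Entra app
      # registration must hold a federated credential whose subject matches
      # this repository and branch: repo:<owner>/<repo>:ref:refs/heads/main
      - name: Azure login (OIDC)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Short-lived registry token derived from the Azure session above.
      - name: ACR login
        run: az acr login --name "$ACR_NAME"

      - name: Build and push
        run: |
          docker build -t "$IMAGE:$GITHUB_SHA" -t "$IMAGE:latest" .
          docker push "$IMAGE:$GITHUB_SHA"
          docker push "$IMAGE:latest"

      # Assumption: pin the WebApp to the immutable SHA tag, not :latest.
      - name: Deploy
        run: |
          az webapp config container set \
            --resource-group maxfelker.com \
            --name terrain-gpu-demo \
            --container-image-name "$IMAGE:$GITHUB_SHA"
```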

maxfelker and others added 3 commits March 2, 2026 13:01

- Triggers on push to main
- Uses workload identity federation (OIDC), no stored secrets
- az acr login for ephemeral ACR token (no username/password)
- Pushes image to maxfelkershared.azurecr.io/terrain-gpu
- Deploys to terrain-gpu-demo Azure WebApp

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- App Service Plan ASP-terrain-gpu (B1 Linux)
- WebApp terrain-gpu-demo with system-assigned managed identity
- AcrPull role assignment for MI on maxfelkershared ACR
- No secrets: uses managed identity for ACR auth at runtime

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Azure Bicep BCP139 requires cross-resource-group role assignments
to use modules scoped to the target RG. Extracted the AcrPull
assignment on maxfelkershared ACR into .azure/acr-role.bicep.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@maxfelker maxfelker merged commit 4440c59 into main Mar 2, 2026
1 check passed
@maxfelker maxfelker deleted the deploy-to-azure branch March 20, 2026 04:10