# Git-Ape for DevOps & SRE
TL;DR — Git-Ape provides four GitHub Actions workflows for the full deployment lifecycle: plan-on-PR, deploy-on-merge, destroy-on-request. OIDC auth, no stored secrets, drift detection included.
## CI/CD Pipeline Architecture

### OIDC Setup (Zero Stored Secrets)

Git-Ape uses OIDC federated identity — the GitHub Actions runner exchanges a short-lived token for an Azure access token at deploy time. No `AZURE_CREDENTIALS` JSON blob.
Required GitHub secrets (identifiers only, not credentials):

| Secret | Purpose |
|---|---|
| `AZURE_CLIENT_ID` | App Registration's client ID |
| `AZURE_TENANT_ID` | Azure AD tenant ID |
| `AZURE_SUBSCRIPTION_ID` | Target subscription ID |
Federated credential config:

```text
Issuer:   https://token.actions.githubusercontent.com
Subject:  repo:{org}/{repo}:ref:refs/heads/main
Audience: api://AzureADTokenExchange
```
:::tip Automated Setup
Use @git-ape-onboarding to configure OIDC, RBAC, GitHub environments, and secrets in one guided session.
:::
## Workflow Deep Dive

### git-ape-plan.yml (PR validation)

Triggers: PR opened/updated with changes to `.azure/deployments/**/template.json`

- Detect which deployment directories changed
- Login to Azure via OIDC
- Validate ARM template (`az deployment sub validate`)
- Run what-if analysis (`az deployment sub what-if`)
- Post detailed plan as PR comment (architecture diagram + what-if + validation)
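The following workflow is an added example of the OIDC login and the five plan steps above, not Git-Ape's own `git-ape-plan.yml`. It assumes a `westeurope` deployment location, an optional `parameters.json` next to each `template.json`, and a federated credential whose subject matches a PR-triggered run (see the note after the block); the job and step names are invented.

```yaml
# Added example, not Git-Ape's git-ape-plan.yml. Assumed: DEPLOY_LOCATION,
# an optional parameters.json per deployment directory, job/step names.
name: git-ape-plan

on:
  pull_request:
    paths:
      - '.azure/deployments/**/template.json'

# Least privilege: id-token is what lets the runner request the OIDC token;
# pull-requests write is needed only to post the plan comment.
permissions:
  id-token: write
  contents: read
  pull-requests: write

env:
  DEPLOY_LOCATION: westeurope   # assumed; subscription-level deployments need a location

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the PR base commit is available to git diff

      # Step 1: which deployment directories does this PR touch?
      - name: Detect changed deployments
        id: changed
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          dirs=$(git diff --name-only "$BASE_SHA" HEAD -- '.azure/deployments/*/template.json' \
                 | xargs -r -n1 dirname | sort -u)
          {
            echo 'dirs<<EOF'
            echo "$dirs"
            echo 'EOF'
          } >> "$GITHUB_OUTPUT"

      # Step 2: OIDC login. The three secrets are identifiers only; azure/login
      # exchanges the GitHub-issued token for an Azure access token.
      - name: Azure login (OIDC)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Steps 3 and 4: validate, then what-if, for each changed directory.
      # The directory list goes through env rather than ${{ }} interpolation
      # into the script, so a crafted path name in the PR cannot inject shell.
      - name: Validate and what-if
        env:
          DIRS: ${{ steps.changed.outputs.dirs }}
        run: |
          {
            echo '## Git-Ape plan'
            for d in $DIRS; do
              params=""
              if [ -f "$d/parameters.json" ]; then
                params="--parameters @$d/parameters.json"
              fi
              echo "### $d"
              # $params is deliberately unquoted so it expands to two words.
              az deployment sub validate --location "$DEPLOY_LOCATION" \
                --template-file "$d/template.json" $params --output none
              echo '~~~'
              az deployment sub what-if --location "$DEPLOY_LOCATION" \
                --template-file "$d/template.json" $params --no-pretty-print
              echo '~~~'
            done
          } > plan.md

      # Step 5: post the plan on the PR (gh is preinstalled on GitHub-hosted runners).
      - name: Comment plan on PR
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
        run: gh pr comment "$PR" --body-file plan.md
```

One check worth making before the first run: the subject claim GitHub puts in the token depends on the trigger. A `pull_request` run presents `repo:{org}/{repo}:pull_request`, and a job bound to an environment presents `repo:{org}/{repo}:environment:{name}`; the `ref:refs/heads/main` subject shown in the OIDC section only matches push runs on `main`. Each distinct subject needs its own federated credential on the App Registration, otherwise `azure/login` fails with an audience/subject mismatch rather than a missing-secret error.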
### git-ape-deploy.yml (Execution)

Triggers: Push to `main` with deployment changes OR `/deploy` comment on approved PR

- OIDC login
- Validate template
- Deploy (`az deployment sub create`)
- Run integration tests (list resources, test HTTP endpoints)
- Commit `state.json` with deployment result
- Post result as PR comment
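An added example of the deploy-on-merge path above, not Git-Ape's own `git-ape-deploy.yml`. It assumes a single fixed `DEPLOY_DIR` (the real workflow derives the directory from the diff), that the template exposes `resourceGroupName` and `endpointUrl` outputs, and the `state.json` field names written below; the `/deploy` comment trigger is left out.

```yaml
# Added example, not Git-Ape's git-ape-deploy.yml. Assumed: DEPLOY_DIR,
# DEPLOY_LOCATION, the template outputs resourceGroupName/endpointUrl,
# and the state.json schema written in the "Record state" step.
name: git-ape-deploy

on:
  push:
    branches: [main]
    paths:
      - '.azure/deployments/**/template.json'

permissions:
  id-token: write
  contents: write        # to commit state.json back to main
  pull-requests: write   # to report the result on the merged PR

# One deployment per branch at a time; queued runs wait rather than cancel,
# so a half-finished rollout is never interrupted.
concurrency:
  group: git-ape-deploy-${{ github.ref }}
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Binding the job to the protected environment applies its reviewer and
    # branch rules; the OIDC token then carries the subject
    # repo:{org}/{repo}:environment:azure-deploy, which the federated
    # credential must match.
    environment: azure-deploy
    env:
      DEPLOY_LOCATION: westeurope               # assumed
      DEPLOY_DIR: .azure/deployments/example    # assumed
    steps:
      - uses: actions/checkout@v4

      - name: Azure login (OIDC)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Validate template
        run: |
          az deployment sub validate --location "$DEPLOY_LOCATION" \
            --template-file "$DEPLOY_DIR/template.json" --output none

      - name: Deploy
        run: |
          # The deployment name ties the Azure deployment record to the commit.
          az deployment sub create --name "git-ape-${GITHUB_SHA::8}" \
            --location "$DEPLOY_LOCATION" \
            --template-file "$DEPLOY_DIR/template.json" \
            --output json > deploy-result.json
          echo "RG=$(jq -r '.properties.outputs.resourceGroupName.value' deploy-result.json)" >> "$GITHUB_ENV"
          echo "URL=$(jq -r '.properties.outputs.endpointUrl.value' deploy-result.json)" >> "$GITHUB_ENV"

      - name: Integration tests
        run: |
          az resource list --resource-group "$RG" --output table
          # -f turns an HTTP status >= 400 into a non-zero exit, failing the job.
          curl -fsS --max-time 30 "$URL" -o /dev/null

      - name: Record state
        run: |
          jq -n --arg rg "$RG" --arg sha "$GITHUB_SHA" --arg url "$URL" \
            '{resourceGroup: $rg, commit: $sha, endpoint: $url, status: "deployed",
              deployedAt: (now | todate)}' > "$DEPLOY_DIR/state.json"
          git config user.name  "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add "$DEPLOY_DIR/state.json"
          git commit -m "git-ape: record deployment ${GITHUB_SHA::8} [skip ci]"
          git push

      - name: Report on merged PR
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # Find the PR that introduced this commit, if any, and comment on it.
          pr=$(gh api "repos/$GITHUB_REPOSITORY/commits/$GITHUB_SHA/pulls" --jq '.[0].number')
          if [ -n "$pr" ]; then
            gh pr comment "$pr" --body "Deployed $GITHUB_SHA to resource group $RG"
          fi
```

Two things to be aware of with the state commit: a push made with `github.token` does not start new workflow runs, so the `[skip ci]` marker is belt and braces, and branch protection on `main` blocks that push unless the rule allows it or the workflow uses a GitHub App token or deploy key instead.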
### git-ape-destroy.yml (Teardown)

Triggers: Push to `main` where `metadata.json` status changed to `destroy-requested`

- Read `state.json` for resource group name
- Inventory all resources
- `az group delete` (synchronous, waits for completion)
- Update `state.json` and `metadata.json` → `destroyed`
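An added example of the teardown steps above, not Git-Ape's own `git-ape-destroy.yml`. It assumes `metadata.json` carries the status in a top-level `status` field and that `state.json` stores the resource group name under `resourceGroup`; it refuses to delete anything when that name is missing.

```yaml
# Added example, not Git-Ape's git-ape-destroy.yml. Assumed: metadata.json
# has a top-level "status", state.json has "resourceGroup", step names.
name: git-ape-destroy

on:
  push:
    branches: [main]
    paths:
      - '.azure/deployments/**/metadata.json'

permissions:
  id-token: write
  contents: write   # to record the destroyed status

concurrency:
  group: git-ape-destroy-${{ github.ref }}
  cancel-in-progress: false

jobs:
  destroy:
    runs-on: ubuntu-latest
    environment: azure-destroy   # required reviewers gate every deletion
    steps:
      - uses: actions/checkout@v4

      # The trigger fires on any metadata.json change; only directories whose
      # status is destroy-requested are acted on.
      - name: Find deployments marked destroy-requested
        id: find
        run: |
          dirs=""
          for f in .azure/deployments/*/metadata.json; do
            [ -f "$f" ] || continue   # unmatched glob
            if [ "$(jq -r '.status // empty' "$f")" = "destroy-requested" ]; then
              dirs="$dirs $(dirname "$f")"
            fi
          done
          echo "dirs=$dirs" >> "$GITHUB_OUTPUT"

      - name: Azure login (OIDC)
        if: steps.find.outputs.dirs != ''
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Inventory and delete
        if: steps.find.outputs.dirs != ''
        env:
          DIRS: ${{ steps.find.outputs.dirs }}
        run: |
          for d in $DIRS; do
            rg=$(jq -r '.resourceGroup // empty' "$d/state.json")
            # Never run a delete with an empty group name.
            if [ -z "$rg" ]; then
              echo "::error::$d/state.json has no resourceGroup; refusing to delete"
              exit 1
            fi
            echo "Resources in $rg before teardown:"
            az resource list --resource-group "$rg" --output table
            # Synchronous: without --no-wait the CLI blocks until deletion completes.
            az group delete --name "$rg" --yes
            ts=$(date -u +%FT%TZ)
            jq --arg t "$ts" '.status = "destroyed" | .destroyedAt = $t' \
              "$d/state.json" > tmp.json && mv tmp.json "$d/state.json"
            jq '.status = "destroyed"' "$d/metadata.json" > tmp.json && mv tmp.json "$d/metadata.json"
          done

      - name: Commit state
        if: steps.find.outputs.dirs != ''
        run: |
          git config user.name  "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add .azure/deployments
          git commit -m "git-ape: mark destroyed [skip ci]"
          git push
```

The inventory step is run before the delete on purpose: the job log then records exactly which resources existed when a reviewer approved the `azure-destroy` environment, which is the evidence you want if a teardown is questioned later.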
## Drift Detection

## GitHub Environment Setup

Create two protected environments:

| Environment | Purpose | Protection Rules |
|---|---|---|
| `azure-deploy` | Deployment target | Required reviewers (optional for prod), branches: `main` only |
| `azure-destroy` | Teardown target | Required reviewers (recommended), branches: `main` only |