The Deployment Pipeline That Pays for Itself
Manual deployments are a tax. Every manual step is a potential error, a context switch, and a reason deployments slow down as the team grows. CI/CD pipelines convert that tax into a fixed one-time investment.
This is the GitHub Actions pipeline we use for deploying Next.js + FastAPI applications to Azure App Service — with secrets managed via Azure Key Vault, environment configuration via GitHub Environments, and zero-downtime slot swaps.
The Overall Pipeline Structure
The key design decision: separate jobs for test, build, staging deploy, and production deploy. Each job declares the previous one under `needs:`, so a failed test run never reaches a deploy step, and the production job is bound to a GitHub Environment whose required reviewers are the manual approval gate. Splitting build from deploy also means the image that passed the tests is the one that ships; the deploy jobs only move it.
Authentication: OIDC Instead of Service Principal Secrets
The old pattern, creating a service principal and storing its JSON credentials as a GitHub secret, works, but the JSON contains a long-lived client secret: it has to be rotated, anyone who can read the repository secret holds it, and it is usually granted more than the pipeline needs. The modern pattern uses OpenID Connect (OIDC): the workflow asks GitHub for a short-lived ID token, Azure checks it against a federated credential on the app registration, and exchanges it for an access token. Nothing long-lived is stored in GitHub, and the federated credential is bound to one repository plus one environment or branch, so a workflow in any other repository or branch cannot use it.
Azure configuration (one-time setup):
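The one-time Azure side of that setup, as an added example rather than the post's own script. The names are assumptions: app registration gha-myapp-deploy, repository example-org/myapp, GitHub Environment production, resource group rg-myapp and registry acrmyapp. The federated credential is pinned to the production environment's subject claim, and the role assignments are scoped to the resource group and the registry, not the subscription.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumed names: app registration
# gha-myapp-deploy, repo example-org/myapp, environment production,
# resource group rg-myapp, registry acrmyapp.
set -eu

GITHUB_ISSUER="https://token.actions.githubusercontent.com"
GITHUB_AUDIENCE="api://AzureADTokenExchange"

# Subject claim GitHub puts in the OIDC token. Entra only exchanges tokens whose
# subject matches exactly, so this is what binds the credential to one repo and
# one environment/branch instead of to every workflow in the org.
fed_subject() {
  repo="$1"; kind="$2"; name="${3:-}"
  case "$kind" in
    environment)  printf 'repo:%s:environment:%s' "$repo" "$name" ;;
    branch)       printf 'repo:%s:ref:refs/heads/%s' "$repo" "$name" ;;
    tag)          printf 'repo:%s:ref:refs/tags/%s' "$repo" "$name" ;;
    pull_request) printf 'repo:%s:pull_request' "$repo" ;;
    *) echo "fed_subject: unknown kind '$kind'" >&2; return 1 ;;
  esac
}

# Role-assignment scope: the resource group holding the App Service, never the subscription.
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# JSON body for `az ad app federated-credential create`.
fed_cred_json() {
  printf '{"name":"%s","issuer":"%s","subject":"%s","audiences":["%s"]}' \
    "$1" "$GITHUB_ISSUER" "$2" "$GITHUB_AUDIENCE"
}

# One-time setup. Needs a logged-in az CLI allowed to create app registrations and
# role assignments. Nothing runs until this function is called.
setup_oidc() {
  app_display="$1"; repo="$2"; env_name="$3"; sub_id="$4"; rg="$5"; acr="$6"

  app_id=$(az ad app create --display-name "$app_display" --query appId -o tsv)
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)

  # No client secret is ever created: Entra trusts GitHub's issuer for this exact subject.
  az ad app federated-credential create --id "$app_id" \
    --parameters "$(fed_cred_json "github-$env_name" "$(fed_subject "$repo" environment "$env_name")")"

  # Least privilege: manage web apps in this RG, push to this registry, nothing else.
  az role assignment create --assignee-object-id "$sp_id" --assignee-principal-type ServicePrincipal \
    --role "Website Contributor" --scope "$(rg_scope "$sub_id" "$rg")"
  acr_id=$(az acr show -n "$acr" --query id -o tsv)
  az role assignment create --assignee-object-id "$sp_id" --assignee-principal-type ServicePrincipal \
    --role "AcrPush" --scope "$acr_id"

  # These go into GitHub as plain variables (AZURE_CLIENT_ID, AZURE_TENANT_ID,
  # AZURE_SUBSCRIPTION_ID); none of them is a secret.
  printf 'AZURE_CLIENT_ID=%s\nAZURE_TENANT_ID=%s\nAZURE_SUBSCRIPTION_ID=%s\n' \
    "$app_id" "$(az account show --query tenantId -o tsv)" "$sub_id"
}

# Usage (against a real subscription):
# setup_oidc gha-myapp-deploy example-org/myapp production \
#   "$(az account show --query id -o tsv)" rg-myapp acrmyapp
```

On the GitHub side the workflow needs `permissions: id-token: write` and the login step takes the three IDs printed at the end; the token GitHub mints for a job running under the production environment carries exactly the `repo:...:environment:production` subject, so a job without that environment, or from a fork, is refused by Entra before any role is consulted.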
Building and Pushing to Azure Container Registry
The cache settings (the GitHub Actions cache backend, `type=gha`) enable layer caching between runs: Docker build times drop from 3–4 minutes to 30–45 seconds on a warm cache. The faster figure assumes the cache key hits; the first build after a base-image change, a dependency-lockfile change, or cache eviction pays the full build again.
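An added example of the build-and-push step expressed as a shell function, not the post's own workflow step. It assumes the registry acrmyapp.azurecr.io and the repository myapp, and it is meant to run inside the Actions job after the OIDC login (the gha cache backend only works on an Actions runner). Beyond what the post shows, it tags the image with the full commit SHA and returns a digest reference for the deploy step, so a later push to the same tag cannot change what production runs.

```shell
#!/bin/sh
# Added example, not the post's own workflow step. Assumed names: registry
# acrmyapp.azurecr.io, repository myapp. Runs inside the Actions job after azure/login.
set -eu

# Immutable tag: the full commit SHA, never "latest" or a branch name, so the image
# that went through the test job is the one that is deployed.
image_tag() {
  registry="$1"; repo="$2"; sha="$3"
  [ "${#sha}" -eq 40 ] || { echo "image_tag: expected a 40-char full SHA, got '${sha}'" >&2; return 1; }
  case "$sha" in
    *[!0-9a-f]*) echo "image_tag: expected a lowercase hex commit SHA" >&2; return 1 ;;
  esac
  printf '%s/%s:%s' "$registry" "$repo" "$sha"
}

# Reference by digest for the deploy step: a tag can be re-pointed, a digest cannot.
image_by_digest() {
  registry="$1"; repo="$2"; digest="$3"
  hex="${digest#sha256:}"
  if [ "$hex" = "$digest" ] || [ "${#hex}" -ne 64 ]; then
    echo "image_by_digest: malformed digest '$digest'" >&2; return 1
  fi
  case "$hex" in
    *[!0-9a-f]*) echo "image_by_digest: malformed digest '$digest'" >&2; return 1 ;;
  esac
  printf '%s/%s@%s' "$registry" "$repo" "$digest"
}

# Build once, push, and record the digest. `--cache-to mode=max` stores every layer,
# including intermediate stages of a multi-stage Dockerfile, so the Next.js and Python
# dependency layers are reused when only application code changed.
build_and_push() {
  registry="$1"; repo="$2"; sha="$3"; context="${4:-.}"
  tag=$(image_tag "$registry" "$repo" "$sha")
  az acr login --name "${registry%%.*}"
  docker buildx build "$context" \
    --tag "$tag" \
    --push \
    --cache-from type=gha \
    --cache-to type=gha,mode=max \
    --metadata-file buildx-metadata.json
  # buildx records the pushed manifest digest under "containerimage.digest".
  digest=$(sed -n 's/.*"containerimage.digest": *"\([^"]*\)".*/\1/p' buildx-metadata.json)
  image_by_digest "$registry" "$repo" "$digest"
}

# Usage inside the workflow step (GITHUB_SHA and GITHUB_OUTPUT are set by Actions):
# IMAGE=$(build_and_push acrmyapp.azurecr.io myapp "$GITHUB_SHA") && echo "image=$IMAGE" >> "$GITHUB_OUTPUT"
```

Passing the digest reference as a job output is what lets the deploy jobs consume the exact artifact the build job produced without trusting the registry's tag to still point at it.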
Zero-Downtime Deployment with Slot Swaps
Azure App Service deployment slots let you deploy to a staging slot, warm it up, then swap it into production. The swap is atomic from the client's point of view: traffic is routed to instances that are already running, so users never hit a cold container, and the previous build stays in the staging slot, which is what makes rollback a second swap. Settings marked as deployment slot settings (sticky settings) stay with their slot; everything else moves with the app:
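The deploy-warm-up-swap sequence as a shell function, an added example rather than the post's own workflow step. It assumes resource group rg-myapp, web app app-myapp, a slot named staging, a health endpoint at /healthz, and a recent az CLI (older releases spell the image flag `--docker-custom-image-name`). The point it adds is the warm-up check: the swap only happens once the slot has returned a 200, never on the 503 App Service serves while the container is still starting.

```shell
#!/bin/sh
# Added example, not the post's own workflow step. Assumed names: resource group rg-myapp,
# web app app-myapp, slot "staging", health endpoint /healthz. Runs after azure/login
# and after the image has been pushed.
set -eu

# Only a 200 from the health endpoint counts as warm. A 503 is what App Service returns
# while the container is still starting; swapping on it puts a cold app in production.
warmup_ok() {
  [ "$1" = "200" ]
}

# Poll until the slot answers 200 or the attempt budget is spent.
warm_up() {
  url="$1"; attempts="${2:-24}"; delay="${3:-5}"; i=0; status=000
  while [ "$i" -lt "$attempts" ]; do
    status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$url" || echo 000)
    if warmup_ok "$status"; then return 0; fi
    i=$((i + 1)); sleep "$delay"
  done
  echo "warm_up: $url never returned 200 (last status $status)" >&2
  return 1
}

# Point the staging slot at the new image (by digest), wait for it to be healthy, then swap.
# The swap exchanges the two slots and routes traffic to the new one; settings marked as
# slot settings (sticky) stay with their slot.
deploy_and_swap() {
  rg="$1"; app="$2"; slot="$3"; image="$4"
  az webapp config container set -g "$rg" -n "$app" -s "$slot" --container-image-name "$image"
  az webapp restart -g "$rg" -n "$app" -s "$slot"
  host=$(az webapp show -g "$rg" -n "$app" -s "$slot" --query defaultHostName -o tsv)
  warm_up "https://$host/healthz"
  az webapp deployment slot swap -g "$rg" -n "$app" --slot "$slot" --target-slot production
}

# Rollback is the same swap in reverse: after a swap the staging slot holds the previous build.
rollback() {
  rg="$1"; app="$2"; slot="$3"
  az webapp deployment slot swap -g "$rg" -n "$app" --slot "$slot" --target-slot production
}

# Usage:
# deploy_and_swap rg-myapp app-myapp staging "acrmyapp.azurecr.io/myapp@sha256:..."
# rollback rg-myapp app-myapp staging
```

If warm_up fails, the function exits non-zero before the swap line runs, so a broken build stays in the staging slot and production is untouched; that failure, not a swap-and-hope, is what the pipeline should report.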
Environment Variables and Secrets Strategy
Never put secrets in YAML files. The hierarchy:
Non-sensitive configuration → App Service Application Settings:
Secrets → Azure Key Vault references:
Key Vault references without a pinned SecretVersion follow the latest version of the secret: App Service re-resolves them on restart and periodically (within a day) while running, so rotating a value in Key Vault needs no pipeline change. Two caveats: the app's managed identity must be allowed to read the secret (the Key Vault Secrets User role, or a get access policy on a vault still using policies), and if resolution fails the setting holds the literal @Microsoft.KeyVault(...) string rather than the secret, so the application should refuse to start when it sees that prefix instead of treating it as a connection string.
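Building and wiring a Key Vault reference, as an added example that is not the post's own script. It assumes resource group rg-myapp, web app app-myapp, an RBAC-enabled vault kv-myapp and a secret named database-url, and it wires the staging slot separately because each slot has its own managed identity. The is_unresolved_ref check is the startup guard described above.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumed names: resource group rg-myapp,
# web app app-myapp, vault kv-myapp (RBAC permission model), secret database-url.
set -eu

# The reference string App Service resolves at startup. Omitting SecretVersion is what
# makes rotation hands-off: the app follows the latest version.
kv_ref() {
  vault="$1"; secret="$2"; version="${3:-}"
  if [ -n "$version" ]; then
    printf '@Microsoft.KeyVault(VaultName=%s;SecretName=%s;SecretVersion=%s)' "$vault" "$secret" "$version"
  else
    printf '@Microsoft.KeyVault(VaultName=%s;SecretName=%s)' "$vault" "$secret"
  fi
}

# When App Service cannot resolve a reference (no identity, missing role, vault firewall),
# the app sees the literal reference string. Startup code should treat that as a fatal
# misconfiguration, not as a connection string.
is_unresolved_ref() {
  case "$1" in
    "@Microsoft.KeyVault("*) return 0 ;;
    *) return 1 ;;
  esac
}

# One-time wiring: give the app (or slot) a managed identity, let it read secrets,
# and store the reference as an app setting. No secret value passes through this script.
wire_kv_reference() {
  rg="$1"; app="$2"; vault="$3"; secret="$4"; setting="$5"; slot="${6:-}"
  slot_arg=""
  if [ -n "$slot" ]; then slot_arg="--slot $slot"; fi
  # shellcheck disable=SC2086  # slot_arg is intentionally split into two words
  principal=$(az webapp identity assign -g "$rg" -n "$app" $slot_arg --query principalId -o tsv)
  vault_id=$(az keyvault show -n "$vault" --query id -o tsv)
  # Read-only on secrets: "Key Vault Secrets User" grants get/list, not set or delete.
  az role assignment create --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$vault_id"
  az webapp config appsettings set -g "$rg" -n "$app" $slot_arg \
    --settings "$setting=$(kv_ref "$vault" "$secret")"
}

# Usage:
# wire_kv_reference rg-myapp app-myapp kv-myapp database-url DATABASE_URL
# wire_kv_reference rg-myapp app-myapp kv-myapp database-url DATABASE_URL staging
```

In the application itself the equivalent of is_unresolved_ref belongs next to the settings loader: a DATABASE_URL that starts with @Microsoft.KeyVault( means the slot's identity could not reach the vault, and failing the health check there keeps the warm-up step from ever swapping that slot into production.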
The Complete Picture
From to production-ready container: 4–6 minutes. From manual approval to live traffic: 2 minutes. Rollback (swap back): 90 seconds.