| title | intro | permissions | versions | type | topics | redirect_from | shortTitle |
|---|---|---|---|---|---|---|---|
| Enabling GitHub Actions with Azure Blob storage | You can enable {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_server %} and use Azure Blob storage to store data generated by workflow runs. | Site administrators can enable {% data variables.product.prodname_actions %} and configure enterprise settings. | | how_to | | | Azure Blob storage |
{% data reusables.actions.enterprise-storage-about %}
{% data reusables.actions.enterprise-storage-about-oidc %}
Prerequisites
Before enabling {% data variables.product.prodname_actions %}, make sure you have completed the following steps:
- Create your Azure storage account for storing workflow data. {% data variables.product.prodname_actions %} stores its data as block blobs, and two storage account types are supported:
  - A general-purpose storage account (also known as general-purpose v1 or general-purpose v2) using the standard performance tier.
    Warning: Using the premium performance tier with a general-purpose storage account is not supported. The standard performance tier must be selected when creating the storage account, and it cannot be changed later.
  - A BlockBlobStorage storage account, which uses the premium performance tier.
  For more information on Azure storage account types and performance tiers, see the Azure documentation.
{% data reusables.actions.enterprise-common-prereqs %}
{% data reusables.actions.enterprise-oidc-prereqs %}
Enabling {% data variables.product.prodname_actions %} with Azure Blob storage using OIDC (recommended)
To configure {% data variables.product.prodname_ghe_server %} to use OIDC with an Azure storage account, you must first register a Microsoft Entra ID (previously known as Azure AD) application with OIDC credentials, then configure your storage account, and finally configure {% data variables.product.prodname_ghe_server %} to access the storage container using the Entra ID.
1. Register an Entra ID application
- Log in to the Microsoft Entra admin center.
- Register a new application in Entra ID. For more information, see Quickstart: Register an application with the Microsoft identity platform on Microsoft Learn.
- In your Entra ID application, under "Essentials", take note of the values for "Application (client) ID" and "Directory (tenant) ID". These values are used later.
- In your Entra ID application, under "Manage", click Certificates & secrets, select the Federated credentials tab, then click Add credential.
- Enter the following details for the credential:
  - For "Federated credential scenario", select Other issuer.
  - For "Issuer", enter https://HOSTNAME/_services/token, where HOSTNAME is the public hostname for {% data variables.location.product_location_enterprise %}. For example, https://my-ghes-host.example.com/_services/token.
  - For "Subject identifier", enter the public hostname for {% data variables.location.product_location_enterprise %}. For example, my-ghes-host.example.com.
    Note: The subject identifier must only have the hostname of {% data variables.location.product_location_enterprise %}, and must not include the protocol.
  - For "Name", enter a name for the credential.
  - Click Add.
2. Configure your storage account
- In the Microsoft Azure portal, navigate to your storage account.
- Click Access Control (IAM), then click Add, and select Add role assignment.
- For the role, select "Storage Blob Data Owner", then click Next.
- For members, click Select members, and then search for and select the name of the Entra ID application you created earlier. Click Select.
- Click Review + assign, review the role assignment, then click Review + assign again.
- In the left menu, under "Settings", click Endpoints.
- Under "Blob service", take note of the value for "Blob service", specifically the blob endpoint suffix. This is the value after https://<storageaccountname>.blob. It is typically core.windows.net, but might vary depending on your Azure region or account type.
  For example, if your blob service URL is https://my-storage-account.blob.core.windows.net, the blob endpoint suffix is core.windows.net.
  Note your storage account name and blob endpoint suffix, as these values are used later.
3. Configuring {% data variables.product.prodname_ghe_server %} to connect to Entra ID using OIDC
{% data reusables.enterprise_site_admin_settings.access-settings %} {% data reusables.enterprise_site_admin_settings.management-console %} {% data reusables.enterprise_management_console.actions %} {% data reusables.actions.enterprise-enable-checkbox %} {% data reusables.actions.enterprise-azure-storage-setup %}
- Under "Authentication", select OpenID Connect (OIDC), and enter the values for your storage that you noted down in the previous procedures:
  - Entra ID tenant ID
  - Entra ID client ID
  - Azure storage account name
  - Azure blob endpoint suffix
{% data reusables.enterprise_management_console.test-storage-button %}
{% data reusables.enterprise_management_console.save-settings %}
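The issuer, subject identifier, storage account name and blob endpoint suffix from the three procedures above are easy to mistype, so the following added example (not part of the original documentation or of {% data variables.product.prodname_ghe_server %}) derives them from the instance hostname and the blob service URL and flags the mistakes the procedure warns about. The function names `oidc_settings` and `check_federated_credential` are hypothetical, and the sample hostnames are the ones used in the examples above.

```python
from urllib.parse import urlsplit


def oidc_settings(ghes_hostname: str, blob_service_url: str) -> dict:
    """Derive the values the OIDC procedure asks for from two inputs."""
    host = ghes_hostname.strip()
    # The subject identifier is the bare hostname: no protocol, path or port.
    if not host or "://" in host or "/" in host or ":" in host:
        raise ValueError(f"expected a bare hostname, got {ghes_hostname!r}")

    url = urlsplit(blob_service_url.strip())
    if url.scheme != "https" or not url.hostname:
        raise ValueError("blob service URL must be an https:// URL")
    # The suffix is everything after https://<storageaccountname>.blob.
    account, sep, suffix = url.hostname.partition(".blob.")
    if not (account and sep and suffix):
        raise ValueError("expected https://<storageaccountname>.blob.<suffix>")

    return {
        "issuer": f"https://{host}/_services/token",
        "subject": host,
        "storage_account_name": account,
        "blob_endpoint_suffix": suffix,
    }


def check_federated_credential(issuer: str, subject: str) -> list[str]:
    """Return the problems found in an issuer/subject pair entered in Entra ID."""
    problems = []
    parsed = urlsplit(issuer)
    if parsed.scheme != "https":
        problems.append("issuer must start with https://")
    if parsed.path != "/_services/token":
        problems.append("issuer path must be /_services/token")
    if "://" in subject or "/" in subject:
        problems.append("subject must not include the protocol or a path")
    elif parsed.hostname and subject.lower() != parsed.hostname:
        problems.append("subject does not match the issuer hostname")
    return problems


if __name__ == "__main__":
    # Constructed sample input, taken from the examples in the procedure.
    settings = oidc_settings("my-ghes-host.example.com",
                             "https://my-storage-account.blob.core.windows.net")
    for key, value in settings.items():
        print(f"{key}: {value}")
    print(check_federated_credential(settings["issuer"], settings["subject"]))
```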
Enabling {% data variables.product.prodname_actions %} with Azure Blob storage using a connection string
{% data reusables.enterprise_site_admin_settings.access-settings %} {% data reusables.enterprise_site_admin_settings.management-console %} {% data reusables.enterprise_management_console.actions %} {% data reusables.actions.enterprise-enable-checkbox %} {% data reusables.actions.enterprise-azure-storage-setup %}
- Under "Authentication", select Credentials-based, and enter your Azure storage account's connection string. For more information on getting the connection string for your storage account, see the Azure documentation.
{% data reusables.enterprise_management_console.test-storage-button %}
{% data reusables.enterprise_management_console.save-settings %}
{% data reusables.actions.enterprise-postinstall-nextsteps %}

