Commit ecbdf2b

deploy: use RBAC instead of publish profile
Apparently the `publish-profile` deployments are no longer working as expected for recently-created Azure Functions. That is, the existing `gfw-helper-github-app` Function still works, obviously, but when I registered a new Function as described in the `README.md` and tried to deploy it the same way as `gfw-helper-github-app`, it failed thusly:

    ▶ Run Azure/functions-action@v1
    Successfully parsed SCM credential from publish-profile format.
    Using SCM credential for authentication, GitHub Action will not perform resource validation.
    (node:1549) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
    (Use `node --trace-deprecation ...` to show where the warning was created)
    Error: Execution Exception (state: ValidateAzureResource) (step: Invocation)
    Error: When request Azure resource at ValidateAzureResource, Get Function App Settings : Failed to acquire app settings from https://<scmsite>/api/settings with publish-profile
    Error: Failed to fetch Kudu App Settings.
    Unauthorized (CODE: 401)
    Error: Error: Failed to fetch Kudu App Settings.
    Unauthorized (CODE: 401)
        at Kudu.<anonymous> (/home/runner/work/_actions/Azure/functions-action/v1/lib/appservice-rest/Kudu/azure-app-kudu-service.js:69:23)
        at Generator.next (<anonymous>)
        at fulfilled (/home/runner/work/_actions/Azure/functions-action/v1/lib/appservice-rest/Kudu/azure-app-kudu-service.js:5:58)
        at processTicksAndRejections (node:internal/process/task_queues:96:5)
    Error: Deployment Failed!

My guess is that finally the reality of publish profiles being highly insecure has caught up with new Azure Function registrations, and it is now required to use the much more secure method of using Role-Based Access Control. At least in my tests, this works, so let's use it.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
1 parent ef60df8 commit ecbdf2b
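The commit replaces a publish profile with a service principal whose role assignment is meant to cover exactly one Function App. The script below is an added example, not part of this commit or of the project; it audits the JSON that `az role assignment list --assignee <appId> --all -o json` prints for a deployment principal and flags any assignment that is broader than a single `Microsoft.Web/sites` resource, on a different site, or in a role that can delegate access. The subscription id, resource group, app name and the second, too-broad assignment in the sample are constructed.

```python
"""Least-privilege check for an Azure deployment service principal.

Added example (not from the commit). Input is the JSON printed by
`az role assignment list --assignee <appId> --all -o json`; only the
`roleDefinitionName` and `scope` fields are used.
"""
import json
import re

# Scope shape that the README's `az ad sp create-for-rbac --scopes ...` targets:
# exactly one Function App (a Microsoft.Web/sites resource).
SITE_SCOPE_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Web/sites/[^/]+$",
    re.IGNORECASE,
)

# Roles that let the holder hand out further access; a deploy principal never needs them.
PRIVILEGED_ROLES = {"owner", "user access administrator",
                    "role based access control administrator"}


def classify_scope(scope: str) -> str:
    """Name the level of an ARM scope string: management-group, subscription,
    resource-group, site (one Function App) or other (any other resource)."""
    if SITE_SCOPE_RE.match(scope):
        return "site"
    parts = [p for p in scope.split("/") if p]
    low = [p.lower() for p in parts]
    if low[:2] == ["providers", "microsoft.management"]:
        return "management-group"
    if len(parts) == 2 and low[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and low[0] == "subscriptions" and low[2] == "resourcegroups":
        return "resource-group"
    return "other"


def audit_assignments(assignments: list, expected_scope: str) -> list:
    """Return one finding per assignment that exceeds what a principal needs
    in order to deploy the single site `expected_scope`."""
    findings = []
    for a in assignments:
        scope = a.get("scope", "")
        role = a.get("roleDefinitionName", "<unknown role>")
        kind = classify_scope(scope)
        if kind != "site":
            findings.append(f"{role} is granted at {kind} scope ({scope}); expected a single site")
        elif scope.lower() != expected_scope.lower():
            findings.append(f"{role} is granted on another site ({scope})")
        elif role.lower() in PRIVILEGED_ROLES:
            findings.append(f"{role} on {scope} can delegate access; Contributor is enough to deploy")
    return findings


def audit_json(raw: str, expected_scope: str) -> list:
    """Parse the CLI output and audit it."""
    return audit_assignments(json.loads(raw), expected_scope)


# Constructed sample (placeholder subscription id, resource group and app name).
# The first assignment is what the README's command produces; the second is a
# resource-group-wide grant someone added by hand and should be flagged.
SAMPLE_EXPECTED_SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                         "/resourceGroups/example-rg/providers/Microsoft.Web/sites/example-func")
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"roleDefinitionName": "Contributor", "scope": SAMPLE_EXPECTED_SCOPE},
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"},
])


if __name__ == "__main__":
    for finding in audit_json(SAMPLE_ASSIGNMENTS_JSON, SAMPLE_EXPECTED_SCOPE):
        print("FINDING:", finding)
```

Run it against real output by piping `az role assignment list --assignee <appId> --all -o json` into `audit_json`; an empty result means the principal holds nothing beyond the one site-scoped deployment role.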

2 files changed

+15
-4
lines changed

.github/workflows/deploy.yml

Lines changed: 4 additions & 1 deletion
@@ -15,8 +15,11 @@ jobs:
1515
runs-on: ubuntu-latest
1616
steps:
1717
- uses: actions/checkout@v6
18+
- name: 'Login via Azure CLI'
19+
uses: azure/login@v1
20+
with:
21+
creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }}
1822
- uses: Azure/functions-action@v1
1923
with:
2024
app-name: ${{ secrets.AZURE_FUNCTION_NAME || 'GitForWindowsHelper' }}
21-
publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }}
2225
respect-funcignore: true
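Review bot: the `creds` value on the new `with:` lines is the JSON from `az ad sp create-for-rbac --sdk-auth`, which carries a client secret, so the workflow now rests on a long-lived secret that expires and has to be rotated; `azure/login` also supports OIDC federated credentials (`client-id`, `tenant-id`, `subscription-id` with the `id-token: write` job permission), which would let the workflow log in without storing any secret. Minor: the checkout step is pinned to `actions/checkout@v6` while the login step uses the older `azure/login@v1` major; consider moving both to a current major or a commit SHA.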

README.md

Lines changed: 11 additions & 3 deletions
@@ -111,9 +111,17 @@ This process looks a bit complex, but the main reason for that is that three thi
111111

112112
First of all, a new [Azure Function](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites/kind/functionapp) was created. A Linux one was preferred, for cost and performance reasons. Deployment with GitHub was _not_ yet configured.
113113

114-
#### Getting the "publish profile"
114+
#### Obtaining the Azure credentials
115115

116-
After the deployment succeeded, in the "Overview" tab, there is a "Get publish profile" link on the right panel at the center top. Clicking it will automatically download a `.json` file whose contents will be needed later.
116+
The idea is to use [Role-Based Access Control (RBAC)](https://github.com/Azure/functions-action?tab=readme-ov-file#using-azure-service-principal-for-rbac-as-deployment-credential) to log into Azure in the deploy workflow. Essentially, after the deployment succeeded, in an Azure CLI (for example [the one that is very neatly embedded in the Azure Portal](https://learn.microsoft.com/en-us/azure/cloud-shell/get-started/classic)), run this (after replacing the placeholders `{subscription-id}`, `{resource-group}` and `{app-name}`):
117+
118+
```shell
119+
az ad sp create-for-rbac --name "myApp" --role contributor \
120+
--scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Web/sites/{app-name} \
121+
--sdk-auth
122+
```
123+
124+
The result is called an "Azure Service Principal" in Azure Speak; Essentially it is a tightly-scoped credential that allows deploying this particular Azure Function and that's it. This Azure Service Principal will be the value of the `AZURE_RBAC_CREDENTIALS` Actions secret, more on that below.
117125

118126
#### Some environment variables
119127

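Review bot: `--sdk-auth` on the `az ad sp create-for-rbac` line is marked deprecated by the Azure CLI (it still works but prints a deprecation warning), and its output contains a `clientSecret`; the README should state that this output is to be pasted only into the Actions secret and not kept in a file or the shell history. `--name "myApp"` is a fourth placeholder worth listing next to `{subscription-id}`, `{resource-group}` and `{app-name}`, so readers name the service principal after the Function. Style: 'in Azure Speak; Essentially it is' reads better as 'in Azure speak; essentially, it is'.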
@@ -125,7 +133,7 @@ Concretely, the environment variables `GITHUB_WEBHOOK_SECRET`, `GITHUB_APP_PRIVA
125133

126134
On https://github.com/, the `+` link on the top was pressed, and an empty, private repository was registered. Nothing was pushed to it yet.
127135

128-
After that, the contents of the publish profile that [was downloaded earlier](#getting-the-publish-profile) was registered as Actions secret, under the name `AZURE_FUNCTIONAPP_PUBLISH_PROFILE`.
136+
After that, the Azure Service Principal needs to be registered as Actions secret, under the name `AZURE_RBAC_CREDENTIALS`.
129137

130138
This repository was initialized locally only after that, actually, by starting to write this `README.md` and then developing this working toy GitHub App, and the `origin` remote was set to the newly registered repository on GitHub.
131139
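Review bot: the replacement sentence switches from the narrative past tense used around it ('was pressed', 'was registered') to 'needs to be registered', and 'as Actions secret' wants an article. Suggest: 'After that, the whole JSON output of the `az ad sp create-for-rbac` command above was registered as an Actions secret, under the name `AZURE_RBAC_CREDENTIALS`.' so readers know the entire document, not a single field, is the secret value. Dropping the `#getting-the-publish-profile` link is right, since that heading no longer exists.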
