# Deploying to Cloud Services with GitHub Actions

GitHub Actions can deploy to a wide range of cloud platforms. This section shows how to deploy to the major providers: AWS, Azure and GCP.

## AWS deployment

### Configuring AWS credentials

These are long-lived access keys stored as repository secrets; the OIDC approach in the next subsection avoids storing any key at all.

```yaml
- uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-east-1
```

### Using OIDC (recommended)

With OIDC the workflow exchanges a short-lived, GitHub-issued identity token for temporary AWS credentials, so no access key has to be stored as a secret. The job needs the `id-token: write` permission, and the IAM role's trust policy must trust the GitHub OIDC provider.

```yaml
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/myRole
          aws-region: us-east-1
```
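The `role-to-assume` step above is only as safe as the role's trust policy on the AWS side: the policy must trust the GitHub OIDC provider, pin the token audience to `sts.amazonaws.com`, and restrict the `sub` claim to one repository (and ideally one branch or environment); without a `sub` condition, a workflow in any GitHub repository can assume the role. The following audit script is an added example, not code from the original page or from AWS; the three sample policies are constructed here (the account id and role name reuse the page's example ARN, the `my-org/my-repo` repository is made up) and the check mirrors what a reviewer looks for in such a policy.

```python
"""Audit an IAM role trust policy intended for GitHub Actions OIDC.

Added example, not from the original page. Each Allow statement that
grants sts:AssumeRoleWithWebIdentity is checked for: the GitHub OIDC
provider as principal, the audience pinned to sts.amazonaws.com, and a
`sub` condition that names exactly one owner/repo without wildcards.
"""

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "sts.amazonaws.com"


def _as_list(value):
    """IAM accepts scalar-or-list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def sub_is_pinned(sub_pattern: str) -> bool:
    """True when the sub pattern names exactly one owner/repo with no wildcard.

    A GitHub sub claim looks like repo:OWNER/REPO:ref:refs/heads/main or
    repo:OWNER/REPO:environment:production; only the owner/repo part is
    inspected here, so a branch or environment wildcard after it is allowed.
    """
    if not sub_pattern.startswith("repo:"):
        return False
    owner_repo = sub_pattern[len("repo:"):].split(":", 1)[0]
    return "/" in owner_repo and not any(c in owner_repo for c in "*?")


def audit_trust_policy(policy: dict) -> list:
    """Return findings for the policy; an empty list means every check passed."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue

        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated") if isinstance(principal, dict) else None)
        if not any(p.endswith(f"oidc-provider/{GITHUB_OIDC_ISSUER}") for p in federated):
            findings.append(f"statement {i}: Principal.Federated is not the GitHub OIDC provider")

        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        if _as_list(equals.get(f"{GITHUB_OIDC_ISSUER}:aud")) != [EXPECTED_AUDIENCE]:
            findings.append(f"statement {i}: aud is not pinned to {EXPECTED_AUDIENCE}")

        # sub may be constrained with StringEquals (exact) or StringLike (glob)
        subs = _as_list(equals.get(f"{GITHUB_OIDC_ISSUER}:sub")) + \
            _as_list(like.get(f"{GITHUB_OIDC_ISSUER}:sub"))
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub repository can assume this role")
        for s in subs:
            if not sub_is_pinned(s):
                findings.append(f"statement {i}: sub pattern too broad: {s}")
    return findings


# Constructed sample policies. Provider ARN reuses the page's example account id.
_PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_ISSUER}"


def _policy(condition: dict) -> dict:
    """Build a single-statement trust policy with the given Condition block."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": _PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


_AUD = {f"{GITHUB_OIDC_ISSUER}:aud": EXPECTED_AUDIENCE}
# Audience pinned but no sub condition: every GitHub repository is trusted.
WEAK_POLICY = _policy({"StringEquals": dict(_AUD)})
# Wildcard over a whole organisation: any repo in my-org is trusted.
BROAD_POLICY = _policy({"StringEquals": dict(_AUD),
                        "StringLike": {f"{GITHUB_OIDC_ISSUER}:sub": "repo:my-org/*:*"}})
# One repository, one branch: what the page's role-to-assume should sit behind.
PINNED_POLICY = _policy({"StringEquals": {**_AUD,
                        f"{GITHUB_OIDC_ISSUER}:sub": "repo:my-org/my-repo:ref:refs/heads/main"}})

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("broad", BROAD_POLICY), ("pinned", PINNED_POLICY)):
        print(name, audit_trust_policy(policy) or ["ok"])
```

Run it against the JSON that `aws iam get-role` returns for the deployment role (the `AssumeRolePolicyDocument` field) to confirm the role cannot be assumed from outside the intended repository.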

### Deploying to S3

```yaml
- uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-east-1

- name: Sync to S3
  run: |
    # --delete removes objects from the bucket that no longer exist in ./dist
    aws s3 sync ./dist s3://my-bucket --delete
```

### Deploying to EC2

```yaml
- name: Deploy to EC2
  uses: appleboy/ssh-action@v1
  with:
    host: ${{ secrets.EC2_HOST }}
    username: ${{ secrets.EC2_USER }}
    key: ${{ secrets.SSH_KEY }}
    # runs on the instance over SSH: pull, build and restart the app
    script: |
      cd /app
      git pull
      npm install
      npm run build
      pm2 restart all
```

### Deploying to ECS

```yaml
- uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-east-1

- uses: aws-actions/amazon-ecs-deploy-task-definition@v1
  with:
    task-definition: task-definition.json
    service: my-service
    cluster: my-cluster
```

### Deploying to Lambda

```yaml
# assumes an earlier configure-aws-credentials step in the same job
- name: Deploy to Lambda
  run: |
    zip -r function.zip .
    aws lambda update-function-code \
      --function-name my-function \
      --zip-file fileb://function.zip
```

### Deploying to EKS

```yaml
- uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-east-1

- name: Update kubeconfig
  run: aws eks update-kubeconfig --name my-cluster

- name: Deploy to EKS
  run: kubectl apply -f kubernetes/
```

## Azure deployment

### Configuring Azure credentials

```yaml
- uses: azure/login@v1
  with:
    creds: ${{ secrets.AZURE_CREDENTIALS }}
```

### Creating a service principal

Store the JSON this command prints as the `AZURE_CREDENTIALS` secret.

```bash
az ad sp create-for-rbac \
  --name "myApp" \
  --role contributor \
  --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
  --sdk-auth
```

### Deploying to Azure Web App

```yaml
- uses: azure/login@v1
  with:
    creds: ${{ secrets.AZURE_CREDENTIALS }}

- uses: azure/webapps-deploy@v2
  with:
    app-name: my-app
    package: ./dist
```

### Deploying to Azure Container Apps

```yaml
- uses: azure/login@v1
  with:
    creds: ${{ secrets.AZURE_CREDENTIALS }}

# this action's inputs are camelCase (containerAppName, resourceGroup, imageToDeploy)
- uses: azure/container-apps-deploy-action@v1
  with:
    containerAppName: my-app
    resourceGroup: my-rg
    imageToDeploy: myregistry.azurecr.io/myapp:latest
```

### Deploying to Azure Functions

```yaml
- uses: azure/login@v1
  with:
    creds: ${{ secrets.AZURE_CREDENTIALS }}

- uses: Azure/functions-action@v1
  with:
    app-name: my-function
    package: ./dist
```

### Deploying to AKS

```yaml
- uses: azure/login@v1
  with:
    creds: ${{ secrets.AZURE_CREDENTIALS }}

- uses: azure/aks-set-context@v3
  with:
    resource-group: my-rg
    cluster-name: my-cluster

- uses: azure/k8s-deploy@v4
  with:
    namespace: default
    manifests: kubernetes/
    images: myregistry.azurecr.io/myapp:latest
```

## Google Cloud deployment

### Configuring GCP credentials

`setup-gcloud` v2 no longer accepts a service account key directly; authenticate first with `google-github-actions/auth`, which also supports Workload Identity Federation (the GCP counterpart of the AWS OIDC flow).

```yaml
# authenticate first; setup-gcloud v2 has no service_account_key input
- uses: google-github-actions/auth@v2
  with:
    credentials_json: ${{ secrets.GCP_SA_KEY }}

- uses: google-github-actions/setup-gcloud@v2
  with:
    project_id: ${{ secrets.GCP_PROJECT_ID }}
```

### Deploying to Cloud Run

```yaml
- uses: google-github-actions/auth@v2
  with:
    credentials_json: ${{ secrets.GCP_SA_KEY }}

- uses: google-github-actions/setup-gcloud@v2
  with:
    project_id: ${{ secrets.GCP_PROJECT_ID }}

- name: Deploy to Cloud Run
  run: |
    # --allow-unauthenticated makes the service publicly reachable; omit it for internal services
    gcloud run deploy myapp \
      --image gcr.io/${{ secrets.GCP_PROJECT_ID }}/myapp:latest \
      --platform managed \
      --region us-central1 \
      --allow-unauthenticated
```

### Deploying to GKE

```yaml
- uses: google-github-actions/auth@v2
  with:
    credentials_json: ${{ secrets.GCP_SA_KEY }}

- uses: google-github-actions/setup-gcloud@v2
  with:
    project_id: ${{ secrets.GCP_PROJECT_ID }}

- uses: google-github-actions/get-gke-credentials@v2
  with:
    cluster_name: my-cluster
    location: us-central1

- name: Deploy to GKE
  run: kubectl apply -f kubernetes/
```

### Deploying to App Engine

```yaml
- uses: google-github-actions/auth@v2
  with:
    credentials_json: ${{ secrets.GCP_SA_KEY }}

- uses: google-github-actions/setup-gcloud@v2
  with:
    project_id: ${{ secrets.GCP_PROJECT_ID }}

- name: Deploy to App Engine
  run: gcloud app deploy
```

### Deploying to Cloud Functions

```yaml
- uses: google-github-actions/auth@v2
  with:
    credentials_json: ${{ secrets.GCP_SA_KEY }}

- uses: google-github-actions/setup-gcloud@v2
  with:
    project_id: ${{ secrets.GCP_PROJECT_ID }}

- name: Deploy to Cloud Functions
  run: |
    gcloud functions deploy my-function \
      --runtime nodejs20 \
      --trigger-http \
      --entry-point handler
```

## Other cloud services

### Vercel

```yaml
- uses: amondnet/vercel-action@v25
  with:
    vercel-token: ${{ secrets.VERCEL_TOKEN }}
    vercel-org-id: ${{ secrets.VERCEL_ORG_ID }}
    vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }}
```

### Netlify

```yaml
- uses: nwtgck/actions-netlify@v2
  with:
    publish-dir: ./dist
    production-branch: main
    github-token: ${{ secrets.GITHUB_TOKEN }}
    deploy-message: "Deploy from GitHub Actions"
  env:
    NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
    NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
```

### Heroku

```yaml
- uses: akhileshns/heroku-deploy@v3
  with:
    heroku_api_key: ${{ secrets.HEROKU_API_KEY }}
    heroku_app_name: my-app
    heroku_email: ${{ secrets.HEROKU_EMAIL }}
```

### DigitalOcean

```yaml
- uses: digitalocean/action-doctl@v2
  with:
    token: ${{ secrets.DIGITALOCEAN_TOKEN }}

- name: Deploy to App Platform
  # the argument is the App Platform app ID; my-app is a placeholder
  run: doctl apps create-deployment my-app
```

## Complete example

### Full AWS deployment pipeline

The build job pushes an image tagged with the commit SHA and exposes that tag as a job output; the deploy job renders the task definition with the new image and rolls it out to ECS. (`docker/build-push-action` has no `image` output, so the tag is recorded in a separate step.)

```yaml
name: Deploy to AWS

on:
  push:
    branches: [main]

env:
  AWS_REGION: us-east-1
  ECR_REPOSITORY: myapp
  ECS_SERVICE: my-service
  ECS_CLUSTER: my-cluster
  CONTAINER_NAME: myapp   # container name inside task-definition.json

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      image: ${{ steps.build-image.outputs.image }}
    steps:
      - uses: actions/checkout@v4

      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}

      # build-push-action has no `image` output; record the pushed tag for the deploy job
      - name: Record pushed image
        id: build-image
        run: echo "image=${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}" >> "$GITHUB_OUTPUT"

  deploy:
    needs: build
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4

      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      # point the task definition's container at the image built in this run
      - name: Render task definition
        id: task-def
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: task-definition.json
          container-name: ${{ env.CONTAINER_NAME }}
          image: ${{ needs.build.outputs.image }}

      - uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.task-def.outputs.task-definition }}
          service: ${{ env.ECS_SERVICE }}
          cluster: ${{ env.ECS_CLUSTER }}
          wait-for-service-stability: true
```

## Best practices

### 1. Use OIDC authentication

```yaml
permissions:
  id-token: write
  contents: read
```

### 2. Use environment protection

```yaml
environment: production
```

### 3. Manage credentials with Secrets

```yaml
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
```

### 4. Add deployment approvals

Add protection rules in the environment settings.

### 5. Speed up builds with caching

```yaml
- uses: actions/cache@v4
  with:
    path: ~/.npm
    key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
```
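Practices 1 to 4 can be checked mechanically before a workflow is merged. The script below is an added example, not code from the original page or from GitHub: it runs line-oriented checks over a workflow file for a top-level `permissions` block, `id-token: write` wherever `role-to-assume` is used, long-lived AWS access keys, credential inputs that are literal values rather than `${{ secrets.* }}` references, and jobs that declare no `environment`. The list of credential input names is assembled from the actions used on this page, and the two sample workflows are constructed (the `AKIAIOSFODNN7EXAMPLE` value is AWS's documentation placeholder, not a real key).

```python
"""Pre-merge hardening checks for a GitHub Actions deployment workflow.

Added example, not from the original page. The checks are deliberately
line-based so the script needs only the standard library; a full YAML
parser would be the natural next step.
"""
import re

# Inputs and env vars that carry credentials in the actions shown on this page
# (constructed list; extend it for other actions).
CREDENTIAL_KEYS = frozenset({
    "aws-access-key-id", "aws-secret-access-key", "creds", "credentials_json",
    "vercel-token", "heroku_api_key", "token", "key",
    "NETLIFY_AUTH_TOKEN",
})
# A value is acceptable only if it is exactly one secrets reference.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
KEY_VALUE = re.compile(r"^\s*([A-Za-z_][\w-]*):\s*(\S.*)$")


def check_workflow(text: str) -> list:
    """Return human-readable findings; an empty list means the workflow passed."""
    lines = text.splitlines()
    findings = []

    has_permissions = any(line.startswith("permissions:") for line in lines)
    has_id_token = any(re.match(r"^\s*id-token:\s*write\s*$", line) for line in lines)
    uses_static_keys = any(re.match(r"^\s*aws-access-key-id:", line) for line in lines)
    uses_oidc = any(re.match(r"^\s*role-to-assume:", line) for line in lines)
    has_environment = any(re.match(r"^\s+environment:\s*\S+", line) for line in lines)

    if not has_permissions:
        findings.append("no top-level permissions block: GITHUB_TOKEN keeps its default scopes")
    if uses_oidc and not has_id_token:
        findings.append("role-to-assume is used but permissions.id-token is not write")
    if uses_static_keys:
        findings.append("long-lived AWS access keys in use; prefer OIDC role-to-assume")
    if not has_environment:
        findings.append("no job declares an environment: no protection rules or approvals apply")

    # Credential inputs must be secrets references, never literals pasted into the file.
    for number, line in enumerate(lines, 1):
        match = KEY_VALUE.match(line)
        if match and match.group(1) in CREDENTIAL_KEYS \
                and not SECRET_REF.match(match.group(2).strip()):
            findings.append(f"line {number}: {match.group(1)} is a literal value, not a secrets reference")
    return findings


# Constructed sample: static keys, one of them pasted in as a literal, no permissions, no environment.
WEAK_WORKFLOW = """\
name: deploy
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: AKIAIOSFODNN7EXAMPLE
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
"""

# Constructed sample following the page's practices 1, 2 and 4: OIDC, least-privilege
# token permissions and a protected environment.
HARDENED_WORKFLOW = """\
name: deploy
on: push
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/myRole
          aws-region: us-east-1
"""

if __name__ == "__main__":
    for name, workflow in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name)
        for finding in check_workflow(workflow) or ["ok"]:
            print("  -", finding)
```

Wire `check_workflow` into a pull-request check that reads every file under `.github/workflows/`, so a workflow that regresses to pasted credentials or drops its `permissions` block fails review before it can run.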


## Summary

- AWS, Azure, GCP and other major cloud providers are supported
- OIDC authentication is more secure than stored access keys
- Manage credentials with Secrets
- Protect production with environments
- Targets include containers, functions, static sites and more
- Add deployment approvals to keep production changes under control

Last updated: 2026-03-28