We can implement a CI workflow using GitHub's runner and SSH into our server to deploy. However, because of our extra-tier IP-restricted firewall, we cannot use the GitHub runner, as it has the same IP address ranges as Azure data centers. Furthermore, SSH is not possible unless we request Media3 to turn off DUO authentication for the server web user account. I created a workflow using GitHub Actions with our own self-hosted runner (which is installed under my superuser, as the web user does not have enough privilege to install and run the runner) that executes sudo commands as the web user account.

  1. Adding a self-hosted runner to a repository or an organization 

    I added our dev server to the organization, as many repositories use the dev server. For a prod server that is only related to one repo (such as SPI), it's better to install the runner to a repository.

  2. Set up SSH Key for GitHub to skip password at each git command

     

  3. Workflow syntax 

    Sample workflow syntax for deploying to dev and prod.

  4. How to run SSH commands

    We probably won't use this approach because of the IP restriction firewall.   I put down my research in case it's useful in the future.
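
An added example of the workflow described in the introduction and in item 3 (not the original workflow from this page): one job per environment on a self-hosted runner, with the deploy step run through sudo as the web user. The runner labels `dev` and `prod`, the branch names, the accounts `webuser` and `runner-admin`, and the paths under `/var/www` are all assumptions.

```yaml
# Added example; labels, branches, user names and paths are assumptions.
# The runner account (hypothetical: runner-admin) needs a narrow sudoers rule,
# limited to the exact deploy command, for example on the dev server:
#   runner-admin ALL=(webuser) NOPASSWD: /usr/bin/git -C /var/www/dev-site pull --ff-only origin develop
name: Deploy

# Triggered by push only, so pull requests from forks never reach the
# self-hosted runner.
on:
  push:
    branches: [develop, main]

# The jobs only run local commands, so the workflow token stays read-only.
permissions:
  contents: read

# Never run two deployments of the same branch at once.
concurrency:
  group: deploy-${{ github.ref }}
  cancel-in-progress: false

jobs:
  deploy-dev:
    if: github.ref == 'refs/heads/develop'
    runs-on: [self-hosted, dev]
    steps:
      - name: Pull develop as the web user
        # -n makes sudo fail instead of prompting if the sudoers rule is missing.
        # The pull uses the web user's SSH key from item 2.
        run: sudo -n -u webuser /usr/bin/git -C /var/www/dev-site pull --ff-only origin develop

  deploy-prod:
    if: github.ref == 'refs/heads/main'
    runs-on: [self-hosted, prod]
    steps:
      - name: Pull main as the web user
        run: sudo -n -u webuser /usr/bin/git -C /var/www/prod-site pull --ff-only origin main
```

Because the sudoers rule names the full command with its arguments, a changed workflow step cannot run anything else as the web user without a matching change on the server.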