
Azure Cloud Architecture & GitHub Actions CI/CD Platform

Platform engineering & release automation: a secure Azure application platform and a GitHub Actions pipeline that turns a single repository into automated, multi-OS desktop releases for Windows, Linux, and macOS.

Role
Cloud / DevOps Engineer (Lead)
Duration
Jun 24 – Present
Azure, GitHub Actions, GitHub Releases, Azure Front Door, WAF, Static Web Apps, Azure Web Apps, Azure SQL, Azure Cache for Redis, Key Vault, Managed Identity, Private Endpoints, Azure Monitor, Application Insights, Log Analytics

Key highlights

  • Turned a manual, multi-OS release process into an automated GitHub Actions pipeline from commit to published GitHub Release.
  • Automated cross-platform desktop packaging — EXE/MSI (Windows), DEB/RPM/AppImage (Linux), DMG/PKG (macOS) — from one codebase.
  • Added a draft-then-publish release gate with checksums and release notes as a quality checkpoint before public distribution.
  • Designed a secure Azure platform: Front Door + WAF, Static Web Apps & Web Apps, Azure SQL, and Redis on private networking.
  • Eliminated embedded credentials using Key Vault + Managed Identities, with Private Endpoints and network segmentation.
  • Centralized observability in Application Insights, Azure Monitor, and Log Analytics with dashboards and proactive alerting.

Overview

Designed a secure Azure application platform and automated software delivery workflows using GitHub Actions, enabling reliable deployment of cloud-hosted applications and automated desktop application releases across Windows, Linux, and macOS.

The project focused on improving deployment consistency, reducing manual release effort, and increasing visibility into application health and performance. The real engineering story here is release automation — taking a manual, per-OS process and turning it into a single, repeatable pipeline:

Manual Deployments → Azure Platform Design → GitHub Actions Automation → Cross-Platform Release Pipeline → Centralized Observability → Reliable Software Delivery

Business challenge

The organization needed to support both web applications and desktop software releases while cutting manual operational effort. The pain points:

  • Manual releases built and published by hand.
  • Multiple OS targets with separate, inconsistent procedures.
  • Inconsistent deployments across environments.
  • Limited monitoring of application health and performance.
  • Secret-management complexity spread across locations.

The goal was a secure cloud foundation plus an automated delivery lifecycle from source-code commit to production deployment and public software release.

Architecture

Azure platform with GitHub Actions CI/CD: Front Door and WAF in front of Static Web Apps and Web Apps backed by Azure SQL and Redis on private networking with Key Vault and Managed Identities, a GitHub Actions pipeline producing cross-platform desktop releases via GitHub Releases, and observability through Application Insights, Azure Monitor and Log Analytics.
A secure Azure hosting tier (Front Door + WAF, Static Web Apps / Web Apps, Azure SQL, Redis, Key Vault) paired with a GitHub Actions pipeline that builds, packages, and publishes cross-platform releases.

The Azure environment was designed around security, scalability, and operational simplicity. Azure Front Door is the single secure entry point for user traffic; Static Web Apps host the frontend and Azure Web Apps host backend APIs, so each tier scales independently with minimal hosting overhead. Azure SQL Database holds relational data, Azure Cache for Redis keeps latency low, and Key Vault removes secrets from the deployment path entirely.

The architecture exists to keep public surface area small and operations simple — managed hosting and edge security instead of hand-built infrastructure, so the team’s effort goes into the product and its release pipeline rather than plumbing.

Security improvements

Identity & secrets

Centralized application secrets, database credentials, certificates, and API keys in Azure Key Vault, accessed at runtime through Managed Identities. This removed shared credentials, service passwords, and hard-coded secrets — applications authenticate to Azure services without anyone holding a key.

Networking

Built the platform on secure networking foundations — private networking, Private Endpoints, subnet segmentation, and Azure Front Door + WAF at the edge. The result restricts unnecessary access paths and keeps backend services off the public internet.

Release automation

This is the heart of the project. Rather than building and publishing desktop releases by hand for each operating system, the entire flow runs through GitHub Actions:

GitHub → GitHub Actions → Build → Package → Cross-Platform Builds → Draft Release → GitHub Release

Every code change automatically triggers validation, build, and packaging — eliminating manual release preparation and making releases consistent and repeatable.

Cross-platform builds

From a single codebase, the pipeline produces native packages for every supported operating system:

  • Windows — EXE packages and MSI installers.
  • Linux — DEB, RPM, and AppImage releases.
  • macOS — DMG packages and PKG installers.

This standardized delivery across all platforms and removed the per-OS release-engineering toil.

GitHub Releases & quality gate

Release management is automated through GitHub Releases: versioned artifacts, generated checksums, published release notes, and downloadable packages. Releases are first created as drafts — a validation checkpoint before public publication — and only become publicly available once approved. That draft-then-publish step adds a deliberate quality gate to an otherwise fully automated flow.
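
The draft-then-publish gate described above could be enforced by a check like the following, an added example that is not code from the project. It writes a checksum manifest for a draft's artifacts and blocks publication if a file is unlisted, missing or altered, or if one of the seven package formats listed earlier is absent; the `SHA256SUMS` manifest name, the sample file names and the function names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Package formats listed on the page; the manifest name is an assumption.
REQUIRED_SUFFIXES = {".exe", ".msi", ".deb", ".rpm", ".AppImage", ".dmg", ".pkg"}
MANIFEST = "SHA256SUMS"

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):  # installers can be large
            digest.update(chunk)
    return digest.hexdigest()

def write_manifest(release_dir: Path) -> None:
    """Write '<hex>  <name>' lines (sha256sum format) for every artifact."""
    names = sorted(p.name for p in release_dir.iterdir() if p.name != MANIFEST)
    lines = [f"{sha256_file(release_dir / n)}  {n}" for n in names]
    (release_dir / MANIFEST).write_text("\n".join(lines) + "\n")

def gate_draft(release_dir: Path) -> list[str]:
    """Return reasons to block publication; an empty list means publish."""
    rows = (release_dir / MANIFEST).read_text().splitlines()
    listed = {name: digest for digest, name in (r.split("  ", 1) for r in rows)}
    present = {p.name for p in release_dir.iterdir() if p.name != MANIFEST}
    problems = [f"unlisted artifact: {n}" for n in sorted(present - listed.keys())]
    for name, digest in sorted(listed.items()):
        path = release_dir / name
        if not path.is_file():
            problems.append(f"missing artifact: {name}")
        elif sha256_file(path) != digest:
            problems.append(f"checksum mismatch: {name}")
    have = {Path(n).suffix for n in present}
    problems += [f"no {s} package in draft" for s in sorted(REQUIRED_SUFFIXES - have)]
    return problems

def demo() -> tuple[list[str], list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        draft = Path(tmp)
        # Constructed sample artifacts; the .pkg installer is deliberately absent.
        for ext in ("exe", "msi", "deb", "rpm", "AppImage", "dmg"):
            (draft / f"app-1.0.0.{ext}").write_bytes(f"constructed {ext}".encode())
        write_manifest(draft)
        before = gate_draft(draft)
        (draft / "app-1.0.0.msi").write_bytes(b"changed after checksums were generated")
        return before, gate_draft(draft)

if __name__ == "__main__":
    print(demo())
```
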

Observability

Implemented centralized monitoring so the team can see and act on what the platform is doing. Application Insights provides application performance monitoring, distributed tracing, dependency tracking, and failure analysis; Azure Monitor handles metrics, infrastructure monitoring, and alerting; and a Log Analytics Workspace centralizes logs for querying, incident investigation, and long-term retention. Dashboards and proactive alerts surface application health, performance bottlenecks, infrastructure utilization, and availability before issues reach users — significantly improving troubleshooting efficiency.

What I led

  • Cloud architecture — secure Azure hosting architecture, networking and identity controls, scalable frontend/backend hosting.
  • DevOps automation — GitHub Actions CI/CD workflows, automated build and release processes, deployment automation for Azure-hosted apps.
  • Release engineering — multi-platform release automation, GitHub draft-release workflows, standardized artifact generation.
  • Observability — Application Insights and Azure Monitor configuration, centralized logging and alerting, improved operational visibility.

Outcome

Delivered a secure Azure cloud platform and a fully automated software-delivery ecosystem supporting both web applications and desktop software distribution. Key outcomes:

  • Automated deployments to Azure Static Web Apps and Azure Web Apps.
  • Automated Windows, Linux, and macOS release generation.
  • Consistent, repeatable GitHub-based release workflows.
  • Reduced manual release-engineering effort.
  • Faster troubleshooting and improved platform visibility.
  • Stronger security through Key Vault, Managed Identities, and private networking.

The platform transformed software delivery from a largely manual process into a repeatable, secure, and automated release pipeline — while maintaining a secure and highly available Azure application environment.
