Skip to main content
This page provides detailed information about each secret used by AL-Go for GitHub, including authentication methods, required properties, and usage examples.

Azure_Credentials

Connect your GitHub repository to Azure resources including Azure KeyVault for secret management and app signing.

Overview

By creating a secret called Azure_Credentials, you give your GitHub repository access to:
  • Azure KeyVault for reading secrets
  • Managed signing of apps (requires Premium SKU KeyVault)
  • Azure resources for deployment and storage
For signing apps with KeyVault, you need a Premium SKU KeyVault. Update an existing KeyVault:
az keyvault update --set properties.sku.name=premium --name <KeyVaultName> --resource-group <ResourceGroupName>

KeyVault Security Models

Azure KeyVault supports two security models:
TaskRequired Role
Read SecretsKey Vault Secrets User
Sign AppsKey Vault Crypto User + Key Vault Certificate User

Vault Access Policy

TaskRequired Permissions
Read SecretsSecret permissions: Get, List
Sign AppsCryptographic Operations: Sign + Certificate permissions: Get

Authentication Methods

You can authenticate using either a Managed Identity or an App Registration.

Managed Identity with Federated Credential

Register your GitHub repository in the managed identity under Settings → Federated credentials. Example: 
{"keyVaultName":"MyKeyVault","clientId":"<clientId>","tenantId":"<tenantId>"}
Federated credentials are the most secure option as they don’t require storing client secrets. Only workflows running in the specified branch/environment can authenticate.

App Registration with Federated Credential

Register your GitHub repository in the app registration under Certificates & Secrets → Federated credentials. Example: 
{"keyVaultName":"MyKeyVault","clientId":"<clientId>","tenantId":"<tenantId>"}

App Registration with Client Secret

Create a client secret in the app registration under Certificates & Secrets. Example: 
{"keyVaultName":"MyKeyVault","clientId":"<clientId>","clientSecret":"<clientSecret>","tenantId":"<tenantId>"}
Client secrets are less secure than federated credentials. Anyone with the clientId and clientSecret can authenticate.

App Signing Configuration

With Azure_Credentials configured, you can enable app signing by setting: 
{
  "keyVaultCodesignCertificateName": "MyCertificateName"
}

AuthContext

Deploy apps to Business Central environments.

Overview

Whenever AL-Go deploys to an environment, it needs an AuthContext secret. The secret can be provided:
  • Underneath the environment in GitHub (preferred)
  • As a repository secret named <EnvironmentName>_AuthContext
  • As a generic AuthContext repository secret

Managed Identity

Managed identities cannot be used for deploying to Business Central environments as this is not an Azure resource.

Impersonation with RefreshToken

Allows AL-Go to impersonate a user and act on their behalf. Example: 
{"tenantId":"<tenantId>","scopes":"https://api.businesscentral.dynamics.com/","RefreshToken":"<refreshToken>","clientId":"<clientId>"}
RefreshTokens typically provide access for 90 days. After that, you need to refresh the AuthContext secret with a new refreshToken.

App Registration (Service to Service)

Register the ClientId in Business Central to create a user with permissions: D365 AUTOMATION and EXTEN. MGT. - ADMIN.

With Federated Credential

Register your GitHub repository in the app registration. Example: 
{"tenantId":"d630ce39-5a0c-41ec-bf0d-6758ad558f0c","scopes":"https://api.businesscentral.dynamics.com/","clientId":"d48b773f-2c26-4394-8bd2-c5b64e0cae32"}

With Client Secret

Create a client secret in the app registration. Example: 
{"tenantId":"<tenantId>","scopes":"https://api.businesscentral.dynamics.com/","clientId":"<clientId>","clientSecret":"<clientSecret>"}

AppSourceContext

Deliver apps to Microsoft AppSource.

Overview

Adding a secret called AppSourceContext to an AL-Go repository from the AppSource template enables automatic delivery to AppSource.
Managed identities cannot be used for AppSource submission as the Partner Center API is not an Azure resource.

App Registration (Service to Service)

Register the ClientId in Partner Center.

With Federated Credential

Example: 
{"clientId":"<clientId>","tenantId":"<tenantId>","scopes":"https://api.partner.microsoft.com/.default"}

With Client Secret

Example: 
{"tenantId":"c645f7e7-0613-4b82-88ca-71f3dbb40045","scopes":"https://api.partner.microsoft.com/.default","clientId":"<clientId>","clientSecret":"<clientSecret>"}
Whoever has access to the clientId and clientSecret can publish apps to AppSource on your behalf.

StorageContext

Deliver build artifacts to Azure Storage.

Overview

Adding a secret called StorageContext enables automatic delivery to an Azure Storage account.

Structure

The StorageContext secret must be a compressed JSON structure containing authentication properties plus:
  • containerName - Container name (with placeholders)
  • blobName - Blob name (with placeholders)
  • storageAccountName - Azure Storage account name

Placeholders

  • {project} - Project or repository name
  • {version} - Version number (plus -preview for continuous delivery)
  • {branch} - Branch name
  • {type} - apps, testapps, or dependencies
Container names must be 3-63 characters long, start/end with lowercase letter or number, and contain only lowercase letters, numbers, or dashes (no consecutive dashes).

Authentication Methods

Managed Identity with Federated Credential

Register your GitHub repository in the managed identity. Example: 
{"storageAccountName":"MyStorageName","clientId":"<clientId>","tenantId":"<tenantId>","containerName":"{project}","blobName":"{version}/{project}-{type}.zip"}

App Registration with Federated Credential

Example: 
{"storageAccountName":"MyStorageName","clientId":"<clientId>","tenantId":"<tenantId>","containerName":"{project}","blobName":"{version}/{project}-{type}.zip"}

App Registration with Client Secret

Example: 
{"storageAccountName":"MyStorageName","clientId":"<clientId>","clientSecret":"<clientSecret>","tenantId":"<tenantId>","containerName":"{project}","blobName":"{version}/{project}-{type}.zip"}

Storage Account with SAS Token

Example: 
{"storageAccountName":"MyStorageName","sastoken":"sv=2022-11-02&ss=b&srt=sco&sp=rwdlaciytf&se=2024-08-06T20:22:08Z&st=2024-04-06T12:22:08Z&spr=https&sig=<signature>","containerName":"{project}","blobName":"{version}/{project}-{type}.zip"}

Storage Account with Access Key

Using storage account name and key is the least secure authentication method. Use only when other methods are not available.
Example: 
{"storageAccountName":"MyStorageName","storageAccountKey":"<storageAccountKey>","containerName":"{project}","blobName":"{version}/{project}-{type}.zip"}

GitHubPackagesContext

Deliver apps to GitHub Packages NuGet feed.

Overview

Creating a secret called GitHubPackagesContext enables:
  • Automatic delivery to GitHub Packages after every successful build
  • Automatic dependency resolution from the NuGet feed
Example: 
{"token":"<gitHubToken>","serverUrl":"https://nuget.pkg.github.com/mygithuborg/index.json"}
GitHub App authentication doesn’t support GitHub Packages. The token must be a Personal Access Token (Classic or Fine-Grained).

NuGetContext

Deliver apps to NuGet feeds (Azure DevOps or other).

Overview

Creating a secret called NuGetContext enables automatic delivery to a NuGet feed after every successful build.
AL-Go will NOT use this feed for dependency resolution automatically. Add it to trustedNuGetFeeds setting if you want to use it for dependencies.
Example: 
{"token":"<nuGetToken>","serverUrl":"https://pkgs.dev.azure.com/myorg/apps/_packaging/myrepo/nuget/v3/index.json"}

GhTokenWorkflow

Update AL-Go System Files.

Overview

When running the “Update AL-Go System Files” workflow, you need a secret called GhTokenWorkflow containing a Personal Access Token with permissions to modify workflows. Required permissions:
  • workflow - Modify GitHub Actions workflows
  • contents - Commit changes to the repository
Creating the token:
1

Generate PAT

Go to GitHub Settings → Developer settings → Personal access tokens
2

Select Scopes

Choose repo scope (includes workflow permissions)
3

Set Expiration

Set appropriate expiration date
4

Create Secret

Add token to repository as GhTokenWorkflow secret
You can customize the secret name using the ghTokenWorkflowSecretName setting.

GitSubmodulesToken

Access private Git submodules.

Overview

When using Git submodules from private repositories, create a GitSubmodulesToken secret containing a Personal Access Token with read access to those repositories. Alternative: Set the gitSubmodulesTokenSecretName setting to use a different secret name (e.g., GhTokenWorkflow). Required permissions:
  • repo - Full control of private repositories (for reading submodules)
Enable submodules: 
{
  "useGitSubmodules": "recursive"
}

LicenseFileUrl

Use a specific license file during CI/CD.

Overview

AL-Go uses the Demo license from Business Central (CRONUS license) by default. To use a different license, create a LicenseFileUrl secret. Value: Direct download URL for the license file Example: 
https://example.com/licenses/my-license.flf?token=abc123
Required for building AppSource apps for Business Central versions prior to version 22.
You can customize the secret name using the licenseFileUrlSecretName setting.

Additional Secrets

These secrets are referenced in settings but work similarly to the ones above:

AdminCenterApiCredentials

Credentials for connecting to the Admin Center API when creating Online Development Environments. Customize name: 
{
  "adminCenterApiCredentialsSecretName": "MyAdminCenterCreds"
}

ApplicationInsightsConnectionString

Application Insights connection string for the apps. Customize name: 
{
  "applicationInsightsConnectionStringSecretName": "MyAppInsightsConnStr"
}

Code Signing Certificates (Legacy)

Legacy method for code signing (new method preferred). CodeSignCertificateUrl: URL to download .pfx certificate file
CodeSignCertificatePassword: Password for the certificate Customize names: 
{
  "codeSignCertificateUrlSecretName": "MyCodeSignCertUrl",
  "codeSignCertificatePasswordSecretName": "MyCodeSignCertPassword"
}

Testing Secrets

After creating secrets, verify they work correctly:
1

Run Workflow

Trigger a workflow that uses the secret
2

Check Logs

Verify secret values appear as *** in logs
3

Verify Functionality

Confirm the operation succeeds (deployment, signing, etc.)
4

Debug if Needed

If failed, check secret name, format, and permissions

Build docs developers (and LLMs) love

Get started for freeTalk to us