// Onboard a repository, Azure subscription(s), and user identity for Git-Ape CI/CD using a skill-driven CLI playbook. Use for first-time setup of OIDC, federated credentials, RBAC, GitHub environments, and required secrets.
Analyze deployed Azure resource groups and generate detailed Mermaid architecture diagrams showing relationships between resources. Use for post-deployment visualization, understanding existing infrastructure, or documenting live Azure environments.
Check that all required CLI tools are installed, meet minimum versions, and have active auth sessions. Shows platform-specific install commands for anything missing.
Estimate monthly costs for Azure resources by querying the Azure Retail Prices API. Parses ARM templates to identify resources, SKUs, and regions, then looks up real retail pricing. Produces a per-resource cost breakdown with monthly totals. Use during template generation or when user asks about costs.
Run preflight validation on ARM templates before deployment. Performs what-if analysis, permission checks, and generates a structured report with resource changes (create/modify/delete). Use before any deployment to preview changes and catch issues early.
Detect configuration drift between deployed Azure resources and stored deployment state. Compare actual Azure configuration against desired state in .azure/deployments/, identify differences, and guide user through reconciliation options. Use when checking for manual changes, policy remediations, or unauthorized modifications.
Run post-deployment integration tests for Azure resources. Verify Function Apps, Storage Accounts, Databases, App Services are healthy and accessible. Use after successful Azure deployment.
| name | git-ape-onboarding |
| description | Onboard a repository, Azure subscription(s), and user identity for Git-Ape CI/CD using a skill-driven CLI playbook. Use for first-time setup of OIDC, federated credentials, RBAC, GitHub environments, and required secrets. |
| argument-hint | GitHub repo URL, subscription target(s), and onboarding mode (single or multi-environment) |
| user-invocable | true |
Use this skill to bootstrap a repository for Git-Ape deployments by executing the onboarding workflow directly from Copilot Chat.
This skill is the source of truth for onboarding behavior. Do not depend on a standalone repository script for setup logic.
This skill configures:
azure-deploy*, azure-destroy)AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID)Before onboarding, run the prereq-check skill to verify all required tools are installed and auth sessions are active:
/prereq-check
The prereq-check skill validates: az (≥ 2.50), gh (≥ 2.0), jq (≥ 1.6), git, and active Azure/GitHub auth sessions. If anything is missing, it shows platform-specific install commands.
Do NOT proceed with onboarding until prereq-check reports ✅ READY.
Additionally, the Azure identity used must have Owner or User Access Administrator on the target subscription(s), and the GitHub identity must have admin access to the target repository.
Invoke the skill from chat and let the agent gather missing parameters:
/git-ape-onboarding
/git-ape-onboarding onboard https://github.com/org/repo on subscription 00000000-0000-0000-0000-000000000000 with Contributor
/git-ape-onboarding onboard https://github.com/org/repo with dev on 11111111-1111-1111-1111-111111111111 as Contributor, staging on 22222222-2222-2222-2222-222222222222 as Contributor, prod on 33333333-3333-3333-3333-333333333333 as Contributor+UserAccessAdministrator
When the agent executes this skill, it should run the equivalent Azure and GitHub CLI commands directly in this order:
gh repo view <org>/<repo>
gh api repos/<org>/<repo> --jq '{repo_id: .id, owner_id: .owner.id}'
gh api orgs/<org>/actions/oidc/customization/sub --jq '.use_default'
CLIENT_ID=$(az ad app create --display-name "$SP_NAME" --query appId -o tsv)
az ad sp create --id "$CLIENT_ID"
TENANT_ID=$(az account show --query tenantId -o tsv)
OBJECT_ID=$(az ad app show --id "$CLIENT_ID" --query id -o tsv)
# default format
OIDC_PREFIX="repo:<org>/<repo>"
# if org customization returns false
OIDC_PREFIX="repository_owner_id:<OWNER_ID>:repository_id:<REPO_ID>"
main, pull_request, azure-deploy*, and azure-destroy..exampleyml to .yml (only if all acknowledgments confirmed; see Step 11 section below).After RBAC and environment setup, ask the user about compliance requirements and update the ## Compliance & Azure Policy section in .github/copilot-instructions.md:
Ask compliance framework:
Which compliance framework should Git-Ape use for policy recommendations?
- General Azure best practices (recommended)
- CIS Azure Foundations v3.0
- NIST SP 800-53 Rev 5
- None — skip policy recommendations
Ask enforcement mode:
How should policies be enforced initially?
- Audit only (recommended — evaluate compliance without blocking)
- Enforce (Deny — block non-compliant deployments immediately)
Update copilot-instructions.md with the user's choices:
## Compliance & Azure Policy → ### Compliance Frameworks section### Policy Enforcement Mode default to the user's choiceAfter collecting acknowledgments for experimental status and production safety (see agent's "Acknowledgment Phase"), activate the Git-Ape workflows by renaming .exampleyml files to .yml in the .github/workflows/ directory.
Files to activate:
git-ape-plan.exampleyml → git-ape-plan.yml (validates template and shows what-if)git-ape-deploy.exampleyml → git-ape-deploy.yml (executes deployments)git-ape-destroy.exampleyml → git-ape-destroy.yml (tears down resources)git-ape-verify.exampleyml → git-ape-verify.yml (runs verification steps)Rename commands (Unix/macOS/Linux):
cd .github/workflows
for f in *.exampleyml; do
target="${f%.exampleyml}.yml"
mv "$f" "$target"
echo "Renamed: $f -> $target"
done
Rename commands (Windows PowerShell):
cd .github\workflows
Get-ChildItem *.exampleyml | ForEach-Object {
$newName = $_.Name -replace '\.exampleyml$', '.yml'
Rename-Item -Path $_.FullName -NewName $newName
Write-Host "Renamed: $($_.Name) -> $newName"
}
Verification (all platforms):
ls .github/workflows/git-ape-*.yml
Should output:
git-ape-deploy.yml
git-ape-destroy.yml
git-ape-plan.yml
git-ape-verify.yml
Output after activation: Display summary:
✅ Workflows activated:
- git-ape-plan.yml (validates and plans deployments)
- git-ape-deploy.yml (executes deployments and integration tests)
- git-ape-destroy.yml (tears down resources when requested)
- git-ape-verify.yml (runs post-deployment verification)
Next steps:
1. Review .github/workflows/git-ape-*.yml for familiarity
2. Push changes to a feature branch and open a PR
3. Verify the plan workflow runs and shows what-if analysis in the PR comment
4. For first deployment, merge to main and monitor git-ape-deploy.yml execution
/prereq-check to validate tools and auth. Stop if it doesn't report ✅ READY.copilot-instructions.md with compliance preferences..exampleyml).Some GitHub organizations (notably the Azure org) override the default OIDC subject
claim template to use numeric ID-based subjects instead of name-based ones.
The skill auto-detects this by calling:
gh api "orgs/{org}/actions/oidc/customization/sub" --jq ".use_default"
true → standard format: repo:Azure/git-ape:pull_requestfalse → ID format: repository_owner_id:6844498:repository_id:1184905165:pull_requestIf OIDC login fails with AADSTS700213: No matching federated identity record, the
federated credential subjects don't match what GitHub is presenting. Fix by re-running
onboarding (the skill will auto-detect and use the correct format), or manually updating
existing credentials:
# Get repo/owner IDs
gh api repos/Azure/git-ape --jq '{repo_id: .id, owner_id: .owner.id}'
# Update each federated credential with correct subject
az ad app federated-credential update \
--id <APP_OBJECT_ID> \
--federated-credential-id <CRED_ID> \
--parameters '{"subject":"repository_owner_id:<OWNER_ID>:repository_id:<REPO_ID>:pull_request"}'
Azure subscriptions in a Disabled state are read-only — RBAC assignments will fail.
Verify subscription state before onboarding:
az account show --subscription <SUB_ID> --query "{name:name,state:state}" -o table
# Test write access:
az group list --subscription <SUB_ID> --query "length(@)" -o tsv
# Azure context
az account show --query "{name:name,id:id,tenantId:tenantId}" -o table
# GitHub auth
gh auth status
# Validate app federated credentials — check subjects match org OIDC format
az ad app federated-credential list --id <APP_OBJECT_ID> -o json | jq -r '.[] | "\(.name): \(.subject)"'
# Check GitHub org OIDC subject template (true = name-based, false = ID-based)
gh api orgs/<ORG>/actions/oidc/customization/sub --jq '.use_default'
# Get repo and owner numeric IDs (needed for ID-based subject construction)
gh api repos/<ORG>/<REPO> --jq '{repo_id: .id, owner_id: .owner.id}'
# Validate role assignments for SP (replace principal object id)
az role assignment list --assignee-object-id <SP_OBJECT_ID> --all -o table