Add CI/CD pipeline deployment guide for Aspire applications

[Copilot]

• Create new CI/CD deployment guide (deployment/cicd.mdx) covering:
  • GitHub Actions workflow examples for Aspire deployment
  • Azure DevOps pipeline setup guide
  • Service Principal vs. user principal for Azure resources in CI
  • Non-interactive deployment (environment variables)
  • CI environment tips (timeouts, terminal output, Docker)
  • Deployment state caching in CI
• Update .NET version references from 9.x to 10.x throughout the guide
• Add new "CI/CD pipelines" entry to deployment sidebar (deployment.topics.ts) with translations
• Verified page renders correctly (all internal links return 200, no broken pages)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Discord Feedback] Deployment & CI/CD documentation gaps</issue_title>
<issue_description>## Summary

Based on analysis of 20,415 Discord messages + 147 #help threads (April 2025 - February 2026).

Question counts:

Topic	Questions
Azure DevOps/Pipelines	87
azd integration	75
ACA/Container Apps	70
Kubernetes	54
aspire deploy	44
Container Registry	42
GitHub Actions	22

---

Docs That Exist

Slug	Title	Coverage
deploy-using-the-aspire-cli	Deploy using the Aspire CLI	✅ Basic ACA deployment
building-custom-deployment-pipelines	Building custom deployment pipelines	✅ Image building, progress reporting
publishing-and-deployment	Publishing and deployment	✅ Overview
deployment-manifest-format	Deployment manifest format	✅ Manifest structure
kubernetes-integration	Kubernetes integration	⚠️ Hosting only, not publishing

---

Gaps in Existing Docs

1. aspire deploy - Missing Topics (44 questions)

Customer Quotes:

"how does aspire deploy handle WaitFor? for example, if i set a database migration service to run before an api and frontend, how is this handled when deploying to i.e. azure?"

"did aspire deploy not get resource specific deploys like azd?"

Missing from deploy-using-the-aspire-cli:

• WaitFor behavior during deployment (vs local dev)
• Selective/resource-specific deployment
• aspire deploy vs azd comparison table
• Parameters file format and examples (partially mentioned but unclear per user feedback)
• Handling dev-only resources during deploy

---

2. CI/CD Integration - No Dedicated Docs (109 questions)

Verified: grep -i "github action\|azure devops\|ci\|cd\|pipeline" aspire-docs-list.txt returns no dedicated CI/CD guide.

Customer Quotes:

"Trying to work my way through some issues using the aspire cli in my Azure DevOps pipeline."

"Tests pass locally but fail in Azure DevOps because Cosmos uses principalType 'User' but CI uses Service Principal"

From #help threads:

• Tests run indefinitely in GitHub Actions
• CLI output formatting issues in Jenkins

Action Items:

• Azure DevOps pipeline setup guide
• GitHub Actions workflow examples
• Service Principal vs User principal for Azure resources in CI
• Running aspire CLI in detached mode for E2E tests
• CI environment compatibility (timeouts, terminal output)

---

3. Kubernetes Publishing - Incomplete (54 questions)

Verified: kubernetes-integration exists but covers hosting only, not publishing/deployment.

Customer Quotes:

"I was wondering if anyone has considered an option where you could orchestrate resources in an actual Kubernetes cluster running locally (with MiniKube, Kind, Docker Desktop)"

From #help threads:

• "How to get Kubernetes integration to use container registry image names?"
• AddKubernetesEnvironment() mentioned but undocumented

Action Items:

• AddKubernetesEnvironment() documentation
• Helm chart generation patterns
• Local Kubernetes (MiniKube, Kind) workflows
• cert-manager integration
• Aspirate mention/comparison

---

4. Container Registry / Airgapped (42 questions)

Verified: azure-container-registry-integration exists for ACR, but no private/airgapped patterns.

Customer Quotes:

"Is there an easy way to override container registry hostnames? Internally we use a jfrog artifactory proxy for mcr.microsoft.com."

"Could someone have a look at dotnet/aspire#14128? This would help us to support container registry mirrors in airgapped environments."

Action Items:

• Private/internal registry configuration
• mcr.microsoft.com proxy/mirror patterns
• Airgapped environment setup
• Enterprise registry authentication patterns

---

Data Source

• Discord channels: #��│general, #🔵│azure, #🔨│building-resources
• Help threads: 147 from #🆘│help
• Total messages: 20,415
• Date range: April 2025 - February 2026
• Verified against: aspire-list_docs and aspire-search_docs</issue_description>

<agent_instructions>Please address this issue, while using the .github/skills/doc-writer/SKILL.md. Be certain to also take into account, related issues, pull requests, links and comments that are directly linked as well as comments.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes [Discord Feedback] Deployment & CI/CD documentation gaps #331

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[IEvangelist]

This PR looks good so far, but let's double check it for accuracy by using the .github/skills/doc-tester/SKILL.md skill. Please also consider all new comments and feedback/suggestions. @copilot

[IEvangelist]

Suggested change

	dotnet-version: '9.x'
	dotnet-version: '10.x'

[Copilot]

Updated in b3eb860 — both dotnet-version: '9.x' (GitHub Actions) and version: '9.x' (Azure DevOps) are now 10.x.

[IEvangelist]

Please be sure to use .NET 10 for all bits...

[Copilot]

Fixed in b3eb860 — both .NET version references in the guide are now 10.x.

[Copilot]

Pull request overview

This PR adds a comprehensive CI/CD deployment guide to address a significant documentation gap identified from Discord community feedback (109+ questions about CI/CD integration with no dedicated documentation). The guide covers deploying Aspire applications from GitHub Actions and Azure DevOps pipelines, with detailed setup instructions for both platforms.

Changes:

• Added new CI/CD deployment documentation covering non-interactive deployment, Azure authentication (OIDC/service principals), complete GitHub Actions and Azure DevOps pipeline examples, and CI environment best practices
• Added sidebar entry for "CI/CD pipelines" with translations for all 16 supported locales, positioned before the "Deploy to Azure" section

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
src/frontend/src/content/docs/deployment/cicd.mdx	New comprehensive guide documenting CI/CD deployment patterns for Aspire applications, including environment variables for non-interactive mode, authentication setup, and complete workflow/pipeline examples
src/frontend/config/sidebar/deployment.topics.ts	Added "CI/CD pipelines" sidebar entry with complete translations for all 16 locales (da, de, en, es, fr, hi, id, it, ja, ko, pt-BR, pt-PT, ru, tr, uk, zh-CN)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The .NET version specified here is incorrect. According to the Aspire CLI overview documentation, "Starting with Aspire 13.0, the Aspire CLI requires .NET SDK version 10.0.100 or later." This workflow should use dotnet-version: '10.0.x' instead of '9.x' to ensure compatibility with Aspire 13.0 and later.

Suggested change

	dotnet-version: '9.x'
	dotnet-version: '10.0.x'

[Copilot]

The .NET version specified here is incorrect. According to the Aspire CLI overview documentation, "Starting with Aspire 13.0, the Aspire CLI requires .NET SDK version 10.0.100 or later." This pipeline should use version: '10.0.x' instead of '9.x' to ensure compatibility with Aspire 13.0 and later.

Suggested change

	version: '9.x'
	version: '10.0.x'

[Copilot]

The example az role assignment create command assigns the CI app registration the Contributor role at the entire subscription scope, which grants far broader permissions than are needed for a single Aspire deployment. If the GitHub Actions workflow or its identity is compromised, an attacker could create, modify, or delete any resource in the subscription, not just those for this app. Consider scoping the role assignment to a specific resource group (or narrower scope) and using the least-privileged role needed for deployment rather than subscription-wide Contributor.

Suggested change

	1. Assign the App Registration a role on the target subscription or resource group:
	```azurecli title="Azure CLI — Role assignment"
	az role assignment create \
	--assignee <app-registration-client-id> \
	--role Contributor \
	--scope /subscriptions/<subscription-id>
	1. Assign the App Registration a role scoped to the target resource group:
	```azurecli title="Azure CLI — Role assignment"
	az role assignment create \
	--assignee <app-registration-client-id> \
	--role Contributor \
	--scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>

[Copilot]

This PR looks good so far, but let's double check it for accuracy by using the .github/skills/doc-tester/SKILL.md skill. Please also consider all new comments and feedback/suggestions. @copilot

Doc-tester results for deployment/cicd.mdx:

All checks passed ✅

• Page renders correctly — page title, sidebar entry ("CI/CD pipelines"), and all sections display as expected
• All 5 internal links return HTTP 200 — /deployment/deployment-state-caching/, /deployment/azure/aca-deployment-aspire-cli/, /deployment/azure/azure-security-best-practices/, /deployment/overview/, /reference/cli/commands/aspire-deploy/
• dotnet-version: '10.x' confirmed visible in rendered GitHub Actions workflow (b3eb860)
• azurecli code block language — produces the same existing warning as aca-deployment-aspire-cli.mdx, which uses the same language identifier; consistent with existing docs
• No broken MDX syntax, no unused imports, no casual language

Screenshots from the live dev server: the page title, the Cosmos DB principalType explanation, and the dotnet-version: '10.x' line are all correctly rendered.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• centralus-2.in.applicationinsights.azure.com
  • Triggering command: /home/REDACTED/.aspire/bin/aspire /home/REDACTED/.aspire/bin/aspire config set -g channel daily (dns block)
  • Triggering command: /home/REDACTED/.aspire/bin/aspire /home/REDACTED/.aspire/bin/aspire run --non-interactive --project /home/REDACTED/work/aspire.dev/aspire.dev/src/apphost/Aspire.Dev.AppHost/Aspire.Dev.AppHost.csproj --log-file /home/REDACTED/.aspire/logs/cli_20260223T000104812_detach-child_6b11857adbf14bc0b344be1437b8c65c.log (dns block)
  • Triggering command: /home/REDACTED/.aspire/bin/aspire aspire run --detach (dns block)
• telemetry.astro.build
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/aspire.dev/aspire.dev/src/frontend/node_modules/.bin/../astro/astro.js dev (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)