Stage 3 · Event-Driven Automation

Ship event-driven governance in minutes

Clone the reference repo, run setup-platform.ps1, and get Azure Functions, Key Vault wiring, and secure CI/CD automation online in about ten minutes.

  • Everything included: deployment script, GitHub Actions and Azure DevOps templates, plus hardened defaults.
  • Security-first pipelines enforce OIDC authentication, principle of least privilege, and zero stored secrets.
  • Smart routing steers each change to the right platform, environment, and orchestrator mode.

Everything you need ships in the repo

Zero-guess deployment

Run setup-platform.ps1 to provision Azure Functions, Event Grid, Storage, and Key Vault with the correct identities and permissions.

Automation templates

Drop-in workflows for GitHub Actions and Azure DevOps are bundled so you can pick your CI/CD platform without extra wiring.

Security baked in

OIDC workload identities replace PATs, managed identities secure Azure resources, and no secrets land in code or pipelines.

Launch the automation in about ten minutes

After cloning the reference repository, run the setup wizard and choose GitHub Actions, Azure DevOps, or both. The script provisions Azure resources and links your CI/CD provider automatically.

# From the reference repo root
pwsh ./setup-platform.ps1 -Platform GitHub

# Other options:
# pwsh ./setup-platform.ps1 -Platform AzureDevOps
# pwsh ./setup-platform.ps1 -Platform Both

# The wizard provisions:
# - Azure Function + Event Grid subscription
# - Key Vault with configuration secrets
# - GitHub Actions and/or Azure DevOps pipelines ready to run

One script, consistent environments

The deployment script applies the same baseline in test and production, so promoting changes is as easy as running it again with a different subscription or resource group.

Event-driven flow at a glance

1. Configuration lives in Key Vault

Your orchestrator JSON and secrets stay in Key Vault. Any update to a secret or config entry is the signal to evaluate drift.

2. Azure Function listens for changes

Event Grid triggers the Function, which reads the updated secret name and chooses the right workflow target and orchestrator mode.

3. Smart routing runs the pipeline

Secrets prefixed with gh- route the payload to GitHub Actions; those prefixed with ado- route it to Azure DevOps. Suffixes such as -test or -prod select the environment and the orchestrator mode (-WhatIf, -delta, or -initial), and every run executes with short-lived tokens and scoped permissions.

Smart routing keeps approvals and deployment aligned

Intent captured in naming

Secret names act as routing rules: choose the provider (GitHub or Azure DevOps) and environment (Test or Prod) by how you label the payload.

Context-aware orchestrator runs

The pipeline parameters adapt automatically: Test secrets trigger a WhatIf run, while production secrets switch to delta mode, or to initial mode for a first-time rollout.
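The routing rule from step 3 of the flow and from this section, worked through as an added example in Python (not code from the reference repo, whose Function language this page does not state): a constructed Key Vault Event Grid event is parsed, the secret name is split into platform prefix, payload name and environment suffix, and any name that does not match is rejected so an unrelated secret update never starts a pipeline. The name shape <gh|ado>-<name>-<test|prod>, the first_rollout flag that selects -initial over -delta, and the sample vault name are assumptions.

```python
"""Routing for the Stage 3 Azure Function: Key Vault secret name -> pipeline target."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the Event Grid event Key Vault emits when a secret gets a new version.
SAMPLE_EVENT = json.dumps({
    "eventType": "Microsoft.KeyVault.SecretNewVersionCreated",
    "subject": "gh-orchestrator-prod",
    "data": {"VaultName": "kv-example", "ObjectType": "Secret",
             "ObjectName": "gh-orchestrator-prod", "Version": "0123abcd"},
})

PLATFORMS = {"gh": "GitHubActions", "ado": "AzureDevOps"}   # prefix -> CI/CD target
ENVIRONMENTS = {"test": "Test", "prod": "Prod"}            # suffix -> environment
HANDLED_EVENT = "Microsoft.KeyVault.SecretNewVersionCreated"

@dataclass(frozen=True)
class Route:
    platform: str
    environment: str
    mode: str  # -WhatIf, -delta or -initial

def route_secret(name: str, first_rollout: bool = False) -> Route:
    """Derive platform, environment and orchestrator mode from a secret name.

    Assumed shape: <gh|ado>-<name>-<test|prod>. Anything else is rejected so an
    unrelated secret update can never start a pipeline (fail closed).
    """
    parts = name.lower().split("-")
    if len(parts) < 3 or parts[0] not in PLATFORMS or parts[-1] not in ENVIRONMENTS:
        raise ValueError(f"secret name {name!r} is not a routing name")
    env = ENVIRONMENTS[parts[-1]]
    if env == "Test":
        mode = "-WhatIf"  # test environments only preview changes
    else:
        mode = "-initial" if first_rollout else "-delta"  # first_rollout is an assumed flag
    return Route(PLATFORMS[parts[0]], env, mode)

def route_event(raw_event: str, first_rollout: bool = False) -> Optional[Route]:
    """Handle one Event Grid event; returns None for event types we do not act on."""
    event = json.loads(raw_event)
    if event.get("eventType") != HANDLED_EVENT:
        return None
    name = event["data"]["ObjectName"]
    # Event Grid's subject should agree with the object name; a mismatch means a malformed event.
    if event.get("subject") != name:
        raise ValueError("event subject does not match data.ObjectName")
    return route_secret(name, first_rollout)
```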

Security-focused hand-offs

Each run ships compliance-ready summaries that highlight token provenance and the scopes granted, and confirm that no static secrets were used.

Need to review Stage 2 first?

Event-driven success depends on well-governed templates and overrides. Ensure Stage 2 is running clean before automating enforcement.