Enterprise-grade Azure integration

How content authored in the Meno editor reaches your GitHub repository, and how staging and production branches are wired to Azure so each push deploys to the right environment.

Talk to Us

The big picture

The Meno desktop app pushes commits to GitHub over HTTPS. GitHub Actions builds the project and deploys to Azure. Meno is never in the deployment path — your security and audit story is the standard GitHub + Azure story.

Meno (desktop)

Edits JSON pages, templates, and CMS items locally. Authenticates each user to GitHub via OAuth and pushes commits over HTTPS.

GitHub repo

The source of truth. Branches are environments — staging for QA, production for live. Branch protection and SSO apply as usual.

Azure hosting

Pulls from GitHub via GitHub Actions. Static Web Apps or App Service serves the built dist/ directory at your staging and production URLs.

  • The GitHub repository is the source of truth — every page, template, and CMS item is plain JSON committed to git

  • Meno is a thin client — the editor runs locally and pushes on behalf of the signed-in user

  • Azure does not talk to Meno — it pulls from GitHub like any other static site

GitHub authentication

OAuth Device Flow, per user

Meno authenticates each editor to GitHub using OAuth Device Flow with the scopes repo, user:email, and read:org. There is no shared service account.

  • Meno requests a short user code from GitHub's device endpoint

  • The user opens github.com/login/device, pastes the code, and approves the requested scopes

  • GitHub returns a personal access token bound to that user

  • The token is stored locally, encrypted with the OS keychain (macOS Keychain, Windows DPAPI, Linux libsecret) — it never leaves the user's machine

  • All git operations (clone, fetch, push) use that token over HTTPS

What IT controls

Org policy

Approve the Meno OAuth App at the GitHub organization level. Until approval, users can only push to their personal repos.

SSO / SAML

If your org enforces SAML SSO, users authorize their token for the org once in GitHub settings — same flow as any other OAuth app.

Branch protection

Configure branch protection on main (and staging if needed) to require PRs, reviews, and status checks. Pushes that violate protection are rejected by GitHub.

Revocation

Disconnecting the user in GitHub or in Meno (Settings → Disconnect GitHub) immediately invalidates the token.

Repository layout

A Meno project is a regular git repository. The shape relevant to IT:

  • pages/ — JSON, one file per static page

  • templates/ — JSON, one per CMS-driven page template

  • cms/ — JSON content items organized by collection

  • components/ — reusable component definitions

  • project.config.json — site config: domains, locales, CSP, fonts

  • package.json — build scripts (bun run build)

  • dist/ — build output, usually .gitignored

The build command is the same locally and in CI: bun install followed by bun run build. It produces a fully static dist/ directory of HTML, CSS, JS, and assets — that's what Azure serves.

Branch model

Staging and production

We recommend a two-branch model. It maps cleanly onto two Azure environments and onto Meno's branch switcher.

staging branch

Editor preview and QA. Deploys to the Azure staging environment for internal reviewers.

  • Default branch in Meno's editor

  • Stable preview URL on Azure

  • Reviewers verify before promotion

production branch

The live site. Updated by merging a PR from staging once review is complete.

  • Branch protection requires PR + review

  • Deploys to your public domain

Recommended flow: editor saves in Meno → Meno pushes staging to GitHub → Azure deploys staging within minutes → reviewers verify → PR from staging to main is merged → production deploys. Branch names aren't special — match whatever convention you use, just align it with the workflow's push filters.

Azure setup

Azure Static Web Apps has a built-in GitHub integration. Create the app in the Azure portal, point it at your repo and branch, and Azure handles the rest — it commits a GitHub Actions workflow to your repo, stores the deployment token as a GitHub secret, and from then on every push deploys automatically.

Staging and production are just two branches mapped to two environments. Add custom domains in the portal — TLS is automatic. Pull requests get ephemeral preview URLs.

Secrets and what lives where

The flow has one credential the customer actually controls: the editor's GitHub OAuth token, stored encrypted in the OS keychain on their machine. It never leaves the device.

Azure's deployment token is generated and stored automatically when the GitHub integration is set up — it lives as a secret in your repo and is used only by the auto-generated Actions workflow. Nothing to copy, paste, or rotate manually.

If Meno is removed tomorrow, the same repository keeps building and deploying. There are no Meno-managed secrets in this flow.

Audit, rollback, access removal

Audit trail

Every content change is a git commit authored by the editor's GitHub identity. git log shows who changed what and when. GitHub's org audit log captures pushes and PR reviews.

Rollback

git revert on main — the next workflow run redeploys the older content. No data migration, no Meno involvement.

Removing an editor

Remove their access in GitHub. Their next push fails. Optionally have them click Disconnect GitHub in Meno to wipe the local token.

DDoS protection and WAF

What you get for free

Static Web Apps and App Service sit behind Azure's global edge, which includes Azure Basic DDoS Protection at no cost. It handles network and transport-layer (L3/L4) volumetric and protocol attacks on the platform itself — you don't configure it, it's just on. For a fully static site with no database, no auth surface, and no expensive backend to exhaust, this baseline is enough for most enterprise rollouts.

When to step up

Front Door + WAF

Application-layer (L7) protection: rate limiting per IP, OWASP managed rules, bot rules, geo-blocking. The right next step for most enterprises.

DDoS Protection Standard

Justified for regulated workloads, public VIPs you control, or a credible threat model — financial services, government, frequently-targeted brands. Overkill for a marketing site.

Dynamic endpoints

If you later add forms, auth, or server-rendered routes, revisit. That's where rate limiting and WAF rules start earning their keep.

Pricing

Approximate monthly costs — verify with the Azure Pricing Calculator before committing. Regional and usage variations apply.

Front Door Standard

~$35/month base fee. CDN, global routing, custom domains. WAF available as an add-on.

  • Outbound data transfer: ~$0.08–0.20/GB by region

  • Requests: ~$0.009 per 10k requests

  • WAF policy: ~$5/month

  • Custom WAF rules: ~$1/rule/month

  • Managed rule sets: ~$20/month

  • WAF requests: ~$0.60 per million

Front Door Premium

~$330/month base fee. Everything in Standard plus WAF managed rule sets, bot protection, and Private Link to origin — bundled, no per-policy add-ons.

  • WAF (managed rules + bot protection) included

  • Private Link to origin

  • Outbound data transfer billed separately

  • Pick this if WAF requests in Standard would otherwise add up

Realistic monthly bill

For a typical marketing site (≈100 GB egress, ≈2M requests per month):

  • Front Door Standard + WAF add-on: ~$75–100/month

  • Front Door Premium (WAF included): ~$340–360/month

  • DDoS Protection Standard: ~$2,944/month

Our recommendation

Start with Static Web Apps default protection plus Front Door Standard with WAF in Prevention mode and a sensible rate-limit rule (e.g. 100 req/min/IP on non-asset paths). That covers ~95% of realistic threats at low cost. Move to Front Door Premium when bundled bot protection or Private Link become worthwhile, and reserve DDoS Protection Standard for when there's a specific reason to buy it.

FAQ

Does Meno run any backend service we have to host?

No. The desktop app talks directly to GitHub, and GitHub talks directly to Azure. There is no Meno-operated server in the data path.

Where does content live if Meno is offline?

In the GitHub repository. The desktop editor is just an authoring UI on top of git — nothing about hosting or deployment depends on Meno being reachable.

Can we use GitHub Enterprise Server (self-hosted)?

Yes, as long as the OAuth Device Flow endpoints and REST API are reachable from editor machines. Configure the Enterprise hostname in Meno when prompted.

Can we use Azure DevOps Pipelines instead of GitHub Actions?

Yes. Point an Azure Pipelines YAML at the same repo. The build step (bun install && bun run build) and deploy target (dist/) are identical; only the YAML syntax changes.

Can editors push directly to main?

Only if branch protection allows it. We strongly recommend requiring a PR from staging so production deploys are always reviewed.

Want to walk through this with our team?

We'll review your GitHub org policies, Azure environment, and branch model with you, and help you stand up the workflow end to end.

Contact Sales

Building the future of digital experiences, one website at a time

© 2026 Company. All rights reserved.

  • Privacy policy
  • Terms of Service