diff --git a/.github/workflows/infra.yaml b/.github/workflows/infra.yaml
new file mode 100644
index 0000000..1815026
--- /dev/null
+++ b/.github/workflows/infra.yaml
@@ -0,0 +1,29 @@
+name: infra
+
+on:
+  push:
+    paths:
+      - infra/**
+  workflow_dispatch:
+
+jobs:
+  infra:
+    strategy:
+      matrix:
+        platform: [ubuntu-latest]
+    runs-on: ${{ matrix.platform }}
+    steps:
+      - name: Log into Azure
+        uses: azure/login@v2
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Azure CLI script file
+        uses: azure/cli@v2
+        with:
+          inlineScript: |
+            cd infra
+            make ci-test RESOURCE_GROUP_NAME=${{ secrets.AZURE_RG }}
diff --git a/README.md b/README.md
index 90e4060..e6fcea4 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
 [![test](https://github.com/ks6088ts-labs/azure-ai-services-solutions/actions/workflows/test.yaml/badge.svg?branch=main)](https://github.com/ks6088ts-labs/azure-ai-services-solutions/actions/workflows/test.yaml?query=branch%3Amain)
+[![infra](https://github.com/ks6088ts-labs/azure-ai-services-solutions/actions/workflows/infra.yaml/badge.svg?branch=main)](https://github.com/ks6088ts-labs/azure-ai-services-solutions/actions/workflows/infra.yaml?query=branch%3Amain)
 [![docker](https://github.com/ks6088ts-labs/azure-ai-services-solutions/actions/workflows/docker.yaml/badge.svg?branch=main)](https://github.com/ks6088ts-labs/azure-ai-services-solutions/actions/workflows/docker.yaml?query=branch%3Amain)
 [![docker-release](https://github.com/ks6088ts-labs/azure-ai-services-solutions/actions/workflows/docker-release.yaml/badge.svg)](https://github.com/ks6088ts-labs/azure-ai-services-solutions/actions/workflows/docker-release.yaml)
 
diff --git a/infra/Makefile b/infra/Makefile
index 6faffba..62188d8 100644
--- a/infra/Makefile
+++ b/infra/Makefile
@@ -83,3 +83,19 @@ deploy: create-resource-group deployment-what-if deployment-create ## deploy res
 
 .PHONY: destroy
 destroy: delete-resource-group ## destroy resources
+
+# Generate deployment credentials: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-github-actions?tabs=userlevel%2CCLI#generate-deployment-credentials
+.PHONY: create-for-rbac
+create-for-rbac: ## create service principal for RBAC
+	az ad sp create-for-rbac \
+		--name test-baseline-environment-on-azure-bicep \
+		--role contributor \
+		--scopes /subscriptions/$(SUBSCRIPTION_ID)/resourceGroups/$(RESOURCE_GROUP_NAME) \
+		--sdk-auth > $(OUT_DIR)/azure-credentials.json
+
+# Configure the GitHub secrets: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-github-actions?tabs=userlevel%2CCLI#configure-the-github-secrets
+.PHONY: configure-github-secrets
+configure-github-secrets: ## configure GitHub secrets
+	gh secret set AZURE_CREDENTIALS < $(OUT_DIR)/azure-credentials.json
+	gh secret set AZURE_SUBSCRIPTION --body $(SUBSCRIPTION_ID)
+	gh secret set AZURE_RG --body $(RESOURCE_GROUP_NAME)