diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml
new file mode 100644
index 0000000..c87fbdb
--- /dev/null
+++ b/.github/workflows/azure-dev.yml
@@ -0,0 +1,42 @@
+name: Deploy to Azure with azd
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ main ]
+
+# Set up permissions for deploying with secretless Azure federated credentials
+# https://learn.microsoft.com/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#set-up-azure-login-with-openid-connect-authentication
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ env:
+ AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+ AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+ AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+ AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
+ AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+
+ - name: Install azd
+ uses: Azure/setup-azd@v2
+
+ - name: Log in with Azure (Federated Credentials)
+ run: |
+ azd auth login \
+ --client-id "$AZURE_CLIENT_ID" \
+ --federated-credential-provider "github" \
+ --tenant-id "$AZURE_TENANT_ID"
+ shell: bash
+
+ - name: Provision Infrastructure
+ run: azd provision --no-prompt
+
+ - name: Deploy Application
+ run: azd deploy --no-prompt
diff --git a/AGENTS.md b/AGENTS.md
index 0ba6330..e782e24 100644
--- a/AGENTS.md
+++ b/AGENTS.md
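Review bot: Both `uses:` lines in azure-dev.yml reference mutable tags (`actions/checkout@v5`, `Azure/setup-azd@v2`) in a job that runs with `id-token: write`, so whatever code those tags resolve to at run time executes in a job that can request the OIDC token `azd auth login` exchanges for Azure access. Pin each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v5` (placeholder; take the SHA from the action's release page). The `build` job also declares no `environment:` or `concurrency:` key, so every push to main provisions immediately and two pushes close together can run `azd provision` in parallel. Adding `concurrency: azure-dev` and a protected environment would gate that, provided the federated credential's subject is updated to match the environment.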
@@ -114,6 +114,13 @@ These scripts are automatically run by `azd provision` via the `azure.yaml` post - Uses: uv for setup, requires models: read permission - Sets: `API_HOST=github`, `GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}`, `GITHUB_MODEL=openai/gpt-4o-mini` +**`azure-dev.yml` - Azure Infrastructure Provisioning and Deployment:** +- Runs on: push to main, workflow_dispatch +- Provisions and deploys Azure infrastructure using Azure Developer CLI (azd) +- Uses: Azure federated credentials (OIDC) for authentication +- Required variables: `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_ENV_NAME`, `AZURE_LOCATION` +- Steps: checkout, install azd, login with federated credentials, provision infrastructure, deploy application + ### Dev Container Files (.devcontainer/) - `.devcontainer/devcontainer.json` - Default dev container (Azure OpenAI setup with azd)