diff --git a/.github/workflows/deploy-on-merge.yml b/.github/workflows/deploy-on-merge.yml index 538b5e3..18d8e03 100644 --- a/.github/workflows/deploy-on-merge.yml +++ b/.github/workflows/deploy-on-merge.yml @@ -8,9 +8,10 @@ on: - 'terraform/**' # Requires these repository secrets: -# TAILSCALE_AUTHKEY — Tailscale auth key for mesh access -# SSH_PRIVATE_KEY — SSH key authorized on target hosts -# AGE_SECRET_KEY — age private key for SOPS decryption +# TAILSCALE_CLIENT_ID — Tailscale OAuth client ID (federated identity) +# TAILSCALE_AUDIENCE — Tailscale federated identity audience +# SSH_PRIVATE_KEY — SSH key authorized on target hosts +# AGE_SECRET_KEY — age private key for SOPS decryption jobs: discover: @@ -32,6 +33,8 @@ jobs: name: Deploy → ${{ matrix.host }} runs-on: ubuntu-latest environment: production + permissions: + id-token: write strategy: matrix: host: ${{ fromJson(needs.discover.outputs.hosts) }} @@ -40,9 +43,11 @@ jobs: - uses: actions/checkout@v4 - name: Set up Tailscale - uses: tailscale/github-action@v3 + uses: tailscale/github-action@v4 with: - authkey: ${{ secrets.TAILSCALE_AUTHKEY }} + oauth-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }} + audience: ${{ secrets.TAILSCALE_AUDIENCE }} + tags: tag:ci - name: Set up SSH key run: | diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index bc08d88..8f0af31 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -18,9 +18,10 @@ on: default: true # Requires these repository secrets: -# TAILSCALE_AUTHKEY — Tailscale auth key for mesh access -# SSH_PRIVATE_KEY — SSH key authorized on target hosts -# AGE_SECRET_KEY — age private key for SOPS decryption +# TAILSCALE_CLIENT_ID — Tailscale OAuth client ID (federated identity) +# TAILSCALE_AUDIENCE — Tailscale federated identity audience +# SSH_PRIVATE_KEY — SSH key authorized on target hosts +# AGE_SECRET_KEY — age private key for SOPS decryption jobs: prepare: 
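Review bot: The retired `TAILSCALE_AUTHKEY` secret disappears from the header comment, but nothing in the commit says the key itself should be deleted from the repository settings and revoked in the Tailscale admin console; a leftover long-lived auth key remains readable to any workflow in this repo and is the main thing the migration to federated identity is supposed to eliminate. With OIDC the security boundary moves to Tailscale's trust policy, so the header should record what that policy has to enforce, e.g. `# The Tailscale federated identity must be restricted to this repo's OIDC subject (repository + production environment) and permitted to own tag:ci`. Neither the OAuth client ID nor the audience is confidential in this flow, so listing them under "Requires these repository secrets" is slightly misleading; either say so in the comment or move them to repository variables (`vars.`).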
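Review bot: Declaring `permissions:` at the job level resets every permission not listed to `none`, so the `actions/checkout@v4` step later in this same job now runs with a GITHUB_TOKEN that no longer carries `contents: read`; on a private repository the checkout will fail, and on a public one it presumably succeeds only because the contents are anonymously readable. Make the read permission explicit: `permissions:\n  id-token: write\n  contents: read`. Scoping `id-token: write` to the deploy job rather than the whole workflow is the right call, since it keeps the OIDC token away from the `discover` job.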
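Review bot: `tailscale/github-action@v4` (like `actions/checkout@v4` above it) is pinned to a mutable major tag; for a step that joins the tailnet as `tag:ci` in the same job that later loads the SSH private key and the age key, pin to a full commit SHA and keep the version in a comment, `uses: tailscale/github-action@<commit-sha>  # v4`. `tags: tag:ci` only takes effect if the tailnet ACL's tagOwners lets the federated identity own `tag:ci`, and that ACL entry — not the workflow — decides which hosts and ports the runner can reach, so it should be limited to the deploy targets' SSH port. The `Set up SSH key` step starts inside the hunk but its `run:` body continues past it.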
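Review bot: The header lists `TAILSCALE_CLIENT_ID` and `TAILSCALE_AUDIENCE` under "Requires these repository secrets", but neither value is confidential in the federated-identity flow — the credential is the short-lived OIDC token GitHub issues to the job — so a reader may over-protect these and miss that the real control is the trust policy on the Tailscale side. Reword the heading to something like `# Requires these repository secrets/variables (client ID and audience are identifiers, not secrets):`, or move the two to repository variables. The retired `TAILSCALE_AUTHKEY` should be deleted from the repository and revoked in Tailscale once both workflows are migrated, since the diff drops its use but not the key itself.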
@@ -48,6 +49,8 @@ jobs: name: Deploy ${{ inputs.playbook }} → ${{ matrix.host }} runs-on: ubuntu-latest environment: production # requires manual approval in repo settings + permissions: + id-token: write strategy: matrix: host: ${{ fromJson(needs.prepare.outputs.hosts) }} @@ -56,9 +59,11 @@ jobs: - uses: actions/checkout@v4 - name: Set up Tailscale - uses: tailscale/github-action@v3 + uses: tailscale/github-action@v4 with: - authkey: ${{ secrets.TAILSCALE_AUTHKEY }} + oauth-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }} + audience: ${{ secrets.TAILSCALE_AUDIENCE }} + tags: tag:ci - name: Set up SSH key run: |
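Review bot: A job-level `permissions:` block sets every permission it does not name to `none`, so the `actions/checkout@v4` step further down this job loses `contents: read` on its GITHUB_TOKEN; on a private repository that checkout will fail, and on a public one it presumably only works because the repo is anonymously readable. Add it alongside the new grant: `permissions:\n  id-token: write\n  contents: read`. Keeping `id-token: write` on the deploy job only, rather than at workflow level, is correct — the `prepare` job has no reason to mint an OIDC token.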
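Review bot: `tailscale/github-action@v4` is pinned to a mutable major tag in a job that is gated by a manual `production` approval and then loads `SSH_PRIVATE_KEY` and `AGE_SECRET_KEY`; a compromised or retagged action here would run with tailnet access and both keys, so pin to a full commit SHA, `uses: tailscale/github-action@<commit-sha>  # v4`, and do the same for `actions/checkout@v4`. The `tags: tag:ci` line is only honoured if the tailnet ACL's tagOwners grants the federated identity ownership of `tag:ci`, and that ACL — not this workflow — bounds what the runner can reach, so it should allow only SSH to the deploy targets. The `Set up SSH key` step opens at the end of the hunk and its `run:` body lies outside it.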