fix: replace tailscale authkey use with oauth (#76)

This commit is contained in:
Rasmus Wejlgaard 2026-04-26 17:30:15 +01:00 committed by GitHub
parent e9fbd41cb4
commit 1c6784eade
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 20 additions and 10 deletions


@ -8,7 +8,8 @@ on:
- 'terraform/**'
# Requires these repository secrets:
# TAILSCALE_AUTHKEY — Tailscale auth key for mesh access
# TAILSCALE_CLIENT_ID — Tailscale OAuth client ID (federated identity)
# TAILSCALE_AUDIENCE — Tailscale federated identity audience
# SSH_PRIVATE_KEY — SSH key authorized on target hosts
# AGE_SECRET_KEY — age private key for SOPS decryption
@ -32,6 +33,8 @@ jobs:
name: Deploy → ${{ matrix.host }}
runs-on: ubuntu-latest
environment: production
permissions:
id-token: write
strategy:
matrix:
host: ${{ fromJson(needs.discover.outputs.hosts) }}
@ -40,9 +43,11 @@ jobs:
- uses: actions/checkout@v4
- name: Set up Tailscale
uses: tailscale/github-action@v3
uses: tailscale/github-action@v4
with:
authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
oauth-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
audience: ${{ secrets.TAILSCALE_AUDIENCE }}
tags: tag:ci
- name: Set up SSH key
run: |
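Review bot: The job-level `permissions:` block added in the second hunk lists only `id-token: write`, and once a permissions block is declared at job level every scope it does not name is set to `none`, so the `actions/checkout@v4` step in the third hunk runs with a `GITHUB_TOKEN` that has no `contents: read`; whether that breaks the checkout depends on the repository's visibility, but the least-privilege set the OIDC exchange actually needs is `permissions:` / `  contents: read` / `  id-token: write`. The same job in the second file's corresponding hunk has the identical gap. Separately, `uses: tailscale/github-action@v4` pins a mutable major tag for a step that is handed a federated identity and joins the tailnet; pinning to the full commit SHA with the version in a trailing comment would make the action's supply chain auditable. The `# Requires these repository secrets:` comment could also note that with federated identity the OAuth client is authorised by the `tag:ci` tag, so the ACL on that tag — not a stored key — is now what bounds this job's network access. The step list continues past the hunk.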


@ -18,7 +18,8 @@ on:
default: true
# Requires these repository secrets:
# TAILSCALE_AUTHKEY — Tailscale auth key for mesh access
# TAILSCALE_CLIENT_ID — Tailscale OAuth client ID (federated identity)
# TAILSCALE_AUDIENCE — Tailscale federated identity audience
# SSH_PRIVATE_KEY — SSH key authorized on target hosts
# AGE_SECRET_KEY — age private key for SOPS decryption
@ -48,6 +49,8 @@ jobs:
name: Deploy ${{ inputs.playbook }} → ${{ matrix.host }}
runs-on: ubuntu-latest
environment: production # requires manual approval in repo settings
permissions:
id-token: write
strategy:
matrix:
host: ${{ fromJson(needs.prepare.outputs.hosts) }}
@ -56,9 +59,11 @@ jobs:
- uses: actions/checkout@v4
- name: Set up Tailscale
uses: tailscale/github-action@v3
uses: tailscale/github-action@v4
with:
authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
oauth-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
audience: ${{ secrets.TAILSCALE_AUDIENCE }}
tags: tag:ci
- name: Set up SSH key
run: |