fix: replace tailscale authkey use with oauth

This commit is contained in:
Rasmus Wejlgaard 2026-04-26 17:28:47 +01:00
parent e9fbd41cb4
commit 64c85854b9
2 changed files with 20 additions and 10 deletions


@ -8,9 +8,10 @@ on:
- 'terraform/**' - 'terraform/**'
# Requires these repository secrets: # Requires these repository secrets:
# TAILSCALE_AUTHKEY — Tailscale auth key for mesh access # TAILSCALE_CLIENT_ID — Tailscale OAuth client ID (federated identity)
# SSH_PRIVATE_KEY — SSH key authorized on target hosts # TAILSCALE_AUDIENCE — Tailscale federated identity audience
# AGE_SECRET_KEY — age private key for SOPS decryption # SSH_PRIVATE_KEY — SSH key authorized on target hosts
# AGE_SECRET_KEY — age private key for SOPS decryption
jobs: jobs:
discover: discover:
@ -32,6 +33,8 @@ jobs:
name: Deploy → ${{ matrix.host }} name: Deploy → ${{ matrix.host }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
environment: production environment: production
permissions:
id-token: write
strategy: strategy:
matrix: matrix:
host: ${{ fromJson(needs.discover.outputs.hosts) }} host: ${{ fromJson(needs.discover.outputs.hosts) }}
@ -40,9 +43,11 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Set up Tailscale - name: Set up Tailscale
uses: tailscale/github-action@v3 uses: tailscale/github-action@v4
with: with:
authkey: ${{ secrets.TAILSCALE_AUTHKEY }} oauth-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
audience: ${{ secrets.TAILSCALE_AUDIENCE }}
tags: tag:ci
- name: Set up SSH key - name: Set up SSH key
run: | run: |
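Review bot: The job-level `permissions:` block added at lines 24–25 (and identically at lines 55–56 of the second workflow) lists only `id-token: write`, and GitHub sets every scope not named in a job-level `permissions` block to `none`, so the job's `GITHUB_TOKEN` loses `contents` access; `actions/checkout@v4` on the first line of the next hunk will then fail on a private repository, and any later step that reads the repository through that token is affected the same way. Declare the read scope explicitly: `permissions:` / `  id-token: write` / `  contents: read`. Keeping the block this small is the right least-privilege shape for an OIDC exchange plus a checkout, but the read scope has to be stated rather than assumed. The job's definition starts before and continues after this hunk.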


@ -18,9 +18,10 @@ on:
default: true default: true
# Requires these repository secrets: # Requires these repository secrets:
# TAILSCALE_AUTHKEY — Tailscale auth key for mesh access # TAILSCALE_CLIENT_ID — Tailscale OAuth client ID (federated identity)
# SSH_PRIVATE_KEY — SSH key authorized on target hosts # TAILSCALE_AUDIENCE — Tailscale federated identity audience
# AGE_SECRET_KEY — age private key for SOPS decryption # SSH_PRIVATE_KEY — SSH key authorized on target hosts
# AGE_SECRET_KEY — age private key for SOPS decryption
jobs: jobs:
prepare: prepare:
@ -48,6 +49,8 @@ jobs:
name: Deploy ${{ inputs.playbook }} → ${{ matrix.host }} name: Deploy ${{ inputs.playbook }} → ${{ matrix.host }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
environment: production # requires manual approval in repo settings environment: production # requires manual approval in repo settings
permissions:
id-token: write
strategy: strategy:
matrix: matrix:
host: ${{ fromJson(needs.prepare.outputs.hosts) }} host: ${{ fromJson(needs.prepare.outputs.hosts) }}
@ -56,9 +59,11 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Set up Tailscale - name: Set up Tailscale
uses: tailscale/github-action@v3 uses: tailscale/github-action@v4
with: with:
authkey: ${{ secrets.TAILSCALE_AUTHKEY }} oauth-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
audience: ${{ secrets.TAILSCALE_AUDIENCE }}
tags: tag:ci
- name: Set up SSH key - name: Set up SSH key
run: | run: |
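Review bot: `uses: tailscale/github-action@v4` at line 63 (and line 32 of the first workflow) references a mutable major-version tag, yet this is the step that now receives the job's OIDC token (`id-token: write`) and the OAuth client id and turns them into tailnet access, so a moved tag would run different code with those credentials. Pin to a full commit SHA and keep the version as a trailing comment, `uses: tailscale/github-action@<full-commit-sha>  # v4`, and let a dependency bot advance it. The `tags: tag:ci` line presumably names the tag the OAuth client is permitted to mint; it is worth confirming that the client's scope and the tailnet ACL entry for `tag:ci` reach only the SSH targets these playbooks deploy to, since the ephemeral node is what the following SSH step rides on. The job's definition starts before and continues after this hunk.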