Closed pilif closed 1 year ago
(in productive use for deploying my landing-page here: https://github.com/pilif/pilif.me/actions/runs/4945690968)
Hey, thanks for the contribution! We're actually in the process of adding OAuth support a slightly different way.
Starting in 1.40, tailscale up will accept an OAuth client secret as the authkey, and will do all of the key exchange behind the scenes. It's still a bit experimental, so you have to set the TS_EXPERIMENT_OAUTH_AUTHKEY environment variable. So for right now, you can use OAuth keys with something like:
- name: Tailscale
  uses: tailscale/github-action@main
  env:
    TS_EXPERIMENT_OAUTH_AUTHKEY: true
  with:
    authkey: ${{ secrets.TS_OAUTH_CLIENT_SECRET }}
    version: 1.40.0
    args: --advertise-tags tag:tagname
In the future, we'll drop the experimental env variable and you can remove that from the config.
Implemented in https://github.com/tailscale/github-action/pull/71
This PR fixes #59
When using OAuth authentication, the generated authkey will be tailnet-owned and thus a tag needs to be provided, so providing a tag is mandatory when using OAuth Authentication.
Currently only one tag is supported - I'm not good enough at shell escaping to do multiple tags in a reliable way (😈), but if somebody wants to add more in the future: feel free, of course.
One commit switches to OAuth auth explicitly, and a followup commit re-adds support for authkey, though, TBH, that's not so useful given the limited lifetime of authkeys, but to honor backwards compatibility, why not keep it?
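The key exchange discussed in this thread, as an added example that is not code from this PR or from the Tailscale action: it trades OAuth client credentials for an access token, then requests a single-use, ephemeral auth key carrying one or more tags, building the request with a JSON serializer so that multiple tags need no shell quoting. The function names, the comma-separated tag input, the tag pattern, the 300-second expiry and the injectable `post` transport are assumptions made for the illustration.

```python
import json
import re
import urllib.parse
import urllib.request

API = "https://api.tailscale.com/api/v2"
# Assumption: conservative tag shape ("tag:" + letter, then letters/digits/dashes).
TAG_RE = re.compile(r"^tag:[A-Za-z][A-Za-z0-9-]*$")


def parse_tags(raw):
    """Split a comma-separated tag list and reject anything that is not a tag."""
    tags = [t.strip() for t in raw.split(",") if t.strip()]
    if not tags:
        raise ValueError("OAuth-created keys are tailnet-owned: at least one tag is required")
    bad = [t for t in tags if not TAG_RE.match(t)]
    if bad:
        raise ValueError(f"invalid tag(s): {bad!r}")
    return tags


def key_request(tags, expiry_seconds=300):
    """JSON body for POST /tailnet/-/keys: single-use, ephemeral, pre-approved."""
    create = {"reusable": False, "ephemeral": True, "preauthorized": True, "tags": tags}
    return json.dumps({"capabilities": {"devices": {"create": create}},
                       "expirySeconds": expiry_seconds})


def _post(url, body, headers):
    """Default transport: POST the body and decode the JSON response."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def mint_authkey(client_id, client_secret, raw_tags, post=_post):
    """Exchange OAuth client credentials for a token, then create a tagged auth key."""
    tags = parse_tags(raw_tags)  # validate first, before any secret leaves the runner
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret})
    token = post(f"{API}/oauth/token", form,
                 {"Content-Type": "application/x-www-form-urlencoded"})["access_token"]
    created = post(f"{API}/tailnet/-/keys", key_request(tags),
                   {"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    return created["key"]
```

Keeping the key non-reusable, ephemeral and short-lived limits what a leaked key from a CI log can do; the OAuth client secret itself stays in the repository's secrets store.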