fix expired tailscale authkey

cottand · Jan 19, 2025 · 72c3481 · 72c3481
1 parent 63f054a
commit 72c3481
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 8 deletions.
diff --git a/.github/actions/setup-build-env/action.yml b/.github/actions/setup-build-env/action.yml
@@ -1,8 +1,8 @@
 name: 'Setup build environment'
 description: 'Sets up an environment with Nix and attic caching. Requires having run checkout'
 inputs:
-  tailscale_authkey:  # id of input
-    description: 'Tailscale authentication key'
+  tailscale_oauth_clientsecret:
+    description: 'Tailscale oauth client secret'
     required: true
   caCertificate:
     description: 'Base64 encoded CA certificate the server certificate was signed with. Defaults to CAs provided by Mozilla'
@@ -21,7 +21,10 @@ runs:
     - name: Setup Tailscale
       uses: tailscale/github-action@main
       with:
-        authkey: ${{ inputs.tailscale_authkey }}
+        oauth-client-id: 'kxzMdK4AQT11CNTRL'
+        oauth-secret: ${{ inputs.tailscale_oauth_clientsecret }}
+        tags: ['ci-gha']
+
 
     - name: Import Secrets
       id: secrets

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -24,7 +24,7 @@ jobs:
         name: Set up build env
         with:
           caCertificate: ${{ secrets.DCOTTA_ROOT_CA }}
-          tailscale_authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
+          tailscale_oauth_clientsecret: ${{ secrets.TAILSCALE_OAUTH_CLIENTSECRET }}
       - name: Flake check
         run: |
           # runs checks by default

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -38,7 +38,7 @@ jobs:
         name: Set up build env
         with:
           caCertificate: ${{ secrets.DCOTTA_ROOT_CA }}
-          tailscale_authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
+          tailscale_oauth_clientsecret: ${{ secrets.TAILSCALE_OAUTH_CLIENTSECRET }}
       - name: Build package ${{ matrix.package }}
         continue-on-error: false
         run: |
@@ -75,7 +75,7 @@ jobs:
         name: Set up build env
         with:
           caCertificate: ${{ secrets.DCOTTA_ROOT_CA }}
-          tailscale_authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
+          tailscale_oauth_clientsecret: ${{ secrets.TAILSCALE_OAUTH_CLIENTSECRET }}
           aarch64LinuxSupport: true
       - name: Build NixOS config for ${{ matrix.node }}
         run: |
@@ -93,7 +93,7 @@ jobs:
         name: Set up build env
         with:
           caCertificate: ${{ secrets.DCOTTA_ROOT_CA }}
-          tailscale_authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
+          tailscale_oauth_clientsecret: ${{ secrets.TAILSCALE_OAUTH_CLIENTSECRET }}
 
       - name: Import Secrets
         id: secrets
@@ -134,7 +134,7 @@ jobs:
         name: Set up build env
         with:
           caCertificate: ${{ secrets.DCOTTA_ROOT_CA }}
-          tailscale_authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
+          tailscale_oauth_clientsecret: ${{ secrets.TAILSCALE_OAUTH_CLIENTSECRET }}
 
       - name: Build services image
         run: |

diff --git a/terraform/ci/web.tf b/terraform/ci/web.tf
@@ -5,6 +5,10 @@ resource "tailscale_tailnet_key" "github_actions" {
   preauthorized = true
 }
 
+// data github secret for tailscale oauth client are clickops'd
+// client-id: kxzMdK4AQT11CNTRL
+// in TAILSCALE_OAUTH_CLIENTID, TAILSCALE_OAUTH_CLIENTSECRET
+
 
 resource "github_actions_secret" "tailscale_authkey" {
   repository  = "selfhosted"