# Action metadata shown in the Marketplace / workflow editor.
name: "Tailscale GitOps ACL Sync"
description: "Push changes to Tailscale ACLs and run ACL tests in CI (pre-compiled for speed)"
branding:
  icon: "shield"
  color: "blue"
# Inputs. Exactly one authentication method must be supplied: `api-key`,
# `oauth-client-id` + `oauth-secret`, or `oauth-client-id` + `audience`
# (the "Validate inputs" step below rejects zero or several methods).
inputs:
  tailnet:
    description: "Tailnet name (e.g. example.com, your-org.github)"
    required: true
  api-key:
    description: "Tailscale API key"
    required: false
  oauth-client-id:
    description: "Tailscale OAuth or OIDC Federated Identity Client ID"
    required: false
  oauth-secret:
    description: "Tailscale OAuth Secret"
    required: false
  audience:
    description: "Tailscale OIDC Federated Identity Audience"
    required: false
  policy-file:
    description: "Path to the policy file in the repository"
    required: true
    default: "./policy.hujson"
  action:
    description: "test or apply"
    required: true
  tailscale-release:
    description: "Tailscale release version to use"
    required: false
    # Quoted: an all-digit revision would otherwise be read as an integer.
    default: "b4d39e2fd92538384aa7388fdbeda0ec51973bfc"
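# Composite action: validate inputs, obtain (or build and cache) the
# gitops-pusher binary, optionally exchange a GitHub OIDC token, then run
# gitops-pusher against the policy file.
runs:
  using: "composite"
  steps:
    - name: Validate inputs
      shell: bash
      env:
        INPUT_TAILNET: ${{ inputs.tailnet }}
        INPUT_API_KEY: ${{ inputs.api-key }}
        INPUT_OAUTH_CLIENT_ID: ${{ inputs.oauth-client-id }}
        INPUT_OAUTH_SECRET: ${{ inputs.oauth-secret }}
        INPUT_AUDIENCE: ${{ inputs.audience }}
        INPUT_ACTION: ${{ inputs.action }}
      run: |
        set -euo pipefail
        # `required: true` on a composite-action input is not reliably
        # enforced by the runner, so an empty tailnet would only surface as
        # an API error from gitops-pusher; fail early with a clear message.
        if [[ -z "${INPUT_TAILNET}" ]]; then
          echo "::error::Input 'tailnet' must not be empty."
          exit 1
        fi
        if [[ "${INPUT_ACTION}" != "test" && "${INPUT_ACTION}" != "apply" ]]; then
          echo "::error::Invalid action '${INPUT_ACTION}'. Must be 'test' or 'apply'."
          exit 1
        fi
        # Exactly one complete authentication method is allowed. Count the
        # complete ones, then distinguish "nothing supplied" from "half of an
        # OAuth configuration supplied" so the error points at the real gap.
        auth_count=0
        if [[ -n "${INPUT_API_KEY}" ]]; then
          auth_count=$((auth_count + 1))
        fi
        if [[ -n "${INPUT_OAUTH_CLIENT_ID}" && -n "${INPUT_OAUTH_SECRET}" ]]; then
          auth_count=$((auth_count + 1))
        fi
        if [[ -n "${INPUT_OAUTH_CLIENT_ID}" && -n "${INPUT_AUDIENCE}" ]]; then
          auth_count=$((auth_count + 1))
        fi
        if [[ "${auth_count}" -eq 0 ]]; then
          if [[ -n "${INPUT_OAUTH_CLIENT_ID}" || -n "${INPUT_OAUTH_SECRET}" || -n "${INPUT_AUDIENCE}" ]]; then
            echo "::error::Incomplete OAuth configuration. Provide oauth-client-id together with either oauth-secret or audience."
          else
            echo "::error::No authentication method provided. Provide one of: api-key, oauth-client-id + oauth-secret, or oauth-client-id + audience."
          fi
          exit 1
        fi
        if [[ "${auth_count}" -gt 1 ]]; then
          echo "::error::Multiple conflicting authentication methods provided. Provide only one of: api-key, oauth-client-id + oauth-secret, or oauth-client-id + audience."
          exit 1
        fi

    # The cached artifact is an executable that the last step runs as-is, so
    # the cache key must fully identify what was built (OS, arch, release).
    # Cache entries are only shared within GitHub's cache scoping rules; keep
    # that in mind if this action is used in workflows triggered by forks.
    # NOTE(review): `@v5` is a mutable tag; pinning to a commit SHA gives a
    # stronger supply-chain guarantee (same applies to actions/setup-go below).
    - name: Cache gitops-pusher binary
      id: cache
      uses: actions/cache@v5
      with:
        path: ${{ github.action_path }}/bin
        key: gitops-pusher-${{ runner.os }}-${{ runner.arch }}-${{ inputs.tailscale-release }}

    # Only needed on a cache miss; Go's own module cache is disabled because
    # the build happens at most once per release/OS/arch anyway.
    - name: Setup Go
      if: steps.cache.outputs.cache-hit != 'true'
      uses: actions/setup-go@v6
      with:
        go-version: "1.25.x"
        cache: false

    - name: Build gitops-pusher
      if: steps.cache.outputs.cache-hit != 'true'
      shell: bash
      env:
        ACTION_PATH: ${{ github.action_path }}
        TAILSCALE_RELEASE: ${{ inputs.tailscale-release }}
      run: |
        set -euo pipefail
        # `go install pkg@version` resolves the module through the configured
        # GOPROXY and verifies it against the checksum database unless the
        # environment opts out (GONOSUMDB/GOFLAGS); CGO is disabled for a
        # static, portable binary.
        CGO_ENABLED=0 go install tailscale.com/cmd/gitops-pusher@${TAILSCALE_RELEASE}
        mkdir -p "${ACTION_PATH}/bin"
        cp "$(go env GOPATH)/bin/gitops-pusher" "${ACTION_PATH}/bin/"

    - name: Fetch OIDC token
      id: fetch-id-token
      if: ${{ inputs.oauth-client-id != '' && inputs.audience != '' }}
      shell: bash
      env:
        INPUT_AUDIENCE: ${{ inputs.audience }}
      run: |
        set -euo pipefail
        # Both variables are populated only when the calling workflow grants
        # `id-token: write`; without them there is nothing to exchange.
        if [[ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]]; then
          echo "::error::ACTIONS_ID_TOKEN_REQUEST_URL is not set. Ensure the workflow has 'id-token: write' permission."
          exit 1
        fi
        if [[ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]]; then
          echo "::error::ACTIONS_ID_TOKEN_REQUEST_TOKEN is not set. Ensure the workflow has 'id-token: write' permission."
          exit 1
        fi
        # -G/--data-urlencode appends a properly encoded `audience` query
        # parameter (the request URL already carries a query string, so curl
        # joins with '&'). Interpolating the raw input into the URL would
        # break, or change the request, on any reserved character.
        RESPONSE=$(curl -fsSL -G \
          -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
          --data-urlencode "audience=${INPUT_AUDIENCE}" \
          "${ACTIONS_ID_TOKEN_REQUEST_URL}")
        # `// empty` maps a missing or null `.value` to an empty string, so a
        # single emptiness check covers both cases.
        ID_TOKEN=$(jq -r '.value // empty' <<< "${RESPONSE}")
        if [[ -z "${ID_TOKEN}" ]]; then
          echo "::error::Failed to fetch OIDC ID token from GitHub."
          exit 1
        fi
        # Mask before the token can appear in any later log line, including
        # the step output written right after.
        echo "::add-mask::${ID_TOKEN}"
        echo "id-token=${ID_TOKEN}" >> "${GITHUB_OUTPUT}"

    - name: Run gitops-pusher
      shell: bash
      env:
        TS_OAUTH_ID: ${{ inputs.oauth-client-id }}
        TS_OAUTH_SECRET: ${{ inputs.oauth-secret }}
        # Empty when the OIDC step was skipped (no audience configured).
        TS_ID_TOKEN: ${{ steps.fetch-id-token.outputs.id-token }}
        TS_API_KEY: ${{ inputs.api-key }}
        TS_TAILNET: ${{ inputs.tailnet }}
        ACTION_PATH: ${{ github.action_path }}
        INPUT_POLICY_FILE: ${{ inputs.policy-file }}
        INPUT_ACTION: ${{ inputs.action }}
      run: |
        set -euo pipefail
        BIN="${ACTION_PATH}/bin/gitops-pusher"
        # The binary comes from the cache restore or the build step; a failed
        # or partial restore would otherwise surface as a bare exec error.
        if [[ ! -x "${BIN}" ]]; then
          echo "::error::gitops-pusher binary not found or not executable at '${BIN}'."
          exit 1
        fi
        if [[ ! -f "${INPUT_POLICY_FILE}" ]]; then
          echo "::error::Policy file '${INPUT_POLICY_FILE}' does not exist."
          exit 1
        fi
        # INPUT_ACTION was restricted to test|apply by the first step.
        exec "${BIN}" "--policy-file=${INPUT_POLICY_FILE}" "${INPUT_ACTION}"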