Add Twingate connection to deployment pipeline#74

Merged
mucsi96 merged 1 commit into main from claude/compassionate-davinci-8w5sot on Jun 15, 2026
Conversation

@mucsi96

@mucsi96 mucsi96 commented Jun 15, 2026

Owner

Summary

This change adds Twingate network access to the CI/CD deployment pipeline, enabling secure connectivity to private Kubernetes infrastructure during deployments.

Key Changes

  • Added Twingate GitHub Action step to the pipeline workflow
  • Configured Twingate authentication using a service key secret
  • Positioned the connection step before the Kubernetes deployment to ensure network access is established

Implementation Details

The Twingate action is inserted in the deployment job after kubelogin setup and before the actual Kubernetes deployment step. This ensures that the secure network tunnel is established before attempting to connect to the Kubernetes cluster. The service key is securely passed via GitHub secrets (TWINGATE_SERVICE_KEY).

https://claude.ai/code/session_01TTrjjtAR35Zy8kJS4xP64E

@mucsi96 mucsi96 merged commit dc6edf5 into main Jun 15, 2026
2 checks passed
@mucsi96 mucsi96 deleted the claude/compassionate-davinci-8w5sot branch June 15, 2026 20:14
@claude

claude Bot commented Jun 15, 2026

Code Review: Add Twingate connection to deployment pipeline

Overview
Inserts a Twingate GitHub Action step into the deployment job to establish a secure network tunnel before the Kubernetes deployment step. Change is minimal (5 lines) and well-placed.

What is Good

  • Correct positioning: after kubelogin setup and before Deploy to Kubernetes, ensuring the tunnel is established before kubectl/helm connects to the cluster.
  • Secret is passed via secrets.TWINGATE_SERVICE_KEY - no hardcoded credentials.

Issue: Floating action version tag (medium severity)

The step uses twingate/github-action@v1. A mutable floating tag means any future v1.x commit pushed by Twingate runs automatically in your pipeline without review. This is a well-known supply-chain attack vector for GitHub Actions.

Recommendation: pin to a specific semver tag (e.g. twingate/github-action@v1.1.0) or preferably to the exact commit SHA of that release. Check the twingate/github-action releases page to identify the latest stable version.

Minor Notes

  • An inline comment explaining why Twingate is needed (e.g. the Kubernetes API server is on a private network reachable only via Twingate) would help future contributors understand the pipeline.
  • If Twingate fails to connect, the subsequent Deploy to Kubernetes step will likely fail with a cryptic network error rather than a clear Twingate-specific message. Worth validating failure behavior in a dry run.

Summary
Functionally correct and well-placed. The only meaningful concern is the floating @v1 action tag - pinning to a specific version or SHA eliminates supply-chain risk at zero cost.
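The review's one substantive finding is the floating `@v1` tag. The POSIX sh check below is an added example, not code from this PR or its repository: it lists every `uses:` reference in a workflow that is not pinned to a full 40-hex commit SHA, so it can run as a CI gate or a pre-merge lint. The two sample steps it is fed are constructed here in the shape the PR description and review give (action name, the `TWINGATE_SERVICE_KEY` secret, the kubelogin/deploy ordering); the `service-key` input name is assumed from the Twingate action's documentation, and the 40-zero SHA in the pinned sample is a placeholder, not a real release commit.

```shell
#!/bin/sh
# Added example (not the PR's workflow file): flag GitHub Actions `uses:` references
# that are not pinned to a full commit SHA. Floating tags (@v1), branch names (@main)
# and short SHAs are all reported. Reads workflow YAML on stdin.

# Print each unpinned `uses:` reference, one per line. Local actions (./path) and
# docker:// images are skipped because they are not resolved through a git ref.
unpinned_actions() {
  grep -E '^[[:space:]]*(-[[:space:]]*)?uses:' \
    | sed -E "s/^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*//; s/[[:space:]]*#.*\$//; s/^[\"']//; s/[\"']\$//" \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# Exit 0 when every action is SHA-pinned, 1 otherwise (usable as a pipeline gate).
check_pinned_actions() {
  found=$(unpinned_actions)
  if [ -n "$found" ]; then
    printf '%s\n' "$found" | sed 's/^/unpinned action reference: /' >&2
    return 1
  fi
  return 0
}

# Constructed sample: the step shape the PR describes, using the floating major tag
# the review flags. `service-key` is the assumed input name of the Twingate action.
FLOATING_STEP='      - name: Connect to Twingate
        uses: twingate/github-action@v1
        with:
          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}'

# Same step pinned to a commit SHA, with the inline comment the review asks for.
# The SHA is a PLACEHOLDER (all zeros); the trailing comment records the release
# tag it should correspond to so the pin can be audited and bumped later.
PINNED_STEP='      - name: Connect to Twingate  # API server is on a private network reachable only via Twingate
        uses: twingate/github-action@0000000000000000000000000000000000000000  # v1.1.0
        with:
          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}'

# Stand-alone use: `sh check_actions.sh .github/workflows/deploy.yml` checks a real
# file; with no argument the two constructed samples are checked instead.
if [ -n "${1:-}" ]; then
  check_pinned_actions < "$1"
else
  printf '%s\n' "$FLOATING_STEP" | check_pinned_actions \
    || echo "floating sample: rejected (expected)"
  printf '%s\n' "$PINNED_STEP" | check_pinned_actions \
    && echo "pinned sample: accepted"
fi
```

The check deliberately treats anything shorter than a full SHA as unpinned, since a tag or short SHA can be moved or collided; the `# v1.1.0` comment convention keeps the pin readable without weakening it.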
