Revoke GH Actions tailnet credentials after rip-out sweep #160

Open
opened 2026-05-28 00:17:55 +00:00 by coilysiren · 1 comment
**Problem**

Following the rip-out of Tailscale + K3s steps from GitHub Actions across `repo-recall`, `personal-dashboard`, `backend`, `galaxy-gen`, `eco-jobs-tracker`, `eco-mcp-app`, the GH-side secrets and the per-repo federated identities still exist. Until they're revoked, a re-added workflow (or anyone with `secrets` access) could still call into the tailnet / cluster.

Per-repo rip-out tracking:

- coilysiren/repo-recall#92 (landed)
- coilysiren/personal-dashboard#10 (landed)
- coilysiren/backend#20 (blocked by backend#21)
- coilysiren/galaxy-gen#12 (blocked by pre-commit doc cleanup)
- coilysiren/eco-jobs-tracker#11 (blocked by pre-commit doc cleanup)
- coilysiren/eco-mcp-app#22 (blocked by pre-commit doc cleanup)

**Proposal**

- Unset per-repo GH secrets via `gh secret delete --repo coilysiren/<repo> <NAME>`:
  - All six repos: `TS_CLIENT_ID`, `TS_AUDIENCE`, `TS_OAUTH_CLIENT_ID`, `TS_OAUTH_SECRET` (subset varies per repo; safe to delete-if-exists).
  - eco-jobs-tracker, eco-mcp-app: also `K8S_SERVER`, `K8S_CA_DATA`, `K8S_CLIENT_CERT_DATA`, `K8S_CLIENT_KEY_DATA`.
  - backend: also `DATASTORE_TOKEN` if no other workflow still uses it.
- Remove the federated identity entries for these six repos from `terraform/tailscale-oidc/` (and any sibling tags-only OAuth client used by personal-dashboard / eco-* / backend OIDC). `terraform plan` should show the targeted destroys; apply once reviewed.
- Revoke any leftover Tailscale OAuth clients in the admin console.

**Acceptance**

- `gh secret list --repo coilysiren/<repo>` shows none of the names above for the six repos.
- `terraform plan` in `terraform/tailscale-oidc/` shows no drift after the destroy lands.
- Tailscale admin console shows no OAuth client tied to a `github-actions-*` hostname / `tag:ci`-only client.

**Out of scope**

- AGENTS.md edits in each affected repo describing the old deploy path. Track per repo.
coilysiren (author, owner) commented:

Halt check before revocation. Audited the six repos' workflows on GitHub and only `repo-recall` is actually clean. The other five still have live references to the secrets this issue proposes deleting:

- **repo-recall**: clean. No workflow refs to `TS_*` / `K8S_*` / `DATASTORE_TOKEN`. Safe to revoke `TS_AUDIENCE`, `TS_CLIENT_ID` and remove from `terraform/tailscale/repos.yaml`.
- **personal-dashboard**: `.github/workflows/release.yml:129` uses `tailscale/github-action@v3` + `TS_OAUTH_CLIENT_ID` / `TS_OAUTH_SECRET` to trigger `personal-dashboard-update.service` on kai-server. Deleting would break releases. Note: the per-repo tracking #10 is listed as "landed" in #160 but the workflow disagrees.
- **backend**: `build-and-publish.yml` uses `TS_CLIENT_ID`, `TS_AUDIENCE`, `DATASTORE_TOKEN`.
- **galaxy-gen**: `build-and-publish.yml` uses `TS_CLIENT_ID`, `TS_AUDIENCE`.
- **eco-jobs-tracker**: `build-and-publish.yml` uses `TS_OAUTH_CLIENT_ID`, `TS_OAUTH_SECRET`, `K8S_SERVER`, `K8S_CA_DATA`, `K8S_CLIENT_CERT_DATA`, `K8S_CLIENT_KEY_DATA`.
- **eco-mcp-app**: `build-and-publish.yml` uses `TS_OAUTH_CLIENT_ID`, `TS_OAUTH_SECRET`, `K8S_SERVER`, `K8S_CA_DATA`, `K8S_CLIENT_CERT_DATA`, `K8S_CLIENT_KEY_DATA`.

Suggested next steps:

1. Revoke just `repo-recall` now (delete its two GH secrets, drop `coilysiren/repo-recall` from `terraform/tailscale/repos.yaml`, `terraform apply` destroys the federated identity).
2. Leave the other five blocked until each repo's `build-and-publish.yml` / `release.yml` actually rips the tailnet/K3s step. Re-audit and revoke per-repo as each lands.

No code changes pushed from this session. Holding for direction.
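An added example, not code from this issue or from any coilysiren repo: a dry-run audit in Python that implements the halt check the comment describes together with the delete-if-exists step from the proposal. It scans each repo's workflow YAML for `secrets.NAME` references and only emits a `gh secret delete --repo coilysiren/<repo> <NAME>` command for candidates no workflow still uses. The repo names and workflow contents are constructed sample data, and treating a `secrets: inherit` reusable-workflow call as a reference to every candidate is a conservative assumption of mine, not something the issue specifies.

```python
"""Dry-run audit: which GH Actions secrets can be revoked without breaking a workflow?

Added example (not from the issue). Sample repos and YAML below are constructed.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Secret names the issue proposes deleting (the Tailscale subset, common to all six repos).
CANDIDATES = ["TS_CLIENT_ID", "TS_AUDIENCE", "TS_OAUTH_CLIENT_ID", "TS_OAUTH_SECRET"]

# Constructed sample workflows: repo name -> {workflow path -> YAML text}.
SAMPLE_WORKFLOWS: Dict[str, Dict[str, str]] = {
    "clean-repo": {
        ".github/workflows/ci.yml": (
            "name: ci\non: push\njobs:\n  test:\n    runs-on: ubuntu-latest\n"
            "    steps:\n      - uses: actions/checkout@v4\n      - run: make test\n"
        ),
    },
    "dirty-repo": {
        ".github/workflows/release.yml": (
            "jobs:\n  release:\n    runs-on: ubuntu-latest\n    steps:\n"
            "      - uses: tailscale/github-action@v3\n        with:\n"
            "          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}\n"
            "          oauth-secret: ${{ secrets['TS_OAUTH_SECRET'] }}\n"
        ),
    },
    "inherit-repo": {
        ".github/workflows/deploy.yml": (
            "jobs:\n  deploy:\n    uses: ./.github/workflows/reusable.yml\n"
            "    secrets: inherit\n"
        ),
    },
}

# Matches `secrets.NAME` and `secrets['NAME']` / `secrets["NAME"]` inside ${{ }} expressions.
SECRET_REF = re.compile(r"\bsecrets(?:\.([A-Za-z0-9_]+)|\[['\"]([A-Za-z0-9_]+)['\"]\])")
# A reusable-workflow call that forwards every secret; the callee is not scanned here.
SECRETS_INHERIT = re.compile(r"^\s*secrets:\s*inherit\s*$", re.MULTILINE)


def find_secret_refs(workflow_text: str) -> Set[str]:
    """Return the set of secret names a workflow file references."""
    return {m.group(1) or m.group(2) for m in SECRET_REF.finditer(workflow_text)}


def plan_revocation(
    workflows: Dict[str, str], candidates: Iterable[str]
) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split candidates into (safe to delete, blocked -> referencing workflow paths)."""
    candidates = list(candidates)
    referenced: Dict[str, List[str]] = {}
    for path, text in workflows.items():
        names = find_secret_refs(text)
        if SECRETS_INHERIT.search(text):
            # Assumption: an inherited-secrets call may consume any candidate, so block all.
            names = names | set(candidates)
        for name in names:
            referenced.setdefault(name, []).append(path)
    safe = sorted(n for n in candidates if n not in referenced)
    blocked = {n: sorted(referenced[n]) for n in candidates if n in referenced}
    return safe, blocked


def gh_delete_commands(repo: str, safe: Iterable[str], owner: str = "coilysiren") -> List[str]:
    """Build the `gh secret delete` commands for the safe names (printed, never executed here)."""
    return [f"gh secret delete --repo {owner}/{repo} {name}" for name in safe]


if __name__ == "__main__":
    for repo, files in SAMPLE_WORKFLOWS.items():
        safe, blocked = plan_revocation(files, CANDIDATES)
        print(f"{repo}: safe={safe} blocked={blocked}")
        for cmd in gh_delete_commands(repo, safe):
            print("  DRY RUN:", cmd)
```

Running it against a real checkout means replacing `SAMPLE_WORKFLOWS` with the contents of each repo's `.github/workflows/` directory; the command list stays a dry run until a reviewer pastes it, which keeps the audit and the destructive step separate, as the comment's "halt check" does.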
coilysiren added the P2 label and removed the P1 label, 2026-05-31 07:00:36 +00:00.
Reference: coilyco-flight-deck/infrastructure#160