Remove Tailscale + K3s deploy from GitHub Actions #20

Open
opened 2026-05-28 00:01:46 +00:00 by coilysiren · 0 comments
Owner

Problem

.github/workflows/build-and-publish.yml runs a deploy job that joins the tailnet via Tailscale OIDC and shells k3s ctr / kubectl into kai-server. GitHub Actions should no longer touch K3s or the tailnet in any circumstance — pull-side update already covers redeploys.

Proposal

  • Delete the deploy job entirely (Tailscale join, image sideload, rollout).
  • The same job's report status to datastore step also POSTs to the tailnet-internal api host; it goes with the rest of the job. A public-endpoint replacement (or removal) is out of scope for this issue — file separately if still wanted.
  • Keep the test job.
  • After merge, Kai unsets the repo's TS_CLIENT_ID / TS_AUDIENCE (and DATASTORE_TOKEN if no longer needed) and removes the federated identity entry from coilysiren/infrastructure/terraform/tailscale-oidc/.
  • The AGENTS.md "Post-push follow-up" section and infrastructure/docs/k3s-deploy-notes.md references to this workflow may need a follow-up edit.

Acceptance

  • Workflow has no Tailscale, K3s, or tailnet-internal HTTP steps.
  • test job still runs on every push to main.
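One way to check the acceptance criteria above mechanically, as an added example that is not part of the issue or the repository: a line-based scan (no YAML parser) that attributes each Tailscale, K3s or secret reference in a workflow file to the job it sits in. The sample workflow, the matching rules and the function names are assumptions constructed for illustration; a tailnet-internal HTTP step is only caught through its `DATASTORE_TOKEN` reference.

```python
import re

# Markers come from the issue text; the matching rules are this example's assumption.
FORBIDDEN = {
    "tailscale": re.compile(r"tailscale", re.I),
    "k3s/kubectl": re.compile(r"\b(k3s|kubectl)\b"),
    "secret": re.compile(r"\b(TS_CLIENT_ID|TS_AUDIENCE|DATASTORE_TOKEN)\b"),
}
TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):")        # unindented key: `on:`, `jobs:`
JOB_KEY = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")  # two-space key under `jobs:`

def audit_workflow(text):
    """Return (findings, jobs); each finding is (line_no, job_or_section, marker)."""
    findings, jobs, section, job = [], [], None, None
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comments never execute
        if (top := TOP_KEY.match(line)):
            section, job = top.group(1), None
        elif section == "jobs" and (m := JOB_KEY.match(line)):
            job = m.group(1)
            jobs.append(job)
        for marker, rx in FORBIDDEN.items():
            if rx.search(line):
                findings.append((no, job or section, marker))
    return findings, jobs

def meets_acceptance(text):
    """True if no marker remains and a `test` job exists (push trigger not checked)."""
    findings, jobs = audit_workflow(text)
    return not findings and "test" in jobs

# Constructed sample workflow, not the repository's real file.
BEFORE = """\
on:
  push:
    branches: [main]
jobs:
  test:
    steps:
      - run: make test
  deploy:
    steps:
      - uses: tailscale/github-action@v3
      - run: kubectl rollout restart deployment/backend
      - run: ./report-status.sh
        env:
          DATASTORE_TOKEN: ${{ secrets.DATASTORE_TOKEN }}
"""
AFTER = BEFORE.split("  deploy:")[0]  # the same file with the deploy job deleted
```

Run against the real workflow file in a pre-merge check, `meets_acceptance` fails while any finding remains, and the findings list shows which job still carries the reference.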
Reference
coilyco-flight-deck/backend#20