Remove Tailscale + K3s deploy from GitHub Actions #11

Closed
opened 2026-05-28 00:06:21 +00:00 by coilysiren · 0 comments
Owner

Problem

.github/workflows/build-and-publish.yml runs a deploy job that joins the tailnet (Tailscale OAuth), installs kubectl, writes a kubeconfig from repo secrets, and runs make .deploy + kubectl rollout status against kai-server. GitHub Actions should no longer touch K3s or the tailnet in any circumstance — pull-side update already covers redeploys.

Proposal

  • Delete the deploy job entirely.
  • Keep test and build-publish (the GHCR image push is still useful as a public artifact + pull source for the homelab).
  • After merge, Kai unsets TS_OAUTH_CLIENT_ID, TS_OAUTH_SECRET, K8S_SERVER, K8S_CA_DATA, K8S_CLIENT_CERT_DATA, K8S_CLIENT_KEY_DATA.
  • AGENTS.md "Reaching the homelab" + "Post-push follow-up" sections describe the GHA deploy and need a follow-up edit; track separately if needed.

Acceptance

  • Workflow has no Tailscale, kubeconfig, or kubectl steps.
  • test + build-publish still run on push to main; the homelab pulls from GHCR via pull-side.
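
An added example, not part of the original issue or the repository: a line-based check of the acceptance criteria above, run against workflow text. The sample workflows, their step contents and the two-space job indentation are assumptions constructed for illustration; the job names, markers and secret names come from the issue.

```python
import re

# Secrets the issue lists for removal once the deploy job is gone.
RETIRED_SECRETS = ("TS_OAUTH_CLIENT_ID", "TS_OAUTH_SECRET", "K8S_SERVER",
                   "K8S_CA_DATA", "K8S_CLIENT_CERT_DATA", "K8S_CLIENT_KEY_DATA")
FORBIDDEN = re.compile(r"tailscale|kubeconfig|kubectl", re.I)
JOB_HEADER = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # assumes 2-space indent

def audit_workflow(text):
    """Return (job names, findings); each finding is (line number, job, marker)."""
    jobs, findings, in_jobs, job = [], [], False, None
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split(" #", 1)[0]  # drop trailing YAML comments
        if not code.strip() or code.lstrip().startswith("#"):
            continue
        if not code[0].isspace():  # a new top-level key ends the jobs: block
            in_jobs, job = code.startswith("jobs:"), None
        header = JOB_HEADER.match(code) if in_jobs else None
        if header:
            job = header.group(1)
            jobs.append(job)
        hits = [h.lower() for h in FORBIDDEN.findall(code)]
        hits += [s for s in RETIRED_SECRETS if s in code]
        findings += [(lineno, job, hit) for hit in hits]
    return jobs, findings

def meets_acceptance(text):
    """Deploy job gone, test and build-publish kept, no forbidden marker left."""
    jobs, findings = audit_workflow(text)
    return "deploy" not in jobs and {"test", "build-publish"} <= set(jobs) and not findings

# Constructed sample workflows, not the repository's real file.
AFTER = """\
on: {push: {branches: [main]}}
jobs:
  test:
    steps:
      - run: make test
  build-publish:
    steps:
      - run: make publish
"""
BEFORE = AFTER + """\
  deploy:
    steps:
      - uses: tailscale/github-action@v2
      - run: echo "${{ secrets.K8S_CA_DATA }}" > kubeconfig
      - run: make .deploy && kubectl rollout status deployment/app
"""
```

A finding attributed to a job other than `deploy` means one of the retired secrets or tools is still referenced elsewhere in the workflow and would break once the secrets are unset.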
Reference
coilyco-flight-deck/eco-jobs-tracker#11