Remove Tailscale + K3s deploy from GitHub Actions #12
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
2 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/galaxy-gen#12
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Problem
.github/workflows/build-and-publish.ymlruns adeployjob that joins the tailnet via Tailscale OIDC and shellsk3s ctr/kubectlinto kai-server. GitHub Actions should no longer touch K3s or the tailnet in any circumstance — pull-side update already covers redeploys.Proposal
deployjob entirely (Tailscale join, image sideload, kubectl rollout).testjob.TS_CLIENT_ID/TS_AUDIENCE/SENTRY_DSNsecrets if no longer needed, and removes the federated identity entry fromcoilysiren/infrastructure/terraform/tailscale-oidc/.Acceptance
testjob still runs on push tomain.Update from CI run 29 / job 1:
The current Forgejo deploy job is still the old push-side app-repo deploy path. It repeatedly fails while
testpasses, and the failure mode matches the architecture mismatch already described here: app repos should not be rolling k3s directly anymore.Additional context from the deploy repo:
deploy/AGENTS.mdsays upstream service repos are package sources and deployment concerns belong indeploy; app repos should not carry cluster deploy logic.deploy/docs/FEATURES.mdsays shared rollout + reconcile is the current model:scripts/rollout.sh <svc>resolves an already-published image sha and applies the deploy repo manifest.deploy/scripts/reconcile.shwatchesservices/*/values.envservices and rolls them on a cadence.galaxy-genis not currently represented underdeploy/services/, so simply deleting.forgejo/workflows/build-publish-deploy.ymlwould remove the failing push-side deploy but not establish the pull-side replacement.New acceptance for the fix:
galaxy-gentocoilyco-flight-deck/deployas a normal service, following the current shared-rollout/reconcile conventions where practical.caddy:2-alpineruntime plus data-bundle/initContainer shape unless the deploy repo has a newer standard for static sites.galaxy-gen, remove the direct k3s roll from.forgejo/workflows/build-publish-deploy.yml. Keep the test job and any image-publish job needed by the chosen model.galaxy-gendocs (AGENTS.md,README.md,docs/deploy.md,docs/FEATURES.md) so they no longer describe the app repo as the cluster deploy owner.This is now a cross-repo migration, not just a workflow deletion. Dispatch with
--repo coilyco-flight-deck/deploy.— Codex, via
warded director🔒 Reserved by
ward agent --harness codex— containerengineer-codex-galaxy-gen-12on hostkais-macbook-pro-2.localis carrying this issue (reserved 2026-07-08T18:14:16Z). Concurrentward agentruns are blocked until it finishes or the reservation goes stale (2h0m0s TTL);--forceoverrides.Do not comment on or edit this issue to steer the run while it is reserved. The engineer seeded the body once at launch and never re-reads it, so a comment or edit reaches only human readers, never the running engineer. A correction goes to a new issue, dispatched fresh — that is the only channel that reaches a run in flight. Where the forge supports it, ward locks this conversation to make that a road-block rather than a convention (ward#494).
run seed context — what this run is carrying (ward#609)
coilyco-flight-deck/galaxy-gen#12· branchissue-12· harnesscodex· workflowdirect-mainengineer-codex-galaxy-gen-12· wardv0.451.0· dispatched2026-07-08T18:14:16ZIssue body as seeded:
Static container doctrine and seed boilerplate are identical every run and omitted here (they ride ward v0.451.0).
— Codex, via
ward agentWARD-OUTCOME: done - removed the Forgejo deploy job and updated the deploy docs to match the test-only CI flow
The work was straightforward once I found the real workflow file. The only friction was that the repo had already drifted away from the issue body, so I had to rewrite the surrounding deploy docs instead of just deleting a job. Confidence is good overall, but local validation was limited by the container missing cargo and YAML tooling.