Remove Tailscale deploy trigger from GitHub Actions #10

New issue

Open

opened 2026-05-28 00:05:10 +00:00 by coilysiren · 0 comments

coilysiren commented 2026-05-28 00:05:10 +00:00

Owner

Copy link

Problem

.github/workflows/release.yml has a deploy-kai-server job that joins the tailnet via Tailscale OAuth and triggers personal-dashboard-update.service over SSH. GitHub Actions should no longer touch the tailnet in any circumstance — pull-side update on kai-server (e.g. a systemd timer that polls the Formula and runs brew upgrade) covers redeploys.

Proposal

• Delete the entire deploy-kai-server job (formula wait, Tailscale join, SSH trigger).
• Keep release (tag + GH Release cut) and bump-formula.
• After merge, Kai unsets TS_OAUTH_CLIENT_ID / TS_OAUTH_SECRET and revokes the OAuth client at the Tailscale admin console.
• AGENTS.md "Release" + "Post-push" sections need a follow-up edit to drop the deploy-kai-server reference and document the pull-side timer instead.

Acceptance

• Workflow has no Tailscale or ssh kai-server steps.
• release + bump-formula still run on every push to main.

**Problem** `.github/workflows/release.yml` has a `deploy-kai-server` job that joins the tailnet via Tailscale OAuth and triggers `personal-dashboard-update.service` over SSH. GitHub Actions should no longer touch the tailnet in any circumstance — pull-side update on kai-server (e.g. a systemd timer that polls the Formula and runs `brew upgrade`) covers redeploys. **Proposal** - Delete the entire `deploy-kai-server` job (formula wait, Tailscale join, SSH trigger). - Keep `release` (tag + GH Release cut) and `bump-formula`. - After merge, Kai unsets `TS_OAUTH_CLIENT_ID` / `TS_OAUTH_SECRET` and revokes the OAuth client at the Tailscale admin console. - AGENTS.md "Release" + "Post-push" sections need a follow-up edit to drop the `deploy-kai-server` reference and document the pull-side timer instead. **Acceptance** - Workflow has no Tailscale or `ssh kai-server` steps. - `release` + `bump-formula` still run on every push to `main`.

coilysiren referenced this issue from coilyco-flight-deck/infrastructure 2026-05-28 00:17:55 +00:00

Revoke GH Actions tailnet credentials after rip-out sweep #160

coilysiren added the

P1

label 2026-05-30 17:09:23 +00:00

coilysiren added

P2

and removed

P1

labels 2026-05-30 17:20:46 +00:00

coilysiren added

P3

and removed

P2

labels 2026-05-31 07:01:31 +00:00

Commenting is not possible because the repository is archived.

No Branch/Tag specified

Branches Tags

main

v0.2.16

v0.2.15

v0.2.14

v0.2.13

v0.2.12

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.0

Labels

Clear labels   

icebox

Closed in the 2026-05-29 backlog burn-down; reopen if it becomes real

  

P0

now / blocking / urgent

  

P1

next / important

  

P2

backlog / will do

  

P3

someday / low

  

P4

P4

No labels

icebox

P0

P1

P2

P3

P4

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

coilysiren/personal-dashboard#10

No description provided.