Remove Tailscale + K3s deploy from GitHub Actions #92

New issue

Closed

opened 2026-05-28 00:00:32 +00:00 by coilysiren · 0 comments

coilysiren commented 2026-05-28 00:00:32 +00:00

Owner

Copy link

Problem

.github/workflows/docker.yml still runs a ship job that joins the tailnet via Tailscale OIDC and runs k3s ctr / k3s kubectl on kai-server. GitHub Actions should no longer touch K3s or the tailnet in any circumstance — pull-side update already covers redeploys.

Proposal

• Delete the ship job entirely.
• Drop id-token: write from the top-level permissions: block (only the ship job needed it for Tailscale OIDC).
• Trim the top-of-file doc comment so it only describes the GHCR publish path.
• After merge, Kai unsets the repo's TS_CLIENT_ID / TS_AUDIENCE secrets and removes the federated identity entry from coilysiren/infrastructure/terraform/tailscale-oidc/.

Acceptance

• docker.yml has no Tailscale or K3s steps.
• CI on a main push runs only the build job (GHCR publish).
• repo-recall-update.service on kai-server continues to roll the deploy.

**Problem** `.github/workflows/docker.yml` still runs a `ship` job that joins the tailnet via Tailscale OIDC and runs `k3s ctr` / `k3s kubectl` on kai-server. GitHub Actions should no longer touch K3s or the tailnet in any circumstance — pull-side update already covers redeploys. **Proposal** - Delete the `ship` job entirely. - Drop `id-token: write` from the top-level `permissions:` block (only the ship job needed it for Tailscale OIDC). - Trim the top-of-file doc comment so it only describes the GHCR publish path. - After merge, Kai unsets the repo's `TS_CLIENT_ID` / `TS_AUDIENCE` secrets and removes the federated identity entry from `coilysiren/infrastructure/terraform/tailscale-oidc/`. **Acceptance** - `docker.yml` has no Tailscale or K3s steps. - CI on a `main` push runs only the `build` job (GHCR publish). - `repo-recall-update.service` on kai-server continues to roll the deploy.

coilysiren referenced this issue from coilyco-flight-deck/infrastructure 2026-05-28 00:17:55 +00:00

Revoke GH Actions tailnet credentials after rip-out sweep #160

coilysiren referenced this issue from a commit 2026-05-28 04:41:23 +00:00

chore(ci): rip Tailscale + K3s deploy out of docker.yml

coilysiren closed this issue 2026-05-28 04:41:23 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

action-required-mine

mcp-app-rewrite

v0.45.0

v0.44.0

v0.43.0

v0.42.2

v0.42.1

v0.42.0

v0.41.1

v0.41.0

v0.40.7

v0.40.6

v0.40.5

v0.40.4

v0.40.3

v0.40.2

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.0

v0.34.0

v0.33.1

v0.33.0

v0.32.3

v0.32.2

v0.32.1

v0.32.0

v0.31.1

v0.31.0

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.56

v0.29.55

v0.29.54

v0.29.53

v0.29.52

v0.29.51

v0.29.50

v0.29.49

v0.29.48

v0.29.47

v0.29.46

v0.29.45

v0.29.44

v0.29.43

v0.29.42

v0.29.41

v0.29.40

v0.29.39

v0.29.38

v0.29.37

v0.29.36

v0.29.35

v0.29.34

v0.29.33

v0.29.32

v0.29.31

v0.29.30

v0.29.29

v0.29.28

v0.29.27

v0.29.26

v0.29.25

v0.29.24

v0.29.23

v0.29.22

v0.29.21

v0.29.20

v0.29.19

v0.29.18

v0.29.17

v0.29.16

v0.29.15

v0.29.14

v0.29.13

v0.29.12

v0.29.11

v0.29.10

v0.29.9

v0.29.8

v0.29.7

v0.29.6

v0.29.5

v0.29.4

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.36

v0.28.35

v0.28.34

v0.28.33

v0.28.32

v0.28.31

v0.28.30

v0.28.29

v0.28.28

v0.28.27

v0.28.26

v0.28.25

v0.28.24

v0.28.23

v0.28.22

v0.28.21

v0.28.20

v0.28.19

v0.28.18

v0.28.17

v0.28.16

v0.28.15

v0.28.14

v0.28.13

v0.28.12

v0.28.11

v0.28.10

v0.28.9

v0.28.8

v0.28.7

v0.28.6

v0.28.5

v0.28.4

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27.0

v0.26.1

v0.26.0

v0.25.1

v0.25.0

v0.24.0

v0.23.1

v0.23.0

v0.22.3

v0.22.2

v0.22.1

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.1

v0.16.0

v0.15.0

v0.14.1

v0.14.0

v0.13.15

v0.13.14

v0.13.13

v0.13.12

v0.13.11

v0.13.10

v0.13.9

v0.13.8

v0.13.7

v0.13.6

v0.13.5

v0.13.4

v0.13.3

v0.13.2

v0.13.1

v0.13.0

v0.12.9

v0.12.8

v0.12.7

v0.12.6

v0.12.5

v0.12.4

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.0

v0.8.0

v0.7.0

v0.6.1

v0.6.0

v0.5.0

v0.4.0

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.0

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

  

P0

now / blocking / urgent

  

P1

next / important

  

P2

backlog / will do

  

P3

someday / low

  

P4

icebox / frozen / reopen if it becomes real

No labels

P0

P1

P2

P3

P4

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

coilyco-flight-deck/repo-recall#92

No description provided.