Tailscale version: tailscale/github-action@v2
Your operating system & version: ubuntu-latest
Here is my ACL configuration (it is the default ACL config with my addition of tagOwners):
// Example/default ACLs for unrestricted connections.
{
    // Declare static groups of users. Use autogroups for all users or users with a specific role.
    // "groups": {
    //     "group:example": ["alice@example.com", "bob@example.com"],
    // },

    // Define the tags which can be applied to devices and by which users.
    // "tagOwners": {
    //     "tag:example": ["autogroup:admin"],
    // },
    "tagOwners": {
        "tag:cicd": ["autogroup:members"],
    },

    // Define access control lists for users, groups, autogroups, tags,
    // Tailscale IP addresses, and subnet ranges.
    "acls": [
        // Allow all connections.
        // Comment this section out if you want to define specific restrictions.
        {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    ],

    // Define users and devices that can use Tailscale SSH.
    "ssh": [
        // Allow all users to SSH into their own devices in check mode.
        // Comment this section out if you want to define specific restrictions.
        {
            "action": "check",
            "src": ["autogroup:members"],
            "dst": ["autogroup:self"],
            "users": ["autogroup:nonroot", "root"],
        },
    ],

    // Test access rules every time they're saved.
    // "tests": [
    //     {
    //         "src": "alice@example.com",
    //         "accept": ["tag:example"],
    //         "deny": ["100.101.102.103:443"],
    //     },
    // ],
}
My GitHub action looks like this:
name: Deno
on:
  push:
    branches: ["master"]
  pull_request:
    branches: ["master"]
  workflow_dispatch:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Setup repo
        uses: actions/checkout@v3
      # application pipeline specific steps skipped
      - name: Tailscale
        uses: tailscale/github-action@v2
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          tags: tag:cicd
I generated the client and secret with the following options and stored them in GitHub secrets:
When the action is run I get the following:
Run tailscale/github-action@v2
Run if [ X64 = "ARM64" ]; then
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 64 100 64 0 0 190 0 --:--:-- --:--:-- --:--:-- 191
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
3 22.5M 3 848k 0 0 1350k 0 0:00:17 --:--:-- 0:00:17 1350k
100 22.5M 100 22.5M 0 0 18.8M 0 0:00:01 0:00:01 --:--:-- 18.8M
tailscale.tgz: OK
Run sudo -E tailscaled --state=mem: ${ADDITIONAL_DAEMON_ARGS} 2>~/tailscaled.log &
Run if [ -z "${HOSTNAME}" ]; then
Status: 403, Message: "user does not have access to this operation"
Error: Process completed with exit code 1.
Why does this happen? I tried both autogroup:members and autogroup:admin.
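An added pre-flight check, not part of this issue or of the tailscale/github-action project: it parses the tagOwners block of a Tailscale HuJSON policy (comments and trailing commas allowed) and reports any tag named in the action's `tags:` input that the policy never declares, since an undeclared tag cannot be granted to a device. The sample policy below is constructed from the issue's tagOwners and acls entries; the comment stripper assumes no string value contains `//` or `/*`.

```python
import json
import re

# Constructed sample: the issue's tagOwners and acls blocks, in Tailscale's
# HuJSON dialect (// comments and trailing commas are allowed).
ACL_HUJSON = """
{
    // Define the tags which can be applied to devices and by which users.
    "tagOwners": {
        "tag:cicd": ["autogroup:members"],
    },
    "acls": [
        {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    ],
}
"""


def hujson_to_json(text: str) -> str:
    """Strip /* */ and // comments and trailing commas so json.loads accepts it.
    Assumption: no string literal contains '//' or '/*' (true for the sample)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    # A comma directly before a closing bracket/brace is a trailing comma.
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def tag_owners(acl_text: str) -> dict:
    """Return the tagOwners mapping (tag -> list of owners) from the policy."""
    return json.loads(hujson_to_json(acl_text)).get("tagOwners", {})


def missing_tags(acl_text: str, requested: str) -> list:
    """Tags from the action's comma-separated `tags:` value that the policy
    does not declare under tagOwners; an empty list means all are declared."""
    owners = tag_owners(acl_text)
    wanted = [t.strip() for t in requested.split(",") if t.strip()]
    return [t for t in wanted if t not in owners]


if __name__ == "__main__":
    # The issue's workflow requests only tag:cicd, which the policy declares.
    print("undeclared tags:", missing_tags(ACL_HUJSON, "tag:cicd"))
```

An empty result only confirms the tag is declared; it says nothing about which tags the OAuth client itself was created with, which this script cannot see.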