action.yml

name: "Sync Tailscale ACLs"
description: "Push changes to Tailscale and run ACL tests in CI"
inputs:
  tailnet:
    description: "Tailnet name (eg. example.com, xe.github, tailscale.org.github)"
    required: true
  api-key:
    description: "Tailscale API key"
    required: false
  oauth-client-id:
    description: "Tailscale OAuth ID"
    required: false
  oauth-secret:
    description: "Tailscale OAuth Secret"
    required: false
  policy-file:
    description: "Path to policy file"
    required: true
    default: ./policy.hujson
  action:
    description: "Action to take (test/apply)"
    required: true
runs:
  using: "composite"
  steps:
    - name: Check Auth Info Empty
      if: ${{ inputs['api-key'] == '' && inputs['oauth-secret'] == '' }}
      shell: bash
      run: |
        echo "::error title=⛔ error hint::API Key or OAuth secret must be specified. Maybe you need to populate it in the Secrets for your workflow, see more in https://docs.github.com/en/actions/security-guides/encrypted-secrets and https://tailscale.com/s/oauth-clients"
        exit 1
    - name: Check Conflicting Auth Info
      if: ${{ inputs['api-key'] != '' && inputs['oauth-secret'] != '' }}
      shell: bash
      run: |
        echo "::error title=⛔ error hint::only one of API Key or OAuth secret should be specified.
        exit 1
    - uses: actions/setup-go@v5
      with:
        go-version: 1.22.4
        cache: false

    - name: Gitops pusher
      shell: bash
      env:
        # gitops-pusher will use OAUTH_ID and OAUTH_SECRET if non-empty,
        # otherwise it will use API_KEY.
        TS_OAUTH_ID: "${{ inputs.oauth-client-id }}"
        TS_OAUTH_SECRET: "${{ inputs.oauth-secret }}"
        TS_API_KEY: "${{ inputs.api-key }}"
        TS_TAILNET: "${{ inputs.tailnet }}"
      run: go run tailscale.com/cmd/gitops-pusher@66aa77416744037baec93206ae212012a2314f83 "--policy-file=${{ inputs.policy-file }}" "${{ inputs.action }}"