{"id":13992938,"url":"https://github.com/tailscale/gitops-acl-action","last_synced_at":"2025-04-23T07:07:32.579Z","repository":{"id":45729232,"uuid":"514004903","full_name":"tailscale/gitops-acl-action","owner":"tailscale","description":"GitOps for your Tailscale ACLs","archived":false,"fork":false,"pushed_at":"2024-12-12T17:47:39.000Z","size":20,"stargazers_count":102,"open_issues_count":12,"forks_count":28,"subscribers_count":22,"default_branch":"main","last_synced_at":"2025-04-23T07:07:26.786Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tailscale.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-14T18:17:26.000Z","updated_at":"2025-04-20T17:13:36.000Z","dependencies_parsed_at":"2024-01-15T15:37:10.353Z","dependency_job_id":"6077d379-a809-4107-b639-d7bc22e5da5e","html_url":"https://github.com/tailscale/gitops-acl-action","commit_stats":{"total_commits":10,"total_committers":5,"mean_commits":2.0,"dds":0.5,"last_synced_commit":"e50bab9c639fd3202c464759e10f6b8c547d57cc"},"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tailscale%2Fgitops-acl-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tailscale%2Fgitops-acl-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tailscale%2Fgitops-acl-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tailscale%2Fgitops-acl-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tailscale","download_url":"https://codeload.github.com/tailscale/gitops-acl-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250386755,"owners_count":21422028,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-09T14:02:10.942Z","updated_at":"2025-04-23T07:07:32.541Z","avatar_url":"https://github.com/tailscale.png","language":null,"funding_links":[],"categories":["Others"],"sub_categories":[],"readme":"# GitHub Action to Sync Tailscale ACLs\n\nThis GitHub action lets you manage your [tailnet policy file](https://tailscale.com/kb/1018/acls/) using a\n[GitOps](https://about.gitlab.com/topics/gitops/) workflow. With this GitHub\naction you can automatically manage your tailnet policy file using a git repository\nas your source of truth. \n\n## Inputs\n\n### `tailnet`\n\n**Required** The name of your tailnet. You can find it by opening [the admin\npanel](https://login.tailscale.com/admin) and copying down the name next to the\nTailscale logo in the upper left hand corner of the page.\n\n### `api-key`\n\n**Optional** An API key authorized for your tailnet. You can get one [in the\nadmin panel](https://login.tailscale.com/admin/settings/keys).\nEither `api-key` or `oauth-client-id` and `oauth-secret` are required.\n\nPlease note that API keys will expire in 90 days. Set up a monthly event to\nrotate your Tailscale API key, or use an OAuth client.\n\n### `oauth-client-id` and `oauth-secret`\n\n**Optional** The ID and secret for an [OAuth client](https://tailscale.com/kb/1215/oauth-clients)\nfor your tailnet. The client must have the `acl` scope.\n\nEither `api-key` or `oauth-client-id` and `oauth-secret` are required.\n\n### `policy-file`\n\n**Optional** The path to your policy file in the repository. If not set this\ndefaults to `policy.hujson` in the root of your repository.\n\n### `action`\n\n**Required** One of `test` or `apply`. If you set `test`, the action will run\nACL tests and not update the ACLs in Tailscale. If you set `apply`, the action\nwill run ACL tests and then update the ACLs in Tailscale. This enables you to\nuse pull requests to make changes with CI stopping you from pushing a bad change\nout to production.\n\n## Getting Started\n\nSet up a new GitHub repository that will contain your tailnet policy file. Open the [Access Controls page of the admin console](https://login.tailscale.com/admin/acls) and copy your policy file to\na file in that repo called `policy.hujson`.\n\nIf you want to change this name to something else, you will need to add the\n`policy-file` argument to the `with` blocks in your GitHub Actions config.\n\nCopy this file to `.github/workflows/tailscale.yml`.\n\n```yaml\nname: Sync Tailscale ACLs\n\non:\n  push:\n    branches: [ \"main\" ]\n  pull_request:\n    branches: [ \"main\" ]\n\njobs:\n  acls:\n    runs-on: ubuntu-latest\n\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Fetch version-cache.json\n        uses: actions/cache@v4\n        with:\n          path: ./version-cache.json\n          key: version-cache.json-${{ github.run_id }}\n          restore-keys: |\n            version-cache.json-\n\n      - name: Deploy ACL\n        if: github.event_name == 'push'\n        id: deploy-acl\n        uses: tailscale/gitops-acl-action@v1\n        with:\n          api-key: ${{ secrets.TS_API_KEY }}\n          tailnet: ${{ secrets.TS_TAILNET }}\n          action: apply\n\n      - name: Test ACL\n        if: github.event_name == 'pull_request'\n        id: test-acl\n        uses: tailscale/gitops-acl-action@v1\n        with:\n          api-key: ${{ secrets.TS_API_KEY }}\n          tailnet: ${{ secrets.TS_TAILNET }}\n          action: test\n```\n\nGenerate a new API key [here](https://login.tailscale.com/admin/settings/keys).\n\nSet a monthly calendar reminder to renew this key because Tailscale does not\ncurrently support API key renewal (this will be updated to support that when\nthat feature is implemented).\n\nThen open the secrets settings for your repo and add two secrets:\n\n* `TS_API_KEY`: Your Tailscale API key from the earlier step\n* `TS_TAILNET`: Your tailnet's name (it's next to the logo on the upper\n  left-hand corner of the [admin\n  panel](https://login.tailscale.com/admin/machines))\n\nOnce you do that, commit the changes and push them to GitHub. You will have CI\nautomatically test and push changes to your tailnet policy file to Tailscale.\n\n## Developer guide\n\n### Release process\n\nTo create a new minor or patch release:\n\n- push the new tag to the main branch\n\n- create a new GitHub release with a description of the changes in this release\n\n- repush the latest major release tag to point at the new latest release.\nFor example, if you are creating a `v1.3.1` release, you want to additionally tag it with `v1` tag.\nThis approach follows the [official GitHub actions versioning guidelines](https://docs.github.com/en/actions/creating-actions/about-custom-actions#using-tags-for-release-management).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftailscale%2Fgitops-acl-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftailscale%2Fgitops-acl-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftailscale%2Fgitops-acl-action/lists"}