mirror of
				https://github.com/tailscale/tailscale.git
				synced 2025-10-23 01:05:32 +00:00 
			
		
		
		
	 66aa774167
			
		
	
	66aa774167
	
	
	
		
			
			If previousEtag is empty, then we assume control ACLs were not modified manually and push the local ACLs. Instead, we defaulted to localEtag which would be different if local ACLs were different from control. AFAIK this was always buggy, but never reported? Fixes #14295 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
gitops-pusher
This is a small tool to help people achieve a GitOps workflow with Tailscale ACL changes. This tool is intended to be used in a CI flow that looks like this:
name: Tailscale ACL syncing
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
jobs:
  acls:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Setup Go environment
        uses: actions/setup-go@v3.2.0
        
      - name: Install gitops-pusher
        run: go install tailscale.com/cmd/gitops-pusher@latest
              
      - name: Deploy ACL
        if: github.event_name == 'push'
        env:
          TS_API_KEY: ${{ secrets.TS_API_KEY }}
          TS_TAILNET: ${{ secrets.TS_TAILNET }}
        run: |
          ~/go/bin/gitops-pusher --policy-file ./policy.hujson apply
      - name: ACL tests
        if: github.event_name == 'pull_request'
        env:
          TS_API_KEY: ${{ secrets.TS_API_KEY }}
          TS_TAILNET: ${{ secrets.TS_TAILNET }}
        run: |
          ~/go/bin/gitops-pusher --policy-file ./policy.hujson test
Change the value of the --policy-file flag to point to the policy file on
disk. Policy files should be in HuJSON
format.