action.yml: allow specifying a state directory

Also, document usage of the action with Tailnet Lock. Fixes #132 Signed-off-by: Anton Tolchanov <[email protected]>
tailscale · Jul 10, 2024 · b2b96d3 · b2b96d3
1 parent 0bf9b9f
commit b2b96d3
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -27,6 +27,26 @@ be automatically removed by the coordination server a short time after they
 finish their run. The nodes are also [marked Preapproved](https://tailscale.com/kb/1085/auth-keys/)
 on tailnets which use [Device Approval](https://tailscale.com/kb/1099/device-approval/)
 
+## Tailnet Lock
+
+If you are using this Action in a [Tailnet
+Lock](https://tailscale.com/kb/1226/tailnet-lock) enabled network, you need to:
+
+* Authenticate using an ephemeral reusable [pre-signed auth key](
+  https://tailscale.com/kb/1226/tailnet-lock#add-a-node-using-a-pre-signed-auth-key)
+  rather than an OAuth client.
+* Specify a [state directory](
+  https://tailscale.com/kb/1278/tailscaled#flags-to-tailscaled) for the
+  client to store the Tailnet Key Authority data in.
+
+```yaml
+  - name: Tailscale
+    uses: tailscale/github-action@v2
+    with:
+      authkey: tskey-auth-...
+      statedir: /tmp/tailscale-state/
+```
+
 ## Defining Tailscale version
 
 Which Tailscale version to use can be set like this:

diff --git a/action.yml b/action.yml
@@ -40,6 +40,10 @@ inputs:
     description: 'Fixed hostname to use.'
     required: false
     default: ''
+  statedir:
+    description: 'Optional state directory to use (if unset, memory state is used)'
+    required: false
+    default: ''
 runs:
     using: 'composite'
     steps:
@@ -95,8 +99,15 @@ runs:
         shell: bash
         env:
           ADDITIONAL_DAEMON_ARGS: ${{ inputs.tailscaled-args }}
+          STATEDIR: ${{ inputs.statedir }}
         run: |
-          sudo -E tailscaled --state=mem: ${ADDITIONAL_DAEMON_ARGS} 2>~/tailscaled.log &
+          if [ "$STATEDIR" == "" ]; then
+            STATE_ARGS="--state=mem:"
+          else
+            STATE_ARGS="--statedir=${STATEDIR}"
+            mkdir -p "$STATEDIR"
+          fi
+          sudo -E tailscaled ${STATE_ARGS} ${ADDITIONAL_DAEMON_ARGS} 2>~/tailscaled.log &
           # And check that tailscaled came up. The CLI will block for a bit waiting
           # for it. And --json will make it exit with status 0 even if we're logged
           # out (as we will be). Without --json it returns an error if we're not up.