github-action/.github/workflows/test.yml at main · tailscale/github-action · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
name: "Integration Tests"

permissions:
  id-token: write # This is required for requesting the JWT for workload identity

on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  # Matrix test for all supported platforms and architectures

  integration-tests:
    # Skip our integration tests if the PR is from a fork. This has the consequence of
    # disabling these even if the PR is from a forked repo into itself, but given that
    # these tests are very specific to our internal test environment that is a good thing.
    #
    # Similarly, skip if this is running from a PR that has been opened by dependabot as
    # the bot does not have credentials for the integration testing tailnet.
    # TODO(mpminardi): revisit / remove this if / when we give dependabot a tailnet for
    # testing with a smaller blast radius.
    if: ${{ github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}
    name: ${{ matrix.os }} (${{ matrix.arch }}) (${{ matrix.credential-type }}) tailscale-${{ matrix.version }}
    strategy:
      fail-fast: false
      matrix:
        include:
          # Linux tests (AMD64)
          - os: ubuntu-latest
            runner-os: Linux
            arch: amd64
            version: latest
            ping: 100.99.0.2,lax-pve.pineapplefish.ts.net,lax-pve
            credential-type: oauth

          # Try unstable too
          - os: ubuntu-latest
            runner-os: Linux
            arch: amd64
            version: unstable
            credential-type: oauth

          # Try a pinned version
          - os: ubuntu-latest
            runner-os: Linux
            arch: amd64
            credential-type: oauth
            # leave version blank to fall back to default

          # Linux tests (ARM64)
          - os: ubuntu-24.04-arm
            runner-os: Linux
            arch: arm64
            version: latest
            credential-type: oauth

          # Windows tests (AMD64)
          - os: windows-latest
            runner-os: Windows
            arch: amd64
            version: latest
            ping: 100.99.0.2,lax-pve.pineapplefish.ts.net,lax-pve
            credential-type: oauth

          # Windows tests (ARM64)
          - os: windows-11-arm
            runner-os: Windows
            arch: arm64
            version: latest
            credential-type: oauth

          # macOS 14 (ARM)
          - os: macos-14
            runner-os: macOS
            arch: arm64
            version: latest
            ping: 100.99.0.2,lax-pve.pineapplefish.ts.net,lax-pve
            credential-type: oauth

          # macOS latest (ARM)
          - os: macos-latest
            runner-os: macOS
            arch: arm64
            version: latest
            ping: 100.99.0.2,lax-pve.pineapplefish.ts.net,lax-pve
            credential-type: oauth

          # Try workload identity for each platform
          - os: macos-latest
            runner-os: macOS
            arch: amd64
            version: latest
            ping: 100.99.0.2,lax-pve.pineapplefish.ts.net,lax-pve
            credential-type: workload-identity

          - os: windows-latest
            runner-os: Windows
            arch: amd64
            ping: 100.99.0.2,lax-pve.pineapplefish.ts.net,lax-pve
            credential-type: workload-identity
            # leave version blank to fall back to default

          # Try adding in an unstable
          - os: ubuntu-latest
            runner-os: Linux
            arch: amd64
            version: unstable
            credential-type: workload-identity


    runs-on: ${{ matrix.os }}

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24"
          cache: "npm"

      - name: Install Dependencies
        run: npm ci

      - name: Build Action
        run: npm run build

      # Test with OAuth authentication
      - name: Test Action
        id: tailscale-oauth
        uses: ./
        with:
          oauth-client-id: ${{ matrix.credential-type == 'oauth' && secrets.TS_AUTH_KEYS_OAUTH_CLIENT_ID || secrets.TS_WORKLOAD_IDENTITY_CLIENT_ID }}
          oauth-secret: ${{ matrix.credential-type == 'oauth' &&  secrets.TS_AUTH_KEYS_OAUTH_CLIENT_SECRET || '' }}
          audience: ${{ matrix.credential-type == 'workload-identity' && secrets.TS_AUDIENCE || ''}}
          tags: "tag:ci"
          version: "${{ matrix.version }}"
          use-cache: false
          timeout: "5m"
          retry: 3
          ping: "${{ matrix.ping }}"

      # Look up names to make sure MagicDNS is working
      - name: Look up qualified name
        run: nslookup lax-pve.pineapplefish.ts.net

      - name: Look up unqualified name
        run: nslookup lax-pve

      # Test Tailscale status command
      - name: Check Tailscale Status
        if: steps.tailscale-oauth.outcome == 'success'
        run: |
          echo "Testing Tailscale status command..."
          if [ "${{ matrix.runner-os }}" == "Windows" ]; then
            # Windows uses system-installed binary without sudo
            tailscale status
            tailscale version
          else
            # Linux and macOS use system-installed binary with sudo
            sudo -E tailscale status
            tailscale version
          fi
        shell: bash