From 18240410107a078802ccab297344ccec8fad0f4a Mon Sep 17 00:00:00 2001 From: Campbell Goodwille Date: Fri, 9 Feb 2024 11:05:29 +0000 Subject: [PATCH 1/3] Updating referenced Actions to use non-deprecated versions --- README.md | 4 ++-- action.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a1b155a..29da478 100644 --- a/README.md +++ b/README.md @@ -66,10 +66,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Fetch version-cache.json - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: ./version-cache.json key: version-cache.json-${{ github.run_id }} diff --git a/action.yml b/action.yml index 7ecfa25..4b66833 100644 --- a/action.yml +++ b/action.yml @@ -35,7 +35,7 @@ runs: run: | echo "::error title=⛔ error hint::only one of API Key or OAuth secret should be specified. exit 1 - - uses: actions/setup-go@v4.0.0 + - uses: actions/setup-go@v5.0.0 with: go-version: 1.21.6 - shell: bash From 5ff3395adb247efb4dbfab3b0554660e14973f63 Mon Sep 17 00:00:00 2001 From: Campbell Goodwille Date: Fri, 9 Feb 2024 11:49:21 +0000 Subject: [PATCH 2/3] Updating Readme Instructions --- README.md | 80 +++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 69 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 29da478..c19f8d7 100644 --- a/README.md +++ b/README.md 
@@ -47,8 +47,71 @@ out to production. Set up a new GitHub repository that will contain your tailnet policy file. Open the [Access Controls page of the admin console](https://login.tailscale.com/admin/acls) and copy your policy file to a file in that repo called `policy.hujson`. -If you want to change this name to something else, you will need to add the -`policy-file` argument to the `with` blocks in your GitHub Actions config. +If you want to change this name to something else, you will need to add the `policy-file` argument to the `with` blocks in your GitHub Actions config. + +Now implement one of the two options below: + +### Option A - Using OAuth (Recommended) + +Copy this file to `.github/workflows/tailscale.yml`. + +```yaml +name: Sync Tailscale ACLs + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + acls: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Fetch version-cache.json + uses: actions/cache@v4 + with: + path: ./version-cache.json + key: version-cache.json-${{ github.run_id }} + restore-keys: | + version-cache.json- + + - name: Deploy ACL + if: github.event_name == 'push' + id: deploy-acl + uses: tailscale/gitops-acl-action@v1 + with: + oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }} + oauth-secret: ${{ secrets.TS_OAUTH_SECRET }} + tailnet: ${{ secrets.TS_TAILNET }} + action: apply + + - name: Test ACL + if: github.event_name == 'pull_request' + id: test-acl + uses: tailscale/gitops-acl-action@v1 + with: + oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }} + oauth-secret: ${{ secrets.TS_OAUTH_SECRET }} + tailnet: ${{ secrets.TS_TAILNET }} + action: test +``` + +Generate OAuth credentials [here](https://login.tailscale.com/admin/settings/oauth). Give it Read & Write permissions for `ACL`. 
+ +Then open the secrets settings for your repo (Settings > Secrets and variables > Actions) and add two secrets: + +* `TS_OAUTH_CLIENT_ID`: Your OAuth Client ID from the earlier step +* `TS_OAUTH_CLIENT_SECRET`: Your OAuth Client Secret from the earlier step +* `TS_TAILNET`: Your tailnet's name (it's next to the logo on the upper left-hand corner of the [admin panel](https://login.tailscale.com/admin/machines)) + +Once you do that, commit the changes and push them to GitHub. You will have CI automatically test and push changes to your tailnet policy file to Tailscale. + + +### Option B - Using API key Copy this file to `.github/workflows/tailscale.yml`. @@ -97,16 +160,11 @@ jobs: Generate a new API key [here](https://login.tailscale.com/admin/settings/keys). -Set a monthly calendar reminder to renew this key because Tailscale does not -currently support API key renewal (this will be updated to support that when -that feature is implemented). +Set a calendar reminder to renew this key because Tailscale does not support automatic API key renewal. -Then open the secrets settings for your repo and add two secrets: +Then open the secrets settings for your repo (Settings > Secrets and variables > Actions) and add two secrets: * `TS_API_KEY`: Your Tailscale API key from the earlier step -* `TS_TAILNET`: Your tailnet's name (it's next to the logo on the upper - left-hand corner of the [admin - panel](https://login.tailscale.com/admin/machines)) +* `TS_TAILNET`: Your tailnet's name (it's next to the logo on the upper left-hand corner of the [admin panel](https://login.tailscale.com/admin/machines)) -Once you do that, commit the changes and push them to GitHub. You will have CI -automatically test and push changes to your tailnet policy file to Tailscale. +Once you do that, commit the changes and push them to GitHub. You will have CI automatically test and push changes to your tailnet policy file to Tailscale. 
From cd38a56fe14d89286b8c88558521fb62dcc797bc Mon Sep 17 00:00:00 2001 From: Campbell Goodwille <82454194+campbell-lunar@users.noreply.github.com> Date: Thu, 22 May 2025 23:56:47 +0100 Subject: [PATCH 3/3] Update action.yml --- action.yml | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/action.yml b/action.yml index 4b66833..5a688ef 100644 --- a/action.yml +++ b/action.yml @@ -35,27 +35,18 @@ runs: run: | echo "::error title=⛔ error hint::only one of API Key or OAuth secret should be specified. exit 1 - - uses: actions/setup-go@v5.0.0 + - uses: actions/setup-go@v5 with: - go-version: 1.21.6 - - shell: bash - env: - GOBIN: /usr/local/bin/ - run: go install tailscale.com/cmd/gitops-pusher@gitops-1.58.2 + go-version: 1.22.4 + cache: false - - name: Gitops pusher (API Key) - if: ${{ inputs['api-key'] != '' }} - shell: bash - env: - TS_API_KEY: "${{ inputs.api-key }}" - TS_TAILNET: "${{ inputs.tailnet }}" - run: gitops-pusher "--policy-file=${{ inputs.policy-file }}" "${{ inputs.action }}" - - - name: Gitops pusher (OAuth) - if: ${{ inputs['oauth-secret'] != '' }} + - name: Gitops pusher shell: bash env: + # gitops-pusher will use OAUTH_ID and OAUTH_SECRET if non-empty, + # otherwise it will use API_KEY. TS_OAUTH_ID: "${{ inputs.oauth-client-id }}" TS_OAUTH_SECRET: "${{ inputs.oauth-secret }}" + TS_API_KEY: "${{ inputs.api-key }}" TS_TAILNET: "${{ inputs.tailnet }}" - run: gitops-pusher "--policy-file=${{ inputs.policy-file }}" "${{ inputs.action }}" + run: go run tailscale.com/cmd/gitops-pusher@66aa77416744037baec93206ae212012a2314f83 "--policy-file=${{ inputs.policy-file }}" "${{ inputs.action }}"
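Review bot: The new `run:` line in the merged "Gitops pusher" step still splices `${{ inputs.policy-file }}` and `${{ inputs.action }}` directly into the shell command; the expressions are substituted before bash parses the line, so the surrounding double quotes do not contain a value that itself carries a quote or other shell metacharacters. The secrets on the same step already go through `env:`, and the two inputs should take the same route: add `POLICY_FILE: "${{ inputs.policy-file }}"` and `GITOPS_ACTION: "${{ inputs.action }}"` under `env:` and change the command to `run: go run tailscale.com/cmd/gitops-pusher@66aa77416744037baec93206ae212012a2314f83 "--policy-file=$POLICY_FILE" "$GITOPS_ACTION"`. For a composite action these inputs normally come from the caller's `with:` block, so the actual exposure depends on whether a calling workflow wires them from event data, but treating them as untrusted costs nothing here. Separately, the added two-line comment names `OAUTH_ID`, `OAUTH_SECRET` and `API_KEY`, while the variables set below are `TS_OAUTH_ID`, `TS_OAUTH_SECRET` and `TS_API_KEY`; presumably the same variables are meant, and writing `# gitops-pusher uses TS_OAUTH_ID/TS_OAUTH_SECRET when non-empty, otherwise TS_API_KEY.` removes the guesswork. The `steps:` list and the enclosing `runs:` mapping begin outside the hunk.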