From a1c22bf55cf98253d0fd6d4677e5653d3c26bdd1 Mon Sep 17 00:00:00 2001 From: rcourtman Date: Wed, 8 Jul 2026 14:40:17 +0100 Subject: [PATCH] Re-pin the demo tailnet join on the OAuth client secrets Commit 0a9a29d63 moved deploy-demo-server.yml and update-demo-server.yml from the static TS_AUTHKEY to the Tailscale OAuth client but left the release promotion policy pin asserting TS_AUTHKEY, so the Canonical Governance run failed at the promotion policy unit tests once the completion guard false positive (fixed in 54a6118d1) stopped masking the step. The pin now asserts the OAuth client id and secret and pins the static key retirement. --- scripts/release_control/release_promotion_policy_test.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/release_control/release_promotion_policy_test.py b/scripts/release_control/release_promotion_policy_test.py index 0dfb829a5..c5e1fa3e4 100644 --- a/scripts/release_control/release_promotion_policy_test.py +++ b/scripts/release_control/release_promotion_policy_test.py @@ -784,7 +784,11 @@ class ReleasePromotionPolicyTest(unittest.TestCase): self.assertNotIn('SERVICE_NAME="pulse-v6-preview"', demo) self.assertNotIn("Preview demo updates must not target the stable pulse service.", demo) self.assertIn("tailscale/github-action@4e4c49acaa9818630ce0bd7a564372c17e33fb4d # v2", demo) - self.assertIn("TS_AUTHKEY", demo) + self.assertIn("oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}", demo) + self.assertIn("oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}", demo) + # The static 90-day TS_AUTHKEY was retired for the OAuth client + # (0a9a29d63); the runner mints an ephemeral tagged node key per run. + self.assertNotIn("TS_AUTHKEY", demo) self.assertIn("DEMO_EXPECTED_HOSTNAME", demo) self.assertIn("Verify target host identity", demo) self.assertIn("Demo environment points at host $REMOTE_HOSTNAME but expected $DEMO_EXPECTED_HOSTNAME.", demo)