Re-pin the demo tailnet join on the OAuth client secrets

Commit 0a9a29d63 moved deploy-demo-server.yml and update-demo-server.yml
from the static TS_AUTHKEY to the Tailscale OAuth client but left the
release promotion policy pin asserting TS_AUTHKEY, so the Canonical
Governance run failed at the promotion policy unit tests once the
completion guard false positive (fixed in 54a6118d1) stopped masking
the step. The pin now asserts the OAuth client id and secret and pins
the static key retirement.
This commit is contained in:
rcourtman 2026-07-08 14:40:17 +01:00
parent d61f57a1e2
commit a1c22bf55c

View file

@ -784,7 +784,11 @@ class ReleasePromotionPolicyTest(unittest.TestCase):
self.assertNotIn('SERVICE_NAME="pulse-v6-preview"', demo)
self.assertNotIn("Preview demo updates must not target the stable pulse service.", demo)
self.assertIn("tailscale/github-action@4e4c49acaa9818630ce0bd7a564372c17e33fb4d # v2", demo)
self.assertIn("TS_AUTHKEY", demo)
self.assertIn("oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}", demo)
self.assertIn("oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}", demo)
# The static 90-day TS_AUTHKEY was retired for the OAuth client
# (0a9a29d63); the runner mints an ephemeral tagged node key per run.
self.assertNotIn("TS_AUTHKEY", demo)
self.assertIn("DEMO_EXPECTED_HOSTNAME", demo)
self.assertIn("Verify target host identity", demo)
self.assertIn("Demo environment points at host $REMOTE_HOSTNAME but expected $DEMO_EXPECTED_HOSTNAME.", demo)