Using Tailscale from GitHub Actions to deploy code on premises
I have “compute” resources in many places. Some are in my home, some are in the cloud and some may even be in my pocket. Communication between devices in different locations and networks is not easy. Tailscale is a solution that creates a new “overlay” network containing my machines so that they can talk to each other; they call it a “tailnet”.
This post describes how I use GitHub Actions with standard cloud-hosted runners to reach and update software on machines that sit behind NAT and a firewall.
Tailscale is free for small networks
What I had to do:
- Configure the GitHub Actions workflow to use the Tailscale GitHub Action to connect as an ephemeral node in my tailnet.
- Use Tailscale SSH to run commands on premises.
To use the Tailscale GitHub Action in your workflow you need to create a Tailscale OAuth client and store its ID and secret as repository secrets. The action makes the runner an ephemeral node in your tailnet, from which you can access your other machines.

```yaml
- name: Tailscale connect
  uses: tailscale/github-action@v3
  with:
    oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
    oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
    tags: tag:gh-actions
```
SSH is not allowed by default for ephemeral nodes, so you have to allow it in access control in Tailscale. The rule below shows how I configured it in my network: machines with the tag gh-actions can only SSH into machines that have the tag edgeserver.

```json
{
  "action": "accept",
  "src": ["tag:gh-actions"],
  "dst": ["tag:edgeserver"],
  "users": ["autogroup:nonroot", "root"],
},
```
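Because the CI runner becomes a node in the tailnet, the policy file is what bounds the blast radius if a workflow or the OAuth secret is ever compromised. The following is an added example, not code from the post or from Tailscale: a small lint script that reads a tailnet policy file, finds every `acls` and `ssh` rule whose source includes the CI tag, and reports anything broader than SSH into the intended destination tag. The sample policy embedded in it is constructed for the example (the `tagOwners` and `acls` entries are my assumptions about how the surrounding file might look), and the HuJSON reader is a simplification that only strips `//` comments and trailing commas.

```python
import json
import re

# Constructed tailnet policy in HuJSON (comments and trailing commas allowed).
# It mirrors the post's SSH rule; the tagOwners and acls entries are assumed.
SAMPLE_POLICY = """
{
  // constructed sample, not a real tailnet policy
  "tagOwners": {
    "tag:gh-actions": ["autogroup:admin"],
    "tag:edgeserver": ["autogroup:admin"],
  },
  "acls": [
    {"action": "accept", "src": ["tag:gh-actions"], "dst": ["tag:edgeserver:22"]},
  ],
  "ssh": [
    {
      "action": "accept",
      "src": ["tag:gh-actions"],
      "dst": ["tag:edgeserver"],
      "users": ["autogroup:nonroot", "root"],
    },
  ],
}
"""


def parse_hujson(text):
    """Simplified HuJSON reader: drop // comments and trailing commas, then json.loads.
    Sufficient for policy files whose string values contain no '//'."""
    no_comments = re.sub(r"//[^\n]*", "", text)
    no_trailing = re.sub(r",(\s*[}\]])", r"\1", no_comments)
    return json.loads(no_trailing)


def check_ci_acl_rules(policy, ci_tag="tag:gh-actions",
                       allowed_dst=("tag:edgeserver",), allowed_ports=("22",)):
    """Findings for network ACL rules that let the CI tag reach more than SSH on the allowed tags."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        if ci_tag not in rule.get("src", []):
            continue
        for dst in rule.get("dst", []):
            # dst is "<host>:<port>"; a bare "*" has no host part and is flagged too
            host, _, port = dst.rpartition(":")
            if host not in allowed_dst or port not in allowed_ports:
                findings.append(
                    f"acls[{i}]: {ci_tag} -> {dst} is broader than port "
                    f"{'/'.join(allowed_ports)} on {', '.join(allowed_dst)}")
    return findings


def check_ci_ssh_rules(policy, ci_tag="tag:gh-actions", allowed_dst=("tag:edgeserver",)):
    """Findings for Tailscale SSH rules that grant the CI tag extra hosts or a root login."""
    findings = []
    for i, rule in enumerate(policy.get("ssh", [])):
        if ci_tag not in rule.get("src", []):
            continue
        for dst in rule.get("dst", []):
            if dst not in allowed_dst:
                findings.append(f"ssh[{i}]: {ci_tag} may SSH into unexpected destination {dst}")
        if "root" in rule.get("users", []):
            findings.append(f"ssh[{i}]: {ci_tag} may log in as root")
    return findings


def lint(policy):
    """All findings, in file order: ACL grants first, then SSH rules."""
    return check_ci_acl_rules(policy) + check_ci_ssh_rules(policy)


if __name__ == "__main__":
    for finding in lint(parse_hujson(SAMPLE_POLICY)):
        print(finding)
```

Run against the sample it reports only the root login, which is exactly the one decision in the post's rule worth a second look: a deployment that only writes into a user's home directory does not need root, so dropping `"root"` from `users` keeps a hijacked workflow from becoming a root shell on the edge server. Pointing the script at your own policy file instead of the sample is a one-line change in the `__main__` block.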
With Tailscale SSH, Tailscale manages the SSH keys for you. Depending on the complexity of your application, the deployment can be as simple as
```yaml
- name: Publish site
  run: |
    ssh -o StrictHostKeyChecking=no user1@machine1 "mkdir -p ~/www/"
    scp -r ./public user1@machine1:~/www/
```
machine1 is a machine on my network, and user1 is a user on that machine. The step copies files from the public folder on the workflow runner to the www folder on the destination machine.
There are other ways to give GitHub Actions access to on-premises machines, such as self-hosted runners or setting up a VPN. For now I use Tailscale and I am happy with that solution.