Clarify tag JSON first
simonw authored Feb 23, 2025
1 parent 34b89e3 commit e3ae8b8
Showing 1 changed file with 11 additions and 12 deletions.
23 changes: 11 additions & 12 deletions tailscale/tailscale-github-actions.md
Expand Up @@ -18,17 +18,7 @@ The great thing about an Apple TV for this is that it's an existing low power de

The GitHub Actions workflow needs an OAuth client with credentials that allow it to join the Tailscale network.

This can be created at [https://login.tailscale.com/admin/settings/oauth](https://login.tailscale.com/admin/settings/oauth)

As far as I can tell this needs the "Devices: Core" scopes configured for both read and write access, plus a tag. It also needed read/write access for **Auth Keys**.

Here's how I configured that device access:

![Screenshot of OAuth device permissions interface showing "Devices" section with "Core" permissions that include "Read" and "Write" checkboxes (both checked). Text reads "Read or modify devices and their properties." Below is a "Tags" section labeled "(required for write scope)" with explanation "Access tokens generated by this OAuth Client will be able to assign the below tags to devices." There is one tag shown: "tag:github-actions". Below is an "Add tags" dropdown.](https://static.simonwillison.net/static/2025/tailscale-oauth.jpg)

Plus I selected the read and write checkboxes for "Auth Keys".

I also added the tag to another section in the Tailscale interface, because one of the documents I read suggested that the tag needed that. I don't know if this is necessary or not, but I used the JSON editing interface at [https://login.tailscale.com/admin/acls/file](https://login.tailscale.com/admin/acls/file) and added this:
First I needed to define a "tag" for my OAuth cleint to ise. I used the JSON editing interface at [https://login.tailscale.com/admin/acls/file](https://login.tailscale.com/admin/acls/file) and added this:

```
...
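Review bot: The added sentence that introduces the tag step has two typos, "cleint" and "ise"; it should read: First I needed to define a "tag" for my OAuth client to use. The same hunk drops the earlier wording "I don't know if this is necessary or not", so the ACL entry is now presented as a required first step; if that has not been confirmed, keep a short hedge in the new sentence.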
Expand All @@ -37,7 +27,16 @@ I also added the tag to another section in the Tailscale interface, because one
}
...
```
(I'm hoping a Tailscale expert can confirm if this was necessary or not!)

The OAuth client can then be created at [https://login.tailscale.com/admin/settings/oauth](https://login.tailscale.com/admin/settings/oauth)

As far as I can tell this needs the "Devices: Core" scopes configured for both read and write access, plus a tag. It also needed read/write access for **Auth Keys**.

Here's how I configured that device access:

![Screenshot of OAuth device permissions interface showing "Devices" section with "Core" permissions that include "Read" and "Write" checkboxes (both checked). Text reads "Read or modify devices and their properties." Below is a "Tags" section labeled "(required for write scope)" with explanation "Access tokens generated by this OAuth Client will be able to assign the below tags to devices." There is one tag shown: "tag:github-actions". Below is an "Add tags" dropdown.](https://static.simonwillison.net/static/2025/tailscale-oauth.jpg)

Plus I selected the read and write checkboxes for "Auth Keys".

## Configuring GitHub Actions to use the exit node

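Review bot: In the relocated paragraph, "plus a tag" never names the tag; within these lines it only appears in the screenshot alt text ("tag:github-actions"). Now that the ACL tag definition comes first, name the tag in the prose here and say it is the one defined in the JSON step, so the two steps are tied together for readers who cannot see the image. The "As far as I can tell" hedge on read/write for Devices: Core and Auth Keys is carried over unchanged while the request for expert confirmation is removed; consider stating that these are the scopes that worked, not a confirmed minimum set.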