validate that when using an OAuth client, tags are specified

Also include a troubleshooting section in the README with information about the
requested tags are invalid or not permitted error.

Updates #78

Signed-off-by: Percy Wegmann <percy@tailscale.com>

Author: oxtoacart

README.md

@@ -134,3 +134,9 @@ Although caching is generally recommended, you can disable it by passing `'false
 
 When running on self-hosted runners that persist after CI jobs have finished,
 the GitHub Action leaves tailscale binaries installed but stops the tailscale background processes.
+
+## Troubleshooting
+
+### requested tags [tag:mytag] are invalid or not permitted
+
+You may encounter this error when using an OAuth client. OAuth clients must have the [`auth_keys` scope](https://tailscale.com/kb/1215/oauth-clients#scopes) with one or more [tags](https://tailscale.com/kb/1068/acl-tags/), and the tags specified with `tags` must match all tags on the OAuth client.

action.yml

@@ -19,7 +19,7 @@ inputs:
     description: 'Your Tailscale OAuth Client Secret.'
     required: false
   tags:
-    description: 'Comma separated list of Tags to be applied to nodes. The OAuth client must have permission to apply these tags.'
+    description: 'Comma separated list of Tags to be applied to nodes. When using an OAuth client, the OAuth client must have the `auth_keys` scope and alls tags on the OAuth client must match all tags specified here.'
     required: false
   version:
     description: 'Tailscale version to use. Specify `latest` to use the latest stable version, and `unstable` to use the latest development version.'

dist/index.js

@@ -41264,7 +41264,7 @@ async function getInputs() {
             core.setSecret(oauthSecret);
         }
     }
-    return {
+    const config = {
         version: core.getInput("version") || "1.88.3",
         resolvedVersion: "",
         arch: "",
@@ -41282,6 +41282,10 @@ async function getInputs() {
         sha256Sum: core.getInput("sha256sum") || "",
         pingHosts: pingHosts,
     };
+    if (config.oauthSecret && !config.tags) {
+        throw new Error("the tags parameter is required when using an OAuth client");
+    }
+    return config;
 }
 function validateAuth(config) {
     if (!config.authKey && (!config.oauthSecret || !config.tags)) {
@@ -41628,9 +41632,7 @@ async function connectToTailscale(config, runnerOS) {
     const tagsArg = [];
     if (config.oauthSecret) {
         finalAuthKey = `${config.oauthSecret}?preauthorized=true&ephemeral=true`;
-        if (config.tags) {
-            tagsArg.push(`--advertise-tags=${config.tags}`);
-        }
+        tagsArg.push(`--advertise-tags=${config.tags}`);
     }
     // Platform-specific args
     const platformArgs = [];

src/main.ts

@@ -208,7 +208,7 @@ async function getInputs(): Promise<TailscaleConfig> {
     }
   }
 
-  return {
+  const config = {
     version: core.getInput("version") || "1.88.3",
     resolvedVersion: "",
     arch: "",
@@ -226,6 +226,14 @@ async function getInputs(): Promise<TailscaleConfig> {
     sha256Sum: core.getInput("sha256sum") || "",
     pingHosts: pingHosts,
   };
+
+  if (config.oauthSecret && !config.tags) {
+    throw new Error(
+      "the tags parameter is required when using an OAuth client"
+    );
+  }
+
+  return config;
 }
 
 function validateAuth(config: TailscaleConfig): void {
@@ -665,9 +673,7 @@ async function connectToTailscale(
 
   if (config.oauthSecret) {
     finalAuthKey = `${config.oauthSecret}?preauthorized=true&ephemeral=true`;
-    if (config.tags) {
-      tagsArg.push(`--advertise-tags=${config.tags}`);
-    }
+    tagsArg.push(`--advertise-tags=${config.tags}`);
   }
 
   // Platform-specific args