gh: pre-pull released tailscale images for fork-PR CI

Fork PRs anonymous-pull tailscale/tailscale:vX.Y at test time and hit Docker Hub rate limits, causing flakes. A new build-tailscale-released job pulls the MustTestVersions set from ghcr.io once per CI run and ships them to every test job as a gzipped tarball artifact, matching the shape of the existing headscale/HEAD/postgres caches. The version list is driven by 'hi list-versions' so capver is the single source of truth; adding a version there propagates to CI without YAML edits. ghcr.io public reads need no auth, so the new job has no docker login step.
2026-05-24 02:58:42 +09:00 · 2026-05-22 09:45:38 +00:00
parent 2e49f3dc67
commit 66a5f99bfa
2 changed files with 59 additions and 2 deletions
--- a/.github/workflows/integration-test-template.yml
+++ b/.github/workflows/integration-test-template.yml
@@ -51,6 +51,11 @@ jobs:
        with:
          name: tailscale-head-image
          path: /tmp/artifacts
+      - name: Download tailscale released images
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: tailscale-released-images
+          path: /tmp/artifacts
      - name: Download hi binary
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
@@ -86,6 +91,7 @@ jobs:
        run: |
          gunzip -c /tmp/artifacts/headscale-image.tar.gz | docker load
          gunzip -c /tmp/artifacts/tailscale-head-image.tar.gz | docker load
+          gunzip -c /tmp/artifacts/tailscale-released-images.tar.gz | docker load
          if [ -f /tmp/artifacts/postgres-image.tar.gz ]; then
            gunzip -c /tmp/artifacts/postgres-image.tar.gz | docker load
          fi