Blog | Product | November 17, 2025

Tailscale GitHub Action v4: faster, more reliable, and new features

Tailscale has a unique ability to connect any machine to any machine, and CI/CD pipelines are no exception. The Tailscale GitHub Action has, as of this writing, nearly 800 stars since its first release in April 2021.

The first three versions of the Tailscale GitHub Action were written in bash, and bash had served us well. As we received feedback from power users of the Action, and started to form ideas about how we’d like to improve, it became clear that we needed to port the Action to a more powerful language.

Version 4 of the Tailscale GitHub Action now uses TypeScript and the core of the GitHub Actions Toolkit. This rewrite opens the door to new functionality and lets us fix long-standing issues with the bash-based Action, making the experience even smoother.

Community Feedback

[Diagram: a GitHub box containing "Workload" and "Tailscale Client" connects to "Internal AWS Service," "Internal Azure Service," and "Internal VPC Service," each of which contains a "Tailscale Client."]

For many Tailscale users, the GitHub action seamlessly unlocks workflows that weren’t previously possible. GitHub’s managed runners run outside the security boundary that you have inside your network, so it can be incredibly difficult to run workflows that involve activities like integration tests against internal APIs, database migrations against private databases, or infrastructure as code (IaC) tasks against secret managers. By adding a single step to your workflow to include a Tailscale device, you can connect your GitHub managed runner to your infrastructure following zero trust principles, enabling automation that saves time and dollars.

Our bash-based Action provided that upgrade, but it had several areas that needed to improve.

One common piece of feedback we heard was that since the propagation of firewall rules and device presence in the tailnet network can take some time, CI workloads sometimes couldn't reach the rest of the network right away. When you add a device to the tailnet, it takes a moment for the other devices to appear in the netmap. When logging into a human device like a laptop or phone, this is generally transparent to the user, but in a GitHub workflow, this could sometimes affect the user experience.

Another note from Action users was that the GitHub Action device “hung around” in the Tailscale console as a disconnected device for a time after the action had terminated. This could potentially cause confusion to Tailscale admins, and counted against overall device limits for a tailnet until they were periodically removed by our backend systems, so users had to clean up devices “out of band.”

Finally, GitHub Actions are billed based on the amount of time they operate, so performance is critical when connecting to Tailscale. The act of downloading, installing, and initiating Tailscale is generally in the low seconds, but as the number of CI/CD jobs scales, every second counts. Improving performance could save existing and new users of the action meaningful money over time.

The newly released version of the GitHub Action addresses all of these issues and provides a drastically improved experience. Here are its new features and upgrades.

DNS Setup & Connectivity

The GitHub Action supports a new parameter: ping.

The ping parameter blocks the workflow until connectivity and DNS resolution for the specified devices are established within the tailnet, so the workflow connects to other devices only once those devices are ready to accept its connections.

The ping parameter accepts a comma-separated list of IP addresses and DNS names, like so:

- name: Tailscale
  uses: tailscale/github-action@v4
  with:
    ping: 100.x.y.z,my-machine.my-tailnet.ts.net
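
An added example, not from the original post: a complete workflow in which the ping gate sits between joining the tailnet and the first step that talks to an internal host. The secret names, the tag:ci tag, the job layout and the /healthz endpoint are assumptions; oauth-client-id, oauth-secret and tags are inputs of the action, and the hostname is the placeholder used above.

```yaml
# Added example; secret names, tag:ci, and the /healthz URL are assumptions.
name: integration-tests
on:
  pull_request:

permissions:
  contents: read   # the job only needs to read the repository

jobs:
  test-internal-api:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Tailscale
        uses: tailscale/github-action@v4
        with:
          # OAuth client credentials stored as repository secrets (names assumed).
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          # Tag the runner's node so tailnet access rules can scope it to what CI needs.
          tags: tag:ci
          # Block until this peer is reachable and its name resolves.
          ping: my-machine.my-tailnet.ts.net

      - name: Call internal API
        # Runs only after the ping gate has passed; endpoint path is hypothetical.
        run: curl --fail --silent --show-error https://my-machine.my-tailnet.ts.net/healthz
```

Because the runner joins as a tagged node, the tailnet's access rules can limit that tag to the same hosts listed in ping rather than the whole network.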

Device Cleanup

The new GitHub Action now automatically runs tailscale logout on completion of the workflow. This capability is not available in bash-based Actions, but is enabled by default on TypeScript-based Actions. By upgrading to v4 of the GitHub Action, users will be able to keep their tailnets clean, without any manual steps.

Speed Improvements

The TypeScript SDK enables much more efficient caching capabilities inside the runner. This results in a notable speed increase compared to the bash-based runner, and enables more reliable performance. We made the decision to enable binary caching by default with this major version bump of the runner, and we’re excited to hear from customers how much time this saves!

Give it a try

Upgrading to the v4 version of the Action should be a simple change for most organizations. Simply update your workflows to reference v4 of the Action:

- name: Tailscale
  uses: tailscale/github-action@v4

Feedback, of course, is always appreciated. Let us know—via Discord, Reddit or GitHub Issues—what else you’d like to see in Tailscale’s CI/CD tools.

Author: Lee Briggs

Contributor: Percy Wegmann