Open
Description
Environment
- Runner: macos-15
- Action: tailscale/github-action@v4
- Auth: OIDC / Workload Identity Federation
- Exit node configured after connect: sudo tailscale set --exit-node=<node> --accept-routes
Observed behavior
Tailscale connects successfully, and tailscale set --exit-node=... also succeeds.
However, outbound traffic does not appear to use the exit node on GitHub-hosted macOS runners:
- tailscale netcheck reports public IPv4 in the 13.105.117.x range
- curl ifconfig.me returns 13.105.117.x
- Expected: the public IP of the configured exit node
- Actual: the GitHub-hosted runner public IP
We also verified that an HTTPS request to an external service still appears to originate from the runner IP rather than the exit node.
Comparison with Ubuntu
Using the same workflow and the same exit node:
| Runner | curl ifconfig.me | Result |
|---|---|---|
| ubuntu-latest | exit node public IP | Works |
| macos-15 | the GitHub-hosted runner public IP (13.105.117.x) | Not routed |
Notes
- The v4.0.0 macOS DNS fix does not appear to address this case.
- This does not look like a DNS resolution failure: requests resolve and complete, but egress IP does not switch to the exit node.
Question
Is exit node routing expected to work on GitHub-hosted macOS runners, or is this currently unsupported/limited by the macOS runner environment?
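
Added example, not part of the original issue and not code from the tailscale/github-action project: a guard a workflow step could run so a job fails closed when the exit node is set but egress still leaves from the runner, as reported above. The verdict names, the sample JSON, the 203.0.113.10 exit IP and the /24 written for "13.105.117.x" are assumptions; `ExitNodeStatus` and `BackendState` are fields of `tailscale status --json`.

```python
import ipaddress
import json

# Constructed sample: trimmed shape of `tailscale status --json` (values made up).
SAMPLE_STATUS = json.dumps({
    "BackendState": "Running",
    "ExitNodeStatus": {"ID": "nEXAMPLE", "Online": True,
                       "TailscaleIPs": ["100.64.0.2/32"]},
})


def classify_egress(status_json, observed_ip, expected_exit_ip, runner_nets=()):
    """Classify the egress path for a CI guard step (hypothetical helper).

    status_json      -- output of `tailscale status --json`
    observed_ip      -- what an external echo service (e.g. ifconfig.me) reported
    expected_exit_ip -- public IP of the configured exit node
    runner_nets      -- CIDRs the hosted runner is known to egress from
    """
    status = json.loads(status_json)
    if status.get("BackendState") != "Running":
        return "tailscale-not-running"
    exit_node = status.get("ExitNodeStatus")  # absent when no exit node is set
    if not exit_node:
        return "exit-node-not-set"
    if not exit_node.get("Online", False):
        return "exit-node-offline"
    observed = ipaddress.ip_address(observed_ip.strip())
    if observed == ipaddress.ip_address(expected_exit_ip):
        return "routed-via-exit-node"
    # The case in this report: the client accepted the setting, traffic did not move.
    if any(observed in ipaddress.ip_network(net) for net in runner_nets):
        return "exit-node-set-but-egress-is-runner"
    return "exit-node-set-but-egress-unknown"


if __name__ == "__main__":
    verdict = classify_egress(SAMPLE_STATUS, "13.105.117.20\n",
                              "203.0.113.10", ["13.105.117.0/24"])
    print(verdict)
    # Fail the job unless traffic demonstrably leaves via the exit node.
    raise SystemExit(0 if verdict == "routed-via-exit-node" else 1)
```

Run it before any step that depends on the exit node's IP (allow-listed deploy targets, for example), so a silent fallback to the runner IP stops the job instead of surfacing later as a rejected connection.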