From b4d39e2fd92538384aa7388fdbeda0ec51973bfc Mon Sep 17 00:00:00 2001
From: Mario Minardi
Date: Fri, 30 Jan 2026 17:03:17 -0700
Subject: [PATCH] cmd/gitops-pusher: fix precedence when id token env var is empty
Fix precedence logic to skip federated identity logic when the associated environment variables are empty.
Updates https://github.com/tailscale/gitops-acl-action/issues/71
Signed-off-by: Mario Minardi
---
 cmd/gitops-pusher/gitops-pusher.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/gitops-pusher/gitops-pusher.go b/cmd/gitops-pusher/gitops-pusher.go
index 39a60d306..11448e30d 100644
--- a/cmd/gitops-pusher/gitops-pusher.go
+++ b/cmd/gitops-pusher/gitops-pusher.go
@@ -252,7 +252,7 @@ func getCredentials() (*http.Client, string) {
 TokenURL: fmt.Sprintf("https://%s/api/v2/oauth/token", *apiServer),
 }
 client = oauthConfig.Client(context.Background())
- } else if idok {
+ } else if idok && idToken != "" && oiok && oauthId != "" {
 if exchangeJWTForToken, ok := tailscale.HookExchangeJWTForTokenViaWIF.GetOk(); ok {
 var err error
 apiKeyEnv, err = exchangeJWTForToken(context.Background(), fmt.Sprintf("https://%s", *apiServer), oauthId, idToken)
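Review bot: With the new guard on the `else if`, a partially configured federated-identity setup (an ID token present but an empty OAuth client ID, or the reverse) is skipped without any message, so the run falls through to whatever credential handling follows. The rest of getCredentials lies outside this hunk, so this is unconfirmed, but if a later path picks up a long-lived API key, the operator would not learn that the token exchange was never attempted. Consider logging which variable was set but empty before falling through. The condition also deserves a comment such as `// Present-but-empty env vars count as unset, so blank values never reach the token exchange.` If `idToken` and `oauthId` come from `os.LookupEnv` (not visible here), the `idok`/`oiok` terms are redundant with the `!= ""` checks and `idToken != "" && oauthId != ""` would read more plainly.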