feat(arc): replace dind runner with arc-tf scale set on tfroot-runner (#25)

## Summary

Single GitHub Actions runner-set running the rebuilt tfroot-runner image
(based on \`ghcr.io/actions/actions-runner\`). No docker-in-docker, no
nested \`container:\` blocks in caller workflows. Consumers move to
\`runs-on: arc-tf\`.

### Removed (legacy summerwind ARC + dind plumbing)

- \`operators/arc/dind-application.yaml\` — summerwind controller
install
- \`operators/arc/github-token-secret.yaml\` — its \`arc-dind-systems\`
token
- \`operators/arc/namespace.yaml\` — \`arc-dind-systems\` ns
- \`operators/arc/ksops-arc-secrets.yaml\` — only listed the deleted
token
- \`workloads/arc/runner-application.yaml\` — old runner-set with
\`docker:dind\` sidecar
- \`workloads/arc/docker-daemon-config.yaml\` — dind registry-mirror
config
- \`workloads/arc/registry.yaml\` — internal docker-registry ns + SA +
RB
- \`workloads/arc/rbac.yaml\` — \`system:openshift:scc:privileged\`
binding (the SCC ClusterRole doesn't exist on k3s)

### Added

- \`workloads/arc/arc-tf-application.yaml\` — \`gha-runner-scale-set\`
Helm Application, \`releaseName / runnerScaleSetName: arc-tf\`, \`image:
ghcr.io/makeitworkcloud/tfroot-runner:latest\`. \`ignoreDifferences\`
for the controller-mutated listener resources (same fix that was applied
to the old generic runner-set in #11).

### Tidied

- \`workloads/apps/arc-app.yaml\` — drop the OpenShift ImageStream
\`ignoreDifferences\` block.
- Both \`operators/arc/\` and \`workloads/arc/\` \`kustomization.yaml\`
files trimmed to the surviving resources.

### Kept

- \`operators/arc/arcsystem.yaml\` — the
\`gha-runner-scale-set-controller\` Application (the new arc-tf
runner-set depends on it).
- \`workloads/arc/namespace.yaml\` — \`arc-runners\` ns reused for the
new runner-set.
- \`workloads/arc/github-token-secret.yaml\` +
\`ksops-arc-secrets.yaml\` — \`arc-runner-github-token\` Secret reused
as \`githubConfigSecret\`.

## Pairs with

- images PR #6 (merged) — tfroot-runner image rebased onto
\`ghcr.io/actions/actions-runner\`.
- shared-workflows (incoming) — drop the nested \`container:\` block;
default \`runs-on: arc-tf\`.
- tfroot-libvirt (incoming) — caller switches from \`runs-on: arc-dind\`
+ \`container:\` to plain \`runs-on: arc-tf\`.

## Test plan

- [x] After merge: \`kubectl -n arc-runners get autoscalingrunnerset
arc-tf\` exists; listener pod registers with GitHub
- [x] After merge: GitHub org → Actions → Runners shows an \`arc-tf\`
runner set
- [x] After merge: a job with \`runs-on: arc-tf\` spawns an ephemeral
pod in arc-runners, runs to completion, pod terminates
- [x] After merge: legacy \`arc-dind\` Application is pruned by
gitops-operators; \`arc-dind-systems\` ns gone
- [x] After merge: \`docker-registry\` ns gone (pruned)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Author: xnoto

operators/arc/dind-application.yaml

@@ -3,7 +3,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - arcsystem.yaml
-  - namespace.yaml
-  - dind-application.yaml
-generators:
-  - ksops-arc-secrets.yaml

operators/arc/github-token-secret.yaml

@@ -14,16 +14,6 @@ spec:
     targetRevision: main
   destination:
     server: https://kubernetes.default.svc
-  # Ignore fields that OpenShift mutates on ImageStreams after import
-  ignoreDifferences:
-    - group: image.openshift.io
-      kind: ImageStream
-      jqPathExpressions:
-        - .spec.lookupPolicy
-        - .spec.tags[].generation
-        - .spec.tags[].importPolicy.importMode
-        - .spec.tags[].referencePolicy
-        - .spec.tags[].annotations
   syncPolicy:
     automated:
       prune: true

operators/arc/ksops-arc-secrets.yaml

@@ -0,0 +1,56 @@
+# GitHub Actions runner scale set running the tfroot-runner image.
+# Jobs labeled `runs-on: arc-tf` execute directly in this pod — no nested
+# `container:` block, no docker-in-docker. Replaces the legacy summerwind
+# arc-dind controller and the arc-runners-with-dind-sidecar pattern.
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: arc-tf
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  destination:
+    namespace: arc-runners
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    chart: gha-runner-scale-set
+    repoURL: ghcr.io/actions/actions-runner-controller-charts
+    targetRevision: 0.13.1
+    helm:
+      releaseName: arc-tf
+      valuesObject:
+        runnerScaleSetName: arc-tf
+        controllerServiceAccount:
+          name: arc-gha-rs-controller
+          namespace: arc-systems
+        githubConfigSecret: arc-runner-github-token
+        githubConfigUrl: https://github.com/makeitworkcloud
+        maxRunners: 3
+        minRunners: 0
+        template:
+          spec:
+            containers:
+              - name: runner
+                image: ghcr.io/makeitworkcloud/tfroot-runner:latest
+                command: ["/home/runner/run.sh"]
+  # The gha-runner-scale-set controller mutates listener resources at runtime
+  # (hash annotations, autoscaling spec). Ignore those drifts.
+  ignoreDifferences:
+    - group: actions.github.com
+      kind: AutoscalingListener
+      jsonPointers:
+        - /metadata/annotations
+        - /spec
+    - group: actions.github.com
+      kind: AutoscalingRunnerSet
+      jsonPointers:
+        - /metadata/annotations
+        - /spec/template
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - RespectIgnoreDifferences=true

operators/arc/kustomization.yaml

@@ -2,10 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - registry.yaml
   - namespace.yaml
-  - docker-daemon-config.yaml
-  - runner-application.yaml
-  - rbac.yaml
+  - arc-tf-application.yaml
 generators:
   - ksops-arc-secrets.yaml