fix(arc): enable SA token automount on arc-tf runner pods

xnoto · claude · xnoto · commit ba170fc335f0 · 2026-04-30T09:06:06.000-06:00
The gha-runner-scale-set chart defaults automountServiceAccountToken
to false, so the arc-tf-runner SA's token never reached the runner
container and kubectl failed with 401. Set it true on the template
spec so the projected token is mounted at the standard path and
in-cluster auth works.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/workloads/arc/arc-tf-application.yaml b/workloads/arc/arc-tf-application.yaml
@@ -32,6 +32,9 @@ spec:
         template:
           spec:
             serviceAccountName: arc-tf-runner
+            # The gha-runner-scale-set chart disables token automount by
+            # default; re-enable so kubectl can use the SA's projected token.
+            automountServiceAccountToken: true
             containers:
               - name: runner
                 image: ghcr.io/makeitworkcloud/tfroot-runner:latest
