fix(arc): narrow AutoscalingRunnerSet ignoreDifferences

xnoto · claude · xnoto · commit e2fbc6eb7749 · 2026-04-30T08:58:41.000-06:00
ignoring /spec/template wholesale also masks spec.template.spec changes
like serviceAccountName, so the new arc-tf-runner SA never reached the
runner pods and they kept booting under the chart's default
arc-tf-gha-rs-no-permission SA. Restrict the ignore to the annotation
paths the controller actually mutates so template spec changes sync.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/workloads/arc/arc-tf-application.yaml b/workloads/arc/arc-tf-application.yaml
@@ -36,9 +36,10 @@ spec:
               - name: runner
                 image: ghcr.io/makeitworkcloud/tfroot-runner:latest
                 command: ["/home/runner/run.sh"]
-  # The gha-runner-scale-set controller mutates AutoscalingRunnerSet at runtime
-  # (hash annotations propagate down through spec.template); ignore those drifts
-  # so selfHeal doesn't thrash on every reconcile. The dynamically-created
+  # The gha-runner-scale-set controller propagates hash annotations into
+  # AutoscalingRunnerSet metadata and spec.template.metadata; ignore only those
+  # paths so selfHeal doesn't thrash, but spec.template.spec changes
+  # (serviceAccountName, image, etc.) still sync. The dynamically-created
   # listener resources (AutoscalingListener + paired Role/RoleBinding) are
   # cosmetically reported as OutOfSync because the chart doesn't render them
   # and ArgoCD's label-based tracking still claims them — Health stays correct
@@ -48,7 +49,7 @@ spec:
       kind: AutoscalingRunnerSet
       jsonPointers:
         - /metadata/annotations
-        - /spec/template
+        - /spec/template/metadata/annotations
   syncPolicy:
     automated:
       prune: true
