From 4abfe16ed55d0fc43379723d3a2c4cd955b6c1cf Mon Sep 17 00:00:00 2001
From: xnoto <steven@makeitwork.cloud>
Date: Wed, 29 Apr 2026 22:51:39 -0600
Subject: [PATCH] feat(opentofu): drop nested container, default to arc-tf
 native runner
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The arc-tf runner-set runs the tfroot-runner image directly; jobs no
longer need a `container:` block. Drop the input, the three container
blocks, and the `cp -r /root/.ssh /github/home/` shim that was only
required when the job ran inside a nested container.

Default `runs-on` flips to `arc-tf`. Existing callers passing
`runs-on: arc-dind` need to update — there's only the one (tfroot-libvirt),
handled in a paired PR.
---
 .github/workflows/opentofu.yml | 24 +-----------------------
 1 file changed, 1 insertion(+), 23 deletions(-)

diff --git a/.github/workflows/opentofu.yml b/.github/workflows/opentofu.yml
index 396962d..f1c40b6 100644
--- a/.github/workflows/opentofu.yml
+++ b/.github/workflows/opentofu.yml
@@ -10,11 +10,7 @@ on:
       runs-on:
         description: Runner label
         type: string
-        default: ubuntu-latest
-      container:
-        description: Container image to use
-        type: string
-        default: ghcr.io/makeitworkcloud/tfroot-runner:latest
+        default: arc-tf
       setup-ssh:
         description: Whether to setup SSH keys
         type: boolean
@@ -35,8 +31,6 @@ jobs:
   test:
     name: Pre-commit Tests
     runs-on: ${{ inputs.runs-on }}
-    container:
-      image: ${{ inputs.container }}
     env:
       SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
     steps:
@@ -52,10 +46,6 @@ jobs:
           key: ${{ secrets.SSH_PRIVATE_KEY }}
           known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
 
-      - name: Copy SSH area
-        if: ${{ inputs.setup-ssh }}
-        run: cp -r /root/.ssh /github/home/
-
       - name: Fetch canonical pre-commit config
         run: |
           curl -sSL -o .pre-commit-config.yaml \
@@ -70,8 +60,6 @@ jobs:
   plan:
     name: OpenTofu Plan
     runs-on: ${{ inputs.runs-on }}
-    container:
-      image: ${{ inputs.container }}
     if: github.event_name == 'pull_request'
     needs: [test]
     env:
@@ -87,10 +75,6 @@ jobs:
           key: ${{ secrets.SSH_PRIVATE_KEY }}
           known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
 
-      - name: Copy SSH area
-        if: ${{ inputs.setup-ssh }}
-        run: cp -r /root/.ssh /github/home/
-
       - name: OpenTofu Plan
         id: plan
         run: |
@@ -125,8 +109,6 @@ jobs:
   apply:
     name: OpenTofu Apply
     runs-on: ${{ inputs.runs-on }}
-    container:
-      image: ${{ inputs.container }}
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     needs: [test]
     environment: ${{ inputs.environment }}
@@ -143,9 +125,5 @@ jobs:
           key: ${{ secrets.SSH_PRIVATE_KEY }}
           known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
 
-      - name: Copy SSH area
-        if: ${{ inputs.setup-ssh }}
-        run: cp -r /root/.ssh /github/home/
-
       - name: OpenTofu Apply
         run: make apply