From ba170fc335f0d5efb8cbcd979a2ec1f7733cd420 Mon Sep 17 00:00:00 2001
From: xnoto <steven@makeitwork.cloud>
Date: Thu, 30 Apr 2026 09:06:06 -0600
Subject: [PATCH] fix(arc): enable SA token automount on arc-tf runner pods

The gha-runner-scale-set chart defaults automountServiceAccountToken
to false, so the arc-tf-runner SA's token never reached the runner
container and kubectl failed with 401. Set it true on the template
spec so the projected token is mounted at the standard path and
in-cluster auth works.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 workloads/arc/arc-tf-application.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/workloads/arc/arc-tf-application.yaml b/workloads/arc/arc-tf-application.yaml
index 8f86999..0536288 100644
--- a/workloads/arc/arc-tf-application.yaml
+++ b/workloads/arc/arc-tf-application.yaml
@@ -32,6 +32,9 @@ spec:
         template:
           spec:
             serviceAccountName: arc-tf-runner
+            # The gha-runner-scale-set chart disables token automount by
+            # default; re-enable so kubectl can use the SA's projected token.
+            automountServiceAccountToken: true
             containers:
               - name: runner
                 image: ghcr.io/makeitworkcloud/tfroot-runner:latest