From bb99064272eaeb50a9b9def970d41da28d2ef1a7 Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 30 Apr 2026 09:56:33 -0600
Subject: [PATCH] fix(arc): disable prune on arc-tf to break controller-vs-argocd loop
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The gha-runner-scale-set controller dynamically creates an AutoscalingListener plus a Role/RoleBinding pair named arc-tf--listener, labeled with app.kubernetes.io/instance. ArgoCD's label-based tracking claims them as managed, but the chart does not render them, so each reconcile prunes them and the controller recreates them — keeping the Application stuck in a Progressing/OutOfSync loop. Disable prune on this Application; selfHeal still keeps the chart-rendered resources reconciled.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 workloads/arc/arc-tf-application.yaml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/workloads/arc/arc-tf-application.yaml b/workloads/arc/arc-tf-application.yaml
index 0536288..294fd63 100644
--- a/workloads/arc/arc-tf-application.yaml
+++ b/workloads/arc/arc-tf-application.yaml
@@ -42,20 +42,23 @@ spec:
 # The gha-runner-scale-set controller propagates hash annotations into
 # AutoscalingRunnerSet metadata and spec.template.metadata; ignore only those
 # paths so selfHeal doesn't thrash, but spec.template.spec changes
- # (serviceAccountName, image, etc.) still sync. The dynamically-created
- # listener resources (AutoscalingListener + paired Role/RoleBinding) are
- # cosmetically reported as OutOfSync because the chart doesn't render them
- # and ArgoCD's label-based tracking still claims them — Health stays correct
- # and Synced won't follow without a cluster-wide tracking-method change.
+ # (serviceAccountName, image, etc.) still sync.
 ignoreDifferences:
 - group: actions.github.com
 kind: AutoscalingRunnerSet
 jsonPointers:
 - /metadata/annotations
 - /spec/template/metadata/annotations
+ # prune is disabled because the controller dynamically creates an
+ # AutoscalingListener plus a paired Role/RoleBinding (named
+ # arc-tf--listener) and labels them with app.kubernetes.io/instance,
+ # so ArgoCD's label-based tracking claims them as managed. The chart does
+ # not render these, so with prune=true ArgoCD repeatedly prunes them and
+ # the controller recreates them — a sync loop. selfHeal still keeps the
+ # chart-rendered resources reconciled.
 syncPolicy:
 automated:
- prune: true
+ prune: false
 selfHeal: true
 syncOptions:
 - RespectIgnoreDifferences=true
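Review bot: Setting `prune: false` under `syncPolicy.automated` turns off pruning for every resource in this Application, not only the controller-created listener objects. Anything a later chart version stops rendering, including Roles, RoleBindings or ServiceAccounts, will therefore stay in the cluster with its permissions intact. The new comment explains the loop but not this trade-off, so I would add a line such as `# NOTE: with prune off, resources dropped by a chart upgrade (incl. RBAC) are not deleted; review and remove orphans after each upgrade.` If a narrower fix is acceptable, annotation-based tracking (`application.resourceTrackingMethod: annotation`) or a `resource.exclusions` entry for the listener kinds in argocd-cm would probably stop ArgoCD claiming those objects while keeping prune on. Both are cluster-wide settings, as the removed comment already hinted. The `spec` block starts above this hunk, so I cannot see whether other sync options already cover this.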