
fix(ci): auto-deploy ARC runners on push to main#160

Merged
Jesssullivan merged 1 commit into main from fix/arc-runners-auto-deploy
Mar 25, 2026

Conversation

@Jesssullivan
Collaborator

Summary

  • Remove environment: arc-runners gate from the apply job
  • PR review is the safety gate — once on main, deploy automatically
  • Add runners/** to path trigger so Dockerfile changes trigger deploys

Why

The environment gate caused the apply to skip on every push to main, requiring manual local tofu apply runs. This creates local/CI state drift — the exact thing IaC is supposed to prevent.

Test plan

  • Verify plan job still runs on PR (unchanged)
  • Verify apply condition logic is preserved (has-changes && push to main)
  • Next push to main with arc-runner changes should plan AND apply

Remove environment gate from apply job — PR review is the safety gate.
Auto-deploy on push to main prevents local/CI state drift. Also widen
path trigger to include runners/ directory (Dockerfile changes).
@Jesssullivan Jesssullivan merged commit fd99061 into main Mar 25, 2026
@Jesssullivan Jesssullivan deleted the fix/arc-runners-auto-deploy branch March 25, 2026 03:49
@greptile-apps

greptile-apps bot commented Mar 25, 2026

Greptile Summary

This PR removes the environment: arc-runners manual approval gate from the apply job and adds runners/** to the push path trigger, enabling fully automatic deploys on merge to main. The motivation is sound — eliminating the environment gate that caused every push to skip the apply step, forcing error-prone manual tofu apply runs locally.

Key changes:

  • environment: arc-runners removed from the apply job; auto-deploy now fires immediately on push to main once the plan detects changes.
  • runners/** added to the push path trigger so Dockerfile changes in that directory also kick off the deploy pipeline.

Issues found:

  • runners/** was not added to the pull_request path trigger (only to push). PRs that exclusively touch files under runners/** will never trigger the plan job, so reviewers won't see a plan output during PR review. The apply will still run automatically on merge — silently, with no prior plan visibility. This directly contradicts the stated safety model of "PR review is the safety gate."
  • With the environment gate removed, workflow_dispatch with action == 'apply' is now also unguarded. Any user with write access can trigger an immediate infrastructure apply without a secondary approval step.

Confidence Score: 3/5

  • Safe to merge with caution — the environment gate removal is intentional, but the runners/** path asymmetry should be fixed before relying on PR review as the safety gate for Dockerfile changes.
  • The core motivation (removing the skipping environment gate) is valid and the apply condition logic is preserved. However, the runners/** path missing from the pull_request trigger creates a real gap: Dockerfile-only PRs won't show a plan, so infrastructure changes can reach production without prior plan review. This partially undermines the stated safety model. Score of 3 reflects that the PR is functionally mostly correct but has a meaningful oversight that should be addressed.
  • .github/workflows/deploy-arc-runners.yml — verify the runners/** path is added to the pull_request trigger to ensure plan visibility during PR review.

Important Files Changed

Filename: .github/workflows/deploy-arc-runners.yml
Overview: Removes the environment: arc-runners approval gate and adds runners/** to the push path trigger. The gate removal is intentional and well-reasoned, but runners/** was not added to the pull_request path trigger, meaning PRs that only touch Dockerfile/runner files won't surface a plan for review — undermining the stated "PR review is the safety gate" model.

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub Actions
    participant Plan as plan job
    participant Apply as apply job
    participant Verify as verify job
    participant Infra as ARC Infra (Civo/K8s)

    Note over Dev,Infra: PR workflow (pull_request event)
    Dev->>GH: Open PR (tofu/** changes)
    GH->>Plan: Trigger plan job
    Plan->>Infra: tofu plan (read-only)
    Plan-->>GH: has-changes output + plan artifact
    Note over GH: Plan summary posted to PR step summary

    Note over Dev,Infra: Merge to main (push event)
    Dev->>GH: Merge PR → push to main
    GH->>Plan: Trigger plan job
    Plan->>Infra: tofu plan -detailed-exitcode
    Plan-->>Apply: has-changes=true (artifact)
    Note over GH: No environment gate (removed in this PR)
    Apply->>Infra: tofu apply -auto-approve tfplan
    Apply-->>Verify: apply complete
    Verify->>Infra: Verify runners on tinyland-docker

    Note over Dev,Infra: Manual workflow_dispatch (action=apply)
    Dev->>GH: workflow_dispatch (action=apply)
    GH->>Plan: Trigger plan job
    Plan-->>Apply: has-changes=true
    Note over GH: No approval gate (previously required env gate)
    Apply->>Infra: tofu apply -auto-approve tfplan

Comments Outside Diff (2)

  1. .github/workflows/deploy-arc-runners.yml, lines 5-15

    P2 runners/** missing from pull_request path trigger

    runners/** was added to the push trigger (line 15) but not to the pull_request trigger (lines 5–8). This creates a gap in the stated safety model: "PR review is the safety gate."

    When a PR touches only files under runners/** (e.g. a Dockerfile change), the plan job will not run during the PR — reviewers will never see a plan output. The workflow only fires after the PR merges to main, at which point plan and apply both run automatically with no prior plan visibility.

    To keep the PR review gate consistent, runners/** should also be added to the pull_request paths:

  2. .github/workflows/deploy-arc-runners.yml, lines 129-136

    P2 workflow_dispatch apply is now unguarded

    Previously the environment: arc-runners gate required a manual approval click before any tofu apply ran — including when triggered via workflow_dispatch. With the gate removed, any user with workflow_dispatch permission can now fire an apply directly without any secondary approval step.

    If this is intentional for your team's access model that's fine, but it's worth confirming that all users with write access (and therefore workflow_dispatch access) should have unreviewed apply rights to the ARC runner infrastructure.

Reviews (1): Last reviewed commit: "fix(ci): auto-deploy ARC runners on push..."
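The two review findings above (push and pull_request path lists out of sync, and the workflow_dispatch apply left without an approval step) and the PR's own test-plan condition (apply only when has-changes is true and the event is a push to main) can be expressed in one workflow. The YAML below is an added illustration written for this page, not the repository's deploy-arc-runners.yml. It reuses names that appear on the page (the plan and apply jobs, the has-changes output, the arc-runners environment, the action input, the tofu/** and runners/** paths, tofu plan -detailed-exitcode and tofu apply -auto-approve tfplan); the tofu/ working directory, the tfplan artifact handoff and the separate apply-manual job are assumptions.

```yaml
name: deploy-arc-runners (illustrative, not the project's file)

on:
  pull_request:
    paths:
      - "tofu/**"
      - "runners/**"   # same list as push, so Dockerfile-only PRs still get a plan
  push:
    branches: [main]
    paths:
      - "tofu/**"
      - "runners/**"
  workflow_dispatch:
    inputs:
      action:
        description: "plan or apply"
        type: choice
        options: [plan, apply]
        default: plan

concurrency:
  group: arc-runners-${{ github.ref }}
  cancel-in-progress: false   # never cancel an apply that is already running

jobs:
  plan:
    runs-on: ubuntu-latest
    outputs:
      has-changes: ${{ steps.plan.outputs.has-changes }}
    steps:
      - uses: actions/checkout@v4
      - id: plan
        working-directory: tofu   # assumed location of the OpenTofu root module
        run: |
          tofu init -input=false
          # -detailed-exitcode: 0 = no changes, 2 = changes present, 1 = error
          set +e
          tofu plan -detailed-exitcode -input=false -out=tfplan
          rc=$?
          set -e
          case "$rc" in
            0) echo "has-changes=false" >> "$GITHUB_OUTPUT" ;;
            2) echo "has-changes=true"  >> "$GITHUB_OUTPUT" ;;
            *) exit "$rc" ;;
          esac
      - uses: actions/upload-artifact@v4
        with:
          name: tfplan
          path: tofu/tfplan

  # Automatic path: the merged PR was reviewed, so no environment gate here.
  apply:
    needs: plan
    if: >-
      needs.plan.outputs.has-changes == 'true' &&
      github.event_name == 'push' &&
      github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: tfplan
          path: tofu
      - working-directory: tofu
        run: |
          tofu init -input=false
          tofu apply -auto-approve tfplan   # applies exactly the reviewed plan

  # Manual path: no PR review happened, so the environment approval stays.
  apply-manual:
    needs: plan
    if: >-
      needs.plan.outputs.has-changes == 'true' &&
      github.event_name == 'workflow_dispatch' &&
      inputs.action == 'apply'
    runs-on: ubuntu-latest
    environment: arc-runners   # required reviewers configured on the environment
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: tfplan
          path: tofu
      - working-directory: tofu
        run: |
          tofu init -input=false
          tofu apply -auto-approve tfplan
```

Keeping the pull_request and push path lists identical is what makes "PR review is the safety gate" hold for every file that can change the runners, and applying the saved tfplan rather than re-planning in the apply job means the change that reaches production is the one the reviewer saw. Splitting the manual apply into its own job keeps the environment approval only where no review preceded the apply, so the automatic path no longer skips while the dispatch path still requires a click.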
