fix: remove empty TF_VAR CIDR envs causing plan parse errors

.gitea/workflows/deploy.yml

@@ -17,8 +17,6 @@ env:
   TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
   TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
   TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
-  TF_VAR_allowed_ssh_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
-  TF_VAR_allowed_api_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
 
 jobs:
   terraform:

.gitea/workflows/destroy.yml

@@ -16,8 +16,6 @@ env:
   TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
   TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
   TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
-  TF_VAR_allowed_ssh_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
-  TF_VAR_allowed_api_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
 
 jobs:
   destroy:

README.md

@@ -164,7 +164,7 @@ Set these in your Gitea repository settings (**Settings** → **Secrets** → **
 | `S3_BUCKET` | S3 bucket name (e.g., `k8s-terraform-state`) |
 | `TAILSCALE_AUTH_KEY` | Tailscale auth key for node bootstrap |
 | `TAILSCALE_TAILNET` | Tailnet domain (e.g., `yourtailnet.ts.net`) |
-| `RUNNER_ALLOWED_CIDRS` | CIDR list (HCL format) allowed to SSH/API from CI runner, e.g. `["0.0.0.0/0"]` or your runner egress CIDR |
+| `RUNNER_ALLOWED_CIDRS` | Optional CIDR list for CI runner access if you choose to pass it via tfvars/secrets |
 | `SSH_PUBLIC_KEY` | SSH public key content |
 | `SSH_PRIVATE_KEY` | SSH private key content |