.github/dependabot.yml

@@ -1,10 +0,0 @@
----
-version: 2
-updates:
-  - package-ecosystem: "github-actions"
-    directory: /
-    schedule:
-      interval: daily
-      time: "11:00"
-    commit-message:
-      prefix: "gh-actions:"

.github/workflows/build-image-test.yaml

@@ -9,13 +9,13 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
 
       - name: Get changed Dockerfile
         id: changed-files-specific
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        uses: tj-actions/changed-files@2c85495a7bb72f2734cb5181e29b2ee5e08e61f7 # v13.1
         with:
           files: |
             Dockerfile
@@ -52,7 +52,7 @@ jobs:
 
       - name: Dive - check image for waste files
         if: steps.changed-files-specific.outputs.any_changed == 'true'
-        uses: MaxymVlasov/dive-action@fafb796951b322cc4926b8a5eafda89ab9de8edf # v1.5.1
+        uses: MaxymVlasov/dive-action@0035999cae50d4ef657ac94be84f01812aa192a5 # v0.1.0
         with:
           image: ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}
           config-file: ${{ github.workspace }}/.github/.dive-ci.yaml

.github/workflows/build-image.yaml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3

.github/workflows/pr-title.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       # Please look up the latest version from
       # https://github.com/amannn/action-semantic-pull-request/releases
-      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/pre-commit.yaml

@@ -6,7 +6,7 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - run: |
         git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
 
@@ -31,16 +31,16 @@ jobs:
         curl -L "$(curl -s https://api.github.com/repos/hadolint/hadolint/releases/latest | grep -o -E -m 1 "https://.+?/hadolint-Linux-x86_64")" > hadolint \
         && chmod +x hadolint && sudo mv hadolint /usr/bin/
     # Need to success pre-commit fix push
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         fetch-depth: 0
         ref: ${{ github.event.pull_request.head.sha }}
     # Skip tofu_tflint which interferes to commit pre-commit auto-fixes
-    - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+    - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
         python-version: '3.9'
     - name: Execute pre-commit
-      uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99
+      uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3
       env:
         SKIP: no-commit-to-branch,hadolint
       with:
@@ -49,7 +49,7 @@ jobs:
     # Run only skipped checks
     - name: Execute pre-commit check that have no auto-fixes
       if: always()
-      uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99
+      uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3
       env:
         SKIP: check-added-large-files,check-merge-conflict,check-vcs-permalinks,forbid-new-submodules,no-commit-to-branch,end-of-file-fixer,trailing-whitespace,check-yaml,check-merge-conflict,check-executables-have-shebangs,check-case-conflict,mixed-line-ending,detect-aws-credentials,detect-private-key,shfmt,shellcheck
       with:

.github/workflows/release.yml

@@ -18,13 +18,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Release
-        uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2
+        uses: cycjimmy/semantic-release-action@61680d0e9b02ff86f5648ade99e01be17f0260a4 # v4.0.0
         with:
           semantic_version: 18.0.0
           extra_plugins: |

.github/workflows/stale-actions.yaml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
+    - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         # Staling issues and PR's

.pre-commit-hooks.yaml

@@ -4,7 +4,7 @@
   entry: hooks/infracost_breakdown.sh
   language: script
   require_serial: true
-  files: \.((tf|tofu)(vars)?|hcl)$
+  files: \.(tf(vars)?|hcl)$
   exclude: \.terraform\/.*$
 
 - id: tofu_fmt
@@ -12,29 +12,25 @@
   description: Rewrites all OpenTofu configuration files to a canonical format.
   entry: hooks/tofu_fmt.sh
   language: script
-  files: \.(tf|tofu)(vars)?$
+  files: (\.tf|\.tfvars)$
   exclude: \.terraform\/.*$
 
 - id: tofu_docs
   name: OpenTofu docs
-  description:
-    Inserts input and output documentation into README.md (using
-    terraform-docs).
+  description: Inserts input and output documentation into README.md (using terraform-docs).
   require_serial: true
   entry: hooks/tofu_docs.sh
   language: script
-  files: (\.(tf|tofu)|\.terraform\.lock\.hcl)$
+  files: (\.tf|\.terraform\.lock\.hcl)$
   exclude: \.terraform\/.*$
 
 - id: tofu_docs_without_aggregate_type_defaults
   name: OpenTofu docs (without aggregate type defaults)
-  description:
-    Inserts input and output documentation into README.md (using
-    terraform-docs). Identical to terraform_docs.
+  description: Inserts input and output documentation into README.md (using terraform-docs). Identical to terraform_docs.
   require_serial: true
   entry: hooks/tofu_docs.sh
   language: script
-  files: \.(tf|tofu)$
+  files: (\.tf)$
   exclude: \.terraform\/.*$
 
 - id: tofu_docs_replace
@@ -43,7 +39,7 @@
   require_serial: true
   entry: hooks/tofu_docs_replace.py
   language: python
-  files: \.(tf|tofu)$
+  files: (\.tf)$
   exclude: \.terraform\/.*$
 
 - id: tofu_validate
@@ -52,7 +48,7 @@
   require_serial: true
   entry: hooks/tofu_validate.sh
   language: script
-  files: \.(tf|tofu)(vars)?$
+  files: (\.tf|\.tfvars)$
   exclude: \.terraform\/.*$
 
 - id: tofu_providers_lock
@@ -70,13 +66,12 @@
   require_serial: true
   entry: hooks/tofu_tflint.sh
   language: script
-  files: \.(tf|tofu)(vars)?$
+  files: (\.tf|\.tfvars)$
   exclude: \.terraform\/.*$
 
 - id: terragrunt_fmt
   name: Terragrunt fmt
-  description:
-    Rewrites all Terragrunt configuration files to a canonical format.
+  description: Rewrites all Terragrunt configuration files to a canonical format.
   entry: hooks/terragrunt_fmt.sh
   language: script
   files: (\.hcl)$
@@ -92,20 +87,18 @@
 
 - id: tofu_tfsec
   name: OpenTofu validate with tfsec (deprecated, use "tofu_trivy")
-  description:
-    Static analysis of OpenTofu templates to spot potential security issues.
+  description: Static analysis of OpenTofu templates to spot potential security issues.
   require_serial: true
   entry: hooks/tofu_tfsec.sh
-  files: \.(tf|tofu)(vars)?$
+  files: \.tf(vars)?$
   language: script
 
 - id: tofu_trivy
   name: OpenTofu validate with trivy
-  description:
-    Static analysis of OpenTofu templates to spot potential security issues.
+  description: Static analysis of OpenTofu templates to spot potential security issues.
   require_serial: true
   entry: hooks/tofu_trivy.sh
-  files: \.(tf|tofu)(vars)?$
+  files: \.tf(vars)?$
   language: script
 
 - id: checkov
@@ -125,7 +118,7 @@
   entry: hooks/tofu_checkov.sh
   language: script
   always_run: false
-  files: \.(tf|tofu)$
+  files: \.tf$
   exclude: \.terraform\/.*$
   require_serial: true
 
@@ -145,7 +138,7 @@
   description: Runs terrascan on OpenTofu templates.
   language: script
   entry: hooks/terrascan.sh
-  files: \.(tf|tofu)$
+  files: \.tf$
   exclude: \.terraform\/.*$
   require_serial: true
 
@@ -156,5 +149,5 @@
   entry: hooks/tfupdate.sh
   args:
     - --args=terraform
-  files: \.(tf|tofu)$
+  files: \.tf$
   require_serial: true

CHANGELOG.md

@@ -2,40 +2,6 @@
 
 All notable changes to this project will be documented in this file.
 
-## [2.2.1](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.2.0...v2.2.1) (2025-06-04)
-
-
-### Bug Fixes
-
-* make infracost_breakdown.sh compatible with bash 3.2 (macOS) ([df886fa](https://github.com/tofuutils/pre-commit-opentofu/commit/df886fa772e7d1eedf5603327c0cf02968e7d779))
-* Update pre-commit/action version ([#30](https://github.com/tofuutils/pre-commit-opentofu/issues/30)) ([44c7b5d](https://github.com/tofuutils/pre-commit-opentofu/commit/44c7b5dec9362d2fe7ed5e8786f4d95956791d3d))
-
-# [2.2.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.1.0...v2.2.0) (2025-03-29)
-
-
-### Features
-
-* make release ([e625db1](https://github.com/tofuutils/pre-commit-opentofu/commit/e625db13ec285e132f43cdf6e5aa3f3272e45451))
-
-# [2.1.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.0.0...v2.1.0) (2024-10-16)
-
-
-### Features
-
-* spport .tofu files ([#6](https://github.com/tofuutils/pre-commit-opentofu/issues/6)) ([e059c58](https://github.com/tofuutils/pre-commit-opentofu/commit/e059c5859bceddf1ca018f55851f6940ad51f1c2))
-
-# [2.0.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.4...v2.0.0) (2024-09-25)
-
-
-### Features
-
-* **tofu:** add handling for missing tofu binary in Docker image  This commit introduces logic to gracefully handle the case when the tofu binary is not found in the Docker image, improving the overall user experience.  BREAKING CHANGE: The previous behavior of the application when the tofu binary was missing may have caused unexpected crashes. ([14fc63e](https://github.com/tofuutils/pre-commit-opentofu/commit/14fc63eb5b04e3ad1525d06e437b15935841775f))
-
-
-### BREAKING CHANGES
-
-* **tofu:** The previous behavior of the application when the tofu binary was missing may have caused unexpected crashes."
-
 ## [1.0.4](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.3...v1.0.4) (2024-09-21)
 
 

Dockerfile

@@ -14,18 +14,18 @@ RUN apk add --no-cache \
         setuptools
 
 ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest}
-ARG TOFU_VERSION=${TOFU_VERSION:-1.9.0}
+ARG TOFU_VERSION=${TOFU_VERSION:-1.6.1}
 
 # Install pre-commit
 RUN [ ${PRE_COMMIT_VERSION} = "latest" ] && pip3 install --no-cache-dir pre-commit \
     || pip3 install --no-cache-dir pre-commit==${PRE_COMMIT_VERSION}
 
+
 RUN curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip \
  && curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_SHA256SUMS \
  && [ $(sha256sum "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" | cut -f 1 -d ' ') = "$(grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" tofu_*_SHA256SUMS | cut -f 1 -d ' ')" ] \
-    && unzip tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip -d /usr/bin/ \
-    && rm "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" \
-    && rm "tofu_${TOFU_VERSION}_SHA256SUMS"
+ && unzip tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip \
+ && mv tofu /usr/bin/tofu
 
 #
 # Install tools
@@ -208,7 +208,6 @@ COPY --from=builder \
     /usr/local/bin/pre-commit \
     # Hooks and terraform binaries
     /bin_dir/ \
-    /usr/bin/tofu \
     /usr/local/bin/checkov* \
         /usr/bin/
 # Copy pre-commit packages
@@ -235,4 +234,3 @@ ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-}
 ENV INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false}
 
 ENTRYPOINT [ "/entrypoint.sh" ]
-

README.md

@@ -552,7 +552,7 @@ To replicate functionality in `tofu_docs` hook:
         - --args=--config=.terraform-docs.yml
     ```
 
-### tofu_fmt
+### terraftofu_fmtorm_fmt
 
 1. `tofu_fmt` supports custom arguments so you can pass [supported flags](https://www.terraform.io/docs/cli/commands/fmt.html#usage). Eg:
 

hooks/infracost_breakdown.sh

@@ -70,24 +70,19 @@ function infracost_breakdown_ {
     # -h .totalHourlyCost > 0.1
     # --hook-config=.currency == "USD"
     first_char=${check:0:1}
-    last_char=${check:$((${#check} - 1)):1}
+    last_char=${check: -1}
     if [ "$first_char" == "$last_char" ] && {
       [ "$first_char" == '"' ] || [ "$first_char" == "'" ]
     }; then
-      check="${check:1:$((${#check} - 2))}"
+      check="${check:1:-1}"
     fi
 
-    # Replace mapfile with while read loop for bash 3.2 compatibility
-    operations=()
-    while IFS= read -r line; do
-      operations+=("$line")
-    done < <(echo "$check" | grep -oE '[!<>=]{1,2}')
-
+    mapfile -t operations < <(echo "$check" | grep -oE '[!<>=]{1,2}')
     # Get the very last operator, that is used in comparison inside `jq` query.
     # From the example below we need to pick the `>` which is in between `add` and `1000`,
     # but not the `!=`, which goes earlier in the `jq` expression
     # [.projects[].diff.totalMonthlyCost | select (.!=null) | tonumber] | add > 1000
-    operation=${operations[$((${#operations[@]} - 1))]}
+    operation=${operations[-1]}
 
     IFS="$operation" read -r -a jq_check <<< "$check"
     real_value="$(jq "${jq_check[0]}" <<< "$RESULTS")"

hooks/tofu_docs.sh

@@ -155,7 +155,7 @@ function tofu_docs {
     #
     if $create_if_not_exist && [[ ! -f "$text_file" ]]; then
       dir_have_tf_files="$(
-        find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tofu|^tf$|^tfvars$' ||
+        find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tf$|^tfvars$' ||
           exit 0
       )"
 

hooks/tofu_docs_replace.py

@@ -7,41 +7,30 @@ import sys
 def main(argv=None):
     parser = argparse.ArgumentParser(
         description="""Run terraform-docs on a set of files. Follows the standard convention of
-                       pulling the documentation from main.(tf|tofu) in order to replace the entire
+                       pulling the documentation from main.tf in order to replace the entire
                        README.md file each time."""
     )
     parser.add_argument(
-        "--dest",
-        dest="dest",
-        default="README.md",
+        '--dest', dest='dest', default='README.md',
     )
     parser.add_argument(
-        "--sort-inputs-by-required",
-        dest="sort",
-        action="store_true",
-        help="[deprecated] use --sort-by-required instead",
+        '--sort-inputs-by-required', dest='sort', action='store_true',
+        help='[deprecated] use --sort-by-required instead',
     )
     parser.add_argument(
-        "--sort-by-required",
-        dest="sort",
-        action="store_true",
+        '--sort-by-required', dest='sort', action='store_true',
     )
     parser.add_argument(
-        "--with-aggregate-type-defaults",
-        dest="aggregate",
-        action="store_true",
-        help="[deprecated]",
+        '--with-aggregate-type-defaults', dest='aggregate', action='store_true',
+        help='[deprecated]',
     )
-    parser.add_argument("filenames", nargs="*", help="Filenames to check.")
+    parser.add_argument('filenames', nargs='*', help='Filenames to check.')
     args = parser.parse_args(argv)
 
     dirs = []
     for filename in args.filenames:
-        if os.path.realpath(filename) not in dirs and (
-            filename.endswith(".tf")
-            or filename.endswith(".tofu")
-            or filename.endswith(".tfvars")
-        ):
+        if (os.path.realpath(filename) not in dirs and
+                (filename.endswith(".tf") or filename.endswith(".tfvars"))):
             dirs.append(os.path.dirname(filename))
 
     retval = 0
@@ -49,12 +38,12 @@ def main(argv=None):
     for dir in dirs:
         try:
             procArgs = []
-            procArgs.append("terraform-docs")
+            procArgs.append('terraform-docs')
             if args.sort:
-                procArgs.append("--sort-by-required")
-            procArgs.append("md")
+                procArgs.append('--sort-by-required')
+            procArgs.append('md')
             procArgs.append("./{dir}".format(dir=dir))
-            procArgs.append(">")
+            procArgs.append('>')
             procArgs.append("./{dir}/{dest}".format(dir=dir, dest=args.dest))
             subprocess.check_call(" ".join(procArgs), shell=True)
         except subprocess.CalledProcessError as e:
@@ -63,5 +52,5 @@ def main(argv=None):
     return retval
 
 
-if __name__ == "__main__":
+if __name__ == '__main__':
     sys.exit(main())

hooks/tofu_wrapper_module_for_each.sh

@@ -312,10 +312,10 @@ EOF
 
     # Read content of all OpenTofu files
     # shellcheck disable=SC2207
-    all_tf_content=$(find "${full_module_dir}" -regex '.*\.(tf|tofu)' -maxdepth 1 -type f -exec cat {} +)
+    all_tf_content=$(find "${full_module_dir}" -name '*.tf' -maxdepth 1 -type f -exec cat {} +)
 
     if [[ ! $all_tf_content ]]; then
-      common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.(tf|tofu) files."
+      common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.tf files."
       continue
     fi