.github/dependabot.yml

@@ -1,10 +0,0 @@
----
-version: 2
-updates:
-  - package-ecosystem: "github-actions"
-    directory: /
-    schedule:
-      interval: daily
-      time: "11:00"
-    commit-message:
-      prefix: "gh-actions:"

.github/workflows/build-image-test.yaml

@@ -9,13 +9,13 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
 
       - name: Get changed Dockerfile
         id: changed-files-specific
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        uses: tj-actions/changed-files@2c85495a7bb72f2734cb5181e29b2ee5e08e61f7 # v13.1
         with:
           files: |
             Dockerfile
@@ -52,7 +52,7 @@ jobs:
 
       - name: Dive - check image for waste files
         if: steps.changed-files-specific.outputs.any_changed == 'true'
-        uses: MaxymVlasov/dive-action@fafb796951b322cc4926b8a5eafda89ab9de8edf # v1.5.1
+        uses: MaxymVlasov/dive-action@0035999cae50d4ef657ac94be84f01812aa192a5 # v0.1.0
         with:
           image: ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}
           config-file: ${{ github.workspace }}/.github/.dive-ci.yaml

.github/workflows/build-image.yaml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3

.github/workflows/pr-title.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       # Please look up the latest version from
       # https://github.com/amannn/action-semantic-pull-request/releases
-      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/pre-commit.yaml

@@ -6,7 +6,7 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - run: |
         git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
 
@@ -31,16 +31,16 @@ jobs:
         curl -L "$(curl -s https://api.github.com/repos/hadolint/hadolint/releases/latest | grep -o -E -m 1 "https://.+?/hadolint-Linux-x86_64")" > hadolint \
         && chmod +x hadolint && sudo mv hadolint /usr/bin/
     # Need to success pre-commit fix push
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         fetch-depth: 0
         ref: ${{ github.event.pull_request.head.sha }}
     # Skip tofu_tflint which interferes to commit pre-commit auto-fixes
-    - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+    - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
         python-version: '3.9'
     - name: Execute pre-commit
-      uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99
+      uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3
       env:
         SKIP: no-commit-to-branch,hadolint
       with:
@@ -49,7 +49,7 @@ jobs:
     # Run only skipped checks
     - name: Execute pre-commit check that have no auto-fixes
       if: always()
-      uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99
+      uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3
       env:
         SKIP: check-added-large-files,check-merge-conflict,check-vcs-permalinks,forbid-new-submodules,no-commit-to-branch,end-of-file-fixer,trailing-whitespace,check-yaml,check-merge-conflict,check-executables-have-shebangs,check-case-conflict,mixed-line-ending,detect-aws-credentials,detect-private-key,shfmt,shellcheck
       with:

.github/workflows/release.yml

@@ -18,13 +18,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Release
-        uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2
+        uses: cycjimmy/semantic-release-action@61680d0e9b02ff86f5648ade99e01be17f0260a4 # v4.0.0
         with:
           semantic_version: 18.0.0
           extra_plugins: |

.github/workflows/stale-actions.yaml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
+    - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         # Staling issues and PR's

.pre-commit-hooks.yaml

@@ -4,7 +4,7 @@
   entry: hooks/infracost_breakdown.sh
   language: script
   require_serial: true
-  files: \.((tf|tofu)(vars)?|hcl)$
+  files: \.(tf(vars)?|hcl)$
   exclude: \.terraform\/.*$
 
 - id: tofu_fmt
@@ -12,29 +12,25 @@
   description: Rewrites all OpenTofu configuration files to a canonical format.
   entry: hooks/tofu_fmt.sh
   language: script
-  files: \.(tf|tofu)(vars)?$
+  files: (\.tf|\.tfvars)$
   exclude: \.terraform\/.*$
 
 - id: tofu_docs
   name: OpenTofu docs
-  description:
+  description: Inserts input and output documentation into README.md (using terraform-docs).
-    Inserts input and output documentation into README.md (using
-    terraform-docs).
   require_serial: true
   entry: hooks/tofu_docs.sh
   language: script
-  files: (\.(tf|tofu)|\.terraform\.lock\.hcl)$
+  files: (\.tf|\.terraform\.lock\.hcl)$
   exclude: \.terraform\/.*$
 
 - id: tofu_docs_without_aggregate_type_defaults
   name: OpenTofu docs (without aggregate type defaults)
-  description:
+  description: Inserts input and output documentation into README.md (using terraform-docs). Identical to terraform_docs.
-    Inserts input and output documentation into README.md (using
-    terraform-docs). Identical to terraform_docs.
   require_serial: true
   entry: hooks/tofu_docs.sh
   language: script
-  files: \.(tf|tofu)$
+  files: (\.tf)$
   exclude: \.terraform\/.*$
 
 - id: tofu_docs_replace
@@ -43,7 +39,7 @@
   require_serial: true
   entry: hooks/tofu_docs_replace.py
   language: python
-  files: \.(tf|tofu)$
+  files: (\.tf)$
   exclude: \.terraform\/.*$
 
 - id: tofu_validate
@@ -52,7 +48,7 @@
   require_serial: true
   entry: hooks/tofu_validate.sh
   language: script
-  files: \.(tf|tofu)(vars)?$
+  files: (\.tf|\.tfvars)$
   exclude: \.terraform\/.*$
 
 - id: tofu_providers_lock
@@ -70,13 +66,12 @@
   require_serial: true
   entry: hooks/tofu_tflint.sh
   language: script
-  files: \.(tf|tofu)(vars)?$
+  files: (\.tf|\.tfvars)$
   exclude: \.terraform\/.*$
 
 - id: terragrunt_fmt
   name: Terragrunt fmt
-  description:
+  description: Rewrites all Terragrunt configuration files to a canonical format.
-    Rewrites all Terragrunt configuration files to a canonical format.
   entry: hooks/terragrunt_fmt.sh
   language: script
   files: (\.hcl)$
@@ -92,20 +87,18 @@
 
 - id: tofu_tfsec
   name: OpenTofu validate with tfsec (deprecated, use "tofu_trivy")
-  description:
+  description: Static analysis of OpenTofu templates to spot potential security issues.
-    Static analysis of OpenTofu templates to spot potential security issues.
   require_serial: true
   entry: hooks/tofu_tfsec.sh
-  files: \.(tf|tofu)(vars)?$
+  files: \.tf(vars)?$
   language: script
 
 - id: tofu_trivy
   name: OpenTofu validate with trivy
-  description:
+  description: Static analysis of OpenTofu templates to spot potential security issues.
-    Static analysis of OpenTofu templates to spot potential security issues.
   require_serial: true
   entry: hooks/tofu_trivy.sh
-  files: \.(tf|tofu)(vars)?$
+  files: \.tf(vars)?$
   language: script
 
 - id: checkov
@@ -125,7 +118,7 @@
   entry: hooks/tofu_checkov.sh
   language: script
   always_run: false
-  files: \.(tf|tofu)$
+  files: \.tf$
   exclude: \.terraform\/.*$
   require_serial: true
 
@@ -145,7 +138,7 @@
   description: Runs terrascan on OpenTofu templates.
   language: script
   entry: hooks/terrascan.sh
-  files: \.(tf|tofu)$
+  files: \.tf$
   exclude: \.terraform\/.*$
   require_serial: true
 
@@ -156,5 +149,5 @@
   entry: hooks/tfupdate.sh
   args:
     - --args=terraform
-  files: \.(tf|tofu)$
+  files: \.tf$
   require_serial: true

CHANGELOG.md

@@ -2,28 +2,6 @@
 
 All notable changes to this project will be documented in this file.
 
-## [2.2.1](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.2.0...v2.2.1) (2025-06-04)
-
-
-### Bug Fixes
-
-* make infracost_breakdown.sh compatible with bash 3.2 (macOS) ([df886fa](https://github.com/tofuutils/pre-commit-opentofu/commit/df886fa772e7d1eedf5603327c0cf02968e7d779))
-* Update pre-commit/action version ([#30](https://github.com/tofuutils/pre-commit-opentofu/issues/30)) ([44c7b5d](https://github.com/tofuutils/pre-commit-opentofu/commit/44c7b5dec9362d2fe7ed5e8786f4d95956791d3d))
-
-# [2.2.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.1.0...v2.2.0) (2025-03-29)
-
-
-### Features
-
-* make release ([e625db1](https://github.com/tofuutils/pre-commit-opentofu/commit/e625db13ec285e132f43cdf6e5aa3f3272e45451))
-
-# [2.1.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.0.0...v2.1.0) (2024-10-16)
-
-
-### Features
-
-* spport .tofu files ([#6](https://github.com/tofuutils/pre-commit-opentofu/issues/6)) ([e059c58](https://github.com/tofuutils/pre-commit-opentofu/commit/e059c5859bceddf1ca018f55851f6940ad51f1c2))
-
 # [2.0.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.4...v2.0.0) (2024-09-25)
 
 

Dockerfile

@@ -14,7 +14,7 @@ RUN apk add --no-cache \
         setuptools
 
 ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest}
-ARG TOFU_VERSION=${TOFU_VERSION:-1.9.0}
+ARG TOFU_VERSION=${TOFU_VERSION:-1.6.1}
 
 # Install pre-commit
 RUN [ ${PRE_COMMIT_VERSION} = "latest" ] && pip3 install --no-cache-dir pre-commit \
@@ -235,4 +235,3 @@ ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-}
 ENV INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false}
 
 ENTRYPOINT [ "/entrypoint.sh" ]
-

README.md

@@ -552,7 +552,7 @@ To replicate functionality in `tofu_docs` hook:
         - --args=--config=.terraform-docs.yml
     ```
 
-### tofu_fmt
+### terraftofu_fmtorm_fmt
 
 1. `tofu_fmt` supports custom arguments so you can pass [supported flags](https://www.terraform.io/docs/cli/commands/fmt.html#usage). Eg:
 

hooks/infracost_breakdown.sh

@@ -70,24 +70,19 @@ function infracost_breakdown_ {
     # -h .totalHourlyCost > 0.1
     # --hook-config=.currency == "USD"
     first_char=${check:0:1}
-    last_char=${check:$((${#check} - 1)):1}
+    last_char=${check: -1}
     if [ "$first_char" == "$last_char" ] && {
       [ "$first_char" == '"' ] || [ "$first_char" == "'" ]
     }; then
-      check="${check:1:$((${#check} - 2))}"
+      check="${check:1:-1}"
     fi
 
-    # Replace mapfile with while read loop for bash 3.2 compatibility
+    mapfile -t operations < <(echo "$check" | grep -oE '[!<>=]{1,2}')
-    operations=()
-    while IFS= read -r line; do
-      operations+=("$line")
-    done < <(echo "$check" | grep -oE '[!<>=]{1,2}')
-
     # Get the very last operator, that is used in comparison inside `jq` query.
     # From the example below we need to pick the `>` which is in between `add` and `1000`,
     # but not the `!=`, which goes earlier in the `jq` expression
     # [.projects[].diff.totalMonthlyCost | select (.!=null) | tonumber] | add > 1000
-    operation=${operations[$((${#operations[@]} - 1))]}
+    operation=${operations[-1]}
 
     IFS="$operation" read -r -a jq_check <<< "$check"
     real_value="$(jq "${jq_check[0]}" <<< "$RESULTS")"

hooks/tofu_docs.sh

@@ -155,7 +155,7 @@ function tofu_docs {
     #
     if $create_if_not_exist && [[ ! -f "$text_file" ]]; then
       dir_have_tf_files="$(
-        find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tofu|^tf$|^tfvars$' ||
+        find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tf$|^tfvars$' ||
           exit 0
       )"
 

hooks/tofu_docs_replace.py

@@ -7,41 +7,30 @@ import sys
 def main(argv=None):
     parser = argparse.ArgumentParser(
         description="""Run terraform-docs on a set of files. Follows the standard convention of
-                       pulling the documentation from main.(tf|tofu) in order to replace the entire
+                       pulling the documentation from main.tf in order to replace the entire
                        README.md file each time."""
     )
     parser.add_argument(
-        "--dest",
+        '--dest', dest='dest', default='README.md',
-        dest="dest",
-        default="README.md",
     )
     parser.add_argument(
-        "--sort-inputs-by-required",
+        '--sort-inputs-by-required', dest='sort', action='store_true',
-        dest="sort",
+        help='[deprecated] use --sort-by-required instead',
-        action="store_true",
-        help="[deprecated] use --sort-by-required instead",
     )
     parser.add_argument(
-        "--sort-by-required",
+        '--sort-by-required', dest='sort', action='store_true',
-        dest="sort",
-        action="store_true",
     )
     parser.add_argument(
-        "--with-aggregate-type-defaults",
+        '--with-aggregate-type-defaults', dest='aggregate', action='store_true',
-        dest="aggregate",
+        help='[deprecated]',
-        action="store_true",
-        help="[deprecated]",
     )
-    parser.add_argument("filenames", nargs="*", help="Filenames to check.")
+    parser.add_argument('filenames', nargs='*', help='Filenames to check.')
     args = parser.parse_args(argv)
 
     dirs = []
     for filename in args.filenames:
-        if os.path.realpath(filename) not in dirs and (
+        if (os.path.realpath(filename) not in dirs and
-            filename.endswith(".tf")
+                (filename.endswith(".tf") or filename.endswith(".tfvars"))):
-            or filename.endswith(".tofu")
-            or filename.endswith(".tfvars")
-        ):
             dirs.append(os.path.dirname(filename))
 
     retval = 0
@@ -49,12 +38,12 @@ def main(argv=None):
     for dir in dirs:
         try:
             procArgs = []
-            procArgs.append("terraform-docs")
+            procArgs.append('terraform-docs')
             if args.sort:
-                procArgs.append("--sort-by-required")
+                procArgs.append('--sort-by-required')
-            procArgs.append("md")
+            procArgs.append('md')
             procArgs.append("./{dir}".format(dir=dir))
-            procArgs.append(">")
+            procArgs.append('>')
             procArgs.append("./{dir}/{dest}".format(dir=dir, dest=args.dest))
             subprocess.check_call(" ".join(procArgs), shell=True)
         except subprocess.CalledProcessError as e:
@@ -63,5 +52,5 @@ def main(argv=None):
     return retval
 
 
-if __name__ == "__main__":
+if __name__ == '__main__':
     sys.exit(main())

hooks/tofu_wrapper_module_for_each.sh

@@ -312,10 +312,10 @@ EOF
 
     # Read content of all OpenTofu files
     # shellcheck disable=SC2207
-    all_tf_content=$(find "${full_module_dir}" -regex '.*\.(tf|tofu)' -maxdepth 1 -type f -exec cat {} +)
+    all_tf_content=$(find "${full_module_dir}" -name '*.tf' -maxdepth 1 -type f -exec cat {} +)
 
     if [[ ! $all_tf_content ]]; then
-      common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.(tf|tofu) files."
+      common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.tf files."
       continue
     fi