Merge pull request #48 from tofuutils/dependabot/github_actions/MaxymVlasov/dive-action-1.5.1

gh-actions: bump MaxymVlasov/dive-action from 1.5.0 to 1.5.1
2025-10-15 17:38:54 +02:00 · 2025-10-13 16:44:01 +04:00 · 2025-10-13 12:21:03 +00:00 · 2025-10-10 19:10:36 +04:00 · 2025-10-10 11:22:34 +00:00 · 2025-10-09 19:59:42 +04:00
15 changed files with 238 additions and 123 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,10 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: /
+    schedule:
+      interval: daily
+      time: "11:00"
+    commit-message:
+      prefix: "gh-actions:"
--- a/.github/workflows/build-image-test.yaml
+++ b/.github/workflows/build-image-test.yaml
@ -9,13 +9,13 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0

      - name: Get changed Dockerfile
        id: changed-files-specific
-        uses: tj-actions/changed-files@2c85495a7bb72f2734cb5181e29b2ee5e08e61f7 # v13.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            Dockerfile
@ -52,7 +52,7 @@ jobs:

      - name: Dive - check image for waste files
        if: steps.changed-files-specific.outputs.any_changed == 'true'
-        uses: MaxymVlasov/dive-action@0035999cae50d4ef657ac94be84f01812aa192a5 # v0.1.0
+        uses: MaxymVlasov/dive-action@fafb796951b322cc4926b8a5eafda89ab9de8edf # v1.5.1
        with:
          image: ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}
          config-file: ${{ github.workspace }}/.github/.dive-ci.yaml
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@ -13,27 +13,28 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@v5
+
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+        uses: docker/setup-qemu-action@v3
+
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
+
      - name: Set tag for image
        run: |
          echo IMAGE_TAG=$([ ${{ github.ref_type }} == 'tag' ] && echo ${{ github.ref_name }} || echo 'latest') >> $GITHUB_ENV

-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-
-      - name: Build and Push release
+      - name: Build and Push release to ghcr.io
        if: github.event_name != 'schedule'
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        uses: docker/build-push-action@v5
        with:
          context: .
          build-args: |
@ -48,9 +49,9 @@ jobs:
          secrets: |
            "github_token=${{ secrets.GITHUB_TOKEN }}"

-      - name: Build and Push nightly
+      - name: Build and Push nightly to ghcr.io
        if: github.event_name == 'schedule'
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        uses: docker/build-push-action@v5
        with:
          context: .
          build-args: |
@ -63,3 +64,38 @@ jobs:
          provenance: false
          secrets: |
            "github_token=${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Login to DockerHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: registry.hub.docker.com
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+      - name: Build and Push release to DockerHub
+        if: github.event_name != 'schedule'
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          build-args: |
+            INSTALL_ALL=true
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            registry.hub.docker.com/tofuutils/pre-commit-opentofu:${{ env.IMAGE_TAG }}
+            registry.hub.docker.com/tofuutils/pre-commit-opentofu:latest
+          provenance: false
+
+      - name: Build and Push nightly to DockerHub
+        if: github.event_name == 'schedule'
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          build-args: |
+            INSTALL_ALL=true
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            registry.hub.docker.com/tofuutils/pre-commit-opentofu:nightly
+          provenance: false
+
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@ -14,7 +14,7 @@ jobs:
    steps:
      # Please look up the latest version from
      # https://github.com/amannn/action-semantic-pull-request/releases
-      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@ -6,7 +6,7 @@ jobs:
  pre-commit:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
    - run: |
        git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*

@ -31,16 +31,16 @@ jobs:
        curl -L "$(curl -s https://api.github.com/repos/hadolint/hadolint/releases/latest | grep -o -E -m 1 "https://.+?/hadolint-Linux-x86_64")" > hadolint \
        && chmod +x hadolint && sudo mv hadolint /usr/bin/
    # Need to success pre-commit fix push
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        fetch-depth: 0
        ref: ${{ github.event.pull_request.head.sha }}
    # Skip tofu_tflint which interferes to commit pre-commit auto-fixes
-    - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+    - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: '3.9'
    - name: Execute pre-commit
-      uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3
+      uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99
      env:
        SKIP: no-commit-to-branch,hadolint
      with:
@ -49,7 +49,7 @@ jobs:
    # Run only skipped checks
    - name: Execute pre-commit check that have no auto-fixes
      if: always()
-      uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3
+      uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99
      env:
        SKIP: check-added-large-files,check-merge-conflict,check-vcs-permalinks,forbid-new-submodules,no-commit-to-branch,end-of-file-fixer,trailing-whitespace,check-yaml,check-merge-conflict,check-executables-have-shebangs,check-case-conflict,mixed-line-ending,detect-aws-credentials,detect-private-key,shfmt,shellcheck
      with:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -18,13 +18,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          fetch-depth: 0

      - name: Release
-        uses: cycjimmy/semantic-release-action@61680d0e9b02ff86f5648ade99e01be17f0260a4 # v4.0.0
+        uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2
        with:
          semantic_version: 18.0.0
          extra_plugins: |
--- a/.github/workflows/stale-actions.yaml
+++ b/.github/workflows/stale-actions.yaml
@ -7,7 +7,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
+    - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        # Staling issues and PR's
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@ -4,7 +4,7 @@
  entry: hooks/infracost_breakdown.sh
  language: script
  require_serial: true
-  files: \.(tf(vars)?|hcl)$
+  files: \.((tf|tofu)(vars)?|hcl)$
  exclude: \.terraform\/.*$

 - id: tofu_fmt
@ -12,34 +12,38 @@
  description: Rewrites all OpenTofu configuration files to a canonical format.
  entry: hooks/tofu_fmt.sh
  language: script
-  files: (\.tf|\.tfvars)$
+  files: \.(tf|tofu)(vars)?$
  exclude: \.terraform\/.*$

 - id: tofu_docs
  name: OpenTofu docs
-  description: Inserts input and output documentation into README.md (using terraform-docs).
+  description:
+    Inserts input and output documentation into README.md (using
+    terraform-docs).
  require_serial: true
  entry: hooks/tofu_docs.sh
  language: script
-  files: (\.tf|\.terraform\.lock\.hcl)$
+  files: (\.(tf|tofu)|\.terraform\.lock\.hcl)$
  exclude: \.terraform\/.*$

 - id: tofu_docs_without_aggregate_type_defaults
  name: OpenTofu docs (without aggregate type defaults)
-  description: Inserts input and output documentation into README.md (using terraform-docs). Identical to terraform_docs.
+  description:
+    Inserts input and output documentation into README.md (using
+    terraform-docs). Identical to terraform_docs.
  require_serial: true
  entry: hooks/tofu_docs.sh
  language: script
-  files: (\.tf)$
+  files: \.(tf|tofu)$
  exclude: \.terraform\/.*$

 - id: tofu_docs_replace
  name: OpenTofu docs (overwrite README.md)
  description: Overwrite content of README.md with terraform-docs.
  require_serial: true
-  entry: terraform_docs_replace
+  entry: hooks/tofu_docs_replace.py
  language: python
-  files: (\.tf)$
+  files: \.(tf|tofu)$
  exclude: \.terraform\/.*$

 - id: tofu_validate
@ -48,7 +52,7 @@
  require_serial: true
  entry: hooks/tofu_validate.sh
  language: script
-  files: (\.tf|\.tfvars)$
+  files: \.(tf|tofu)(vars)?$
  exclude: \.terraform\/.*$

 - id: tofu_providers_lock
@ -66,12 +70,13 @@
  require_serial: true
  entry: hooks/tofu_tflint.sh
  language: script
-  files: (\.tf|\.tfvars)$
+  files: \.(tf|tofu)(vars)?$
  exclude: \.terraform\/.*$

 - id: terragrunt_fmt
  name: Terragrunt fmt
-  description: Rewrites all Terragrunt configuration files to a canonical format.
+  description:
+    Rewrites all Terragrunt configuration files to a canonical format.
  entry: hooks/terragrunt_fmt.sh
  language: script
  files: (\.hcl)$
@ -87,18 +92,20 @@

 - id: tofu_tfsec
  name: OpenTofu validate with tfsec (deprecated, use "tofu_trivy")
-  description: Static analysis of OpenTofu templates to spot potential security issues.
+  description:
+    Static analysis of OpenTofu templates to spot potential security issues.
  require_serial: true
  entry: hooks/tofu_tfsec.sh
-  files: \.tf(vars)?$
+  files: \.(tf|tofu)(vars)?$
  language: script

 - id: tofu_trivy
  name: OpenTofu validate with trivy
-  description: Static analysis of OpenTofu templates to spot potential security issues.
+  description:
+    Static analysis of OpenTofu templates to spot potential security issues.
  require_serial: true
  entry: hooks/tofu_trivy.sh
-  files: \.tf(vars)?$
+  files: \.(tf|tofu)(vars)?$
  language: script

 - id: checkov
@ -118,7 +125,7 @@
  entry: hooks/tofu_checkov.sh
  language: script
  always_run: false
-  files: \.tf$
+  files: \.(tf|tofu)$
  exclude: \.terraform\/.*$
  require_serial: true

@ -138,7 +145,7 @@
  description: Runs terrascan on OpenTofu templates.
  language: script
  entry: hooks/terrascan.sh
-  files: \.tf$
+  files: \.(tf|tofu)$
  exclude: \.terraform\/.*$
  require_serial: true

@ -149,5 +156,5 @@
  entry: hooks/tfupdate.sh
  args:
    - --args=terraform
-  files: \.tf$
+  files: \.(tf|tofu)$
  require_serial: true
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,50 @@

 All notable changes to this project will be documented in this file.

+## [2.2.1](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.2.0...v2.2.1) (2025-06-04)
+
+
+### Bug Fixes
+
+* make infracost_breakdown.sh compatible with bash 3.2 (macOS) ([df886fa](https://github.com/tofuutils/pre-commit-opentofu/commit/df886fa772e7d1eedf5603327c0cf02968e7d779))
+* Update pre-commit/action version ([#30](https://github.com/tofuutils/pre-commit-opentofu/issues/30)) ([44c7b5d](https://github.com/tofuutils/pre-commit-opentofu/commit/44c7b5dec9362d2fe7ed5e8786f4d95956791d3d))
+
+# [2.2.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.1.0...v2.2.0) (2025-03-29)
+
+
+### Features
+
+* make release ([e625db1](https://github.com/tofuutils/pre-commit-opentofu/commit/e625db13ec285e132f43cdf6e5aa3f3272e45451))
+
+# [2.1.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.0.0...v2.1.0) (2024-10-16)
+
+
+### Features
+
+* spport .tofu files ([#6](https://github.com/tofuutils/pre-commit-opentofu/issues/6)) ([e059c58](https://github.com/tofuutils/pre-commit-opentofu/commit/e059c5859bceddf1ca018f55851f6940ad51f1c2))
+
+# [2.0.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.4...v2.0.0) (2024-09-25)
+
+
+### Features
+
+* **tofu:** add handling for missing tofu binary in Docker image  This commit introduces logic to gracefully handle the case when the tofu binary is not found in the Docker image, improving the overall user experience.  BREAKING CHANGE: The previous behavior of the application when the tofu binary was missing may have caused unexpected crashes. ([14fc63e](https://github.com/tofuutils/pre-commit-opentofu/commit/14fc63eb5b04e3ad1525d06e437b15935841775f))
+
+
+### BREAKING CHANGES
+
+* **tofu:** The previous behavior of the application when the tofu binary was missing may have caused unexpected crashes."
+
+## [1.0.4](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.3...v1.0.4) (2024-09-21)
+
+
+### Bug Fixes
+
+* docker image reference in README.md ([7b04f0c](https://github.com/tofuutils/pre-commit-opentofu/commit/7b04f0c24940f1642c8f599bfd0794dd46b0b274))
+* docker image reference in README.md ([f9b71fe](https://github.com/tofuutils/pre-commit-opentofu/commit/f9b71fe08fedd4ceb23ced6fe2171edf24add290))
+* dockerhub ([0fac591](https://github.com/tofuutils/pre-commit-opentofu/commit/0fac59197f2f2cb4bc417917e5adb6ac92a20b7a))
+* entry for tofu_docs_replace ([f146463](https://github.com/tofuutils/pre-commit-opentofu/commit/f146463ac8effcfa441f3f6b21e811095f0da73c))
+
 ## [1.0.2](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.1...v1.0.2) (2024-03-08)


--- a/108
+++ b/108
@ -10,22 +10,22 @@ RUN apk add --no-cache \
    curl=~8 && \
    # Upgrade packages for be able get latest Checkov
    python3 -m pip install --no-cache-dir --upgrade \
-        pip \
-        setuptools
+    pip \
+    setuptools

 ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest}
-ARG TOFU_VERSION=${TOFU_VERSION:-1.6.1}
+ARG TOFU_VERSION=${TOFU_VERSION:-1.9.0}

 # Install pre-commit
 RUN [ ${PRE_COMMIT_VERSION} = "latest" ] && pip3 install --no-cache-dir pre-commit \
    || pip3 install --no-cache-dir pre-commit==${PRE_COMMIT_VERSION}

-
 RUN curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip \
- && curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_SHA256SUMS \
- && [ $(sha256sum "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" | cut -f 1 -d ' ') = "$(grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" tofu_*_SHA256SUMS | cut -f 1 -d ' ')" ] \
- && unzip tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip \
- && mv tofu /usr/bin/tofu
+    && curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_SHA256SUMS \
+    && [ $(sha256sum "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" | cut -f 1 -d ' ') = "$(grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" tofu_*_SHA256SUMS | cut -f 1 -d ' ')" ] \
+    && unzip tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip -d /usr/bin/ \
+    && rm "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" \
+    && rm "tofu_${TOFU_VERSION}_SHA256SUMS"

 #
 # Install tools
@ -47,18 +47,18 @@ ARG HCLEDIT_VERSION=${HCLEDIT_VERSION:-false}
 # specified in step below
 ARG INSTALL_ALL=${INSTALL_ALL:-false}
 RUN if [ "$INSTALL_ALL" != "false" ]; then \
-        echo "export CHECKOV_VERSION=latest" >> /.env && \
-        echo "export INFRACOST_VERSION=latest" >> /.env && \
-        echo "export TERRAFORM_DOCS_VERSION=latest" >> /.env && \
-        echo "export TERRAGRUNT_VERSION=latest" >> /.env && \
-        echo "export TERRASCAN_VERSION=latest" >> /.env && \
-        echo "export TFLINT_VERSION=latest" >> /.env && \
-        echo "export TFSEC_VERSION=latest" >> /.env && \
-        echo "export TRIVY_VERSION=latest" >> /.env && \
-        echo "export TFUPDATE_VERSION=latest" >> /.env && \
-        echo "export HCLEDIT_VERSION=latest" >> /.env \
+    echo "export CHECKOV_VERSION=latest" >> /.env && \
+    echo "export INFRACOST_VERSION=latest" >> /.env && \
+    echo "export TERRAFORM_DOCS_VERSION=latest" >> /.env && \
+    echo "export TERRAGRUNT_VERSION=latest" >> /.env && \
+    echo "export TERRASCAN_VERSION=latest" >> /.env && \
+    echo "export TFLINT_VERSION=latest" >> /.env && \
+    echo "export TFSEC_VERSION=latest" >> /.env && \
+    echo "export TRIVY_VERSION=latest" >> /.env && \
+    echo "export TFUPDATE_VERSION=latest" >> /.env && \
+    echo "export HCLEDIT_VERSION=latest" >> /.env \
    ; else \
-        touch /.env \
+    touch /.env \
    ; fi


@ -66,10 +66,10 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
 RUN . /.env && \
    if [ "$CHECKOV_VERSION" != "false" ]; then \
    ( \
-        apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \
-        [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
-        || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
-        apk del gcc libffi-dev musl-dev \
+    apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \
+    [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
+    || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
+    apk del gcc libffi-dev musl-dev \
    ) \
    ; fi

@ -77,9 +77,9 @@ RUN . /.env && \
 RUN . /.env && \
    if [ "$INFRACOST_VERSION" != "false" ]; then \
    ( \
-        INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases" && \
-        [ "$INFRACOST_VERSION" = "latest" ] && curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \
-        || curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \
+    INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases" && \
+    [ "$INFRACOST_VERSION" = "latest" ] && curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \
+    || curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \
    ) && tar -xzf infracost.tgz && rm infracost.tgz && mv infracost-${TARGETOS}-${TARGETARCH} infracost \
    ; fi

@ -87,9 +87,9 @@ RUN . /.env && \
 RUN . /.env && \
    if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then \
    ( \
-        TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" && \
-        [ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \
-        || curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \
+    TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" && \
+    [ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \
+    || curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \
    ) && tar -xzf terraform-docs.tgz terraform-docs && rm terraform-docs.tgz && chmod +x terraform-docs \
    ; fi

@ -97,9 +97,9 @@ RUN . /.env && \
 RUN . /.env \
    && if [ "$TERRAGRUNT_VERSION" != "false" ]; then \
    ( \
-        TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" && \
-        [ "$TERRAGRUNT_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \
-        || curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \
+    TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" && \
+    [ "$TERRAGRUNT_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \
+    || curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \
    ) && chmod +x terragrunt \
    ; fi

@ -111,9 +111,9 @@ RUN . /.env && \
    # Convert the first letter to Uppercase
    OS="$(echo ${TARGETOS} | cut -c1 | tr '[:lower:]' '[:upper:]' | xargs echo -n; echo ${TARGETOS} | cut -c2-)"; \
    ( \
-        TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases" && \
-        [ "$TERRASCAN_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \
-        || curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \
+    TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases" && \
+    [ "$TERRASCAN_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \
+    || curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \
    ) && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && \
    ./terrascan init \
    ; fi
@ -122,9 +122,9 @@ RUN . /.env && \
 RUN . /.env && \
    if [ "$TFLINT_VERSION" != "false" ]; then \
    ( \
-        TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" && \
-        [ "$TFLINT_VERSION" = "latest" ] && curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \
-        || curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \
+    TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" && \
+    [ "$TFLINT_VERSION" = "latest" ] && curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \
+    || curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \
    ) && unzip tflint.zip && rm tflint.zip \
    ; fi

@ -132,9 +132,9 @@ RUN . /.env && \
 RUN . /.env && \
    if [ "$TFSEC_VERSION" != "false" ]; then \
    ( \
-        TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" && \
-        [ "$TFSEC_VERSION" = "latest" ] && curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \
-        || curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \
+    TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" && \
+    [ "$TFSEC_VERSION" = "latest" ] && curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \
+    || curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \
    ) && chmod +x tfsec \
    ; fi

@ -143,9 +143,9 @@ RUN . /.env && \
    if [ "$TRIVY_VERSION" != "false" ]; then \
    if [ "$TARGETARCH" != "amd64" ]; then ARCH="$TARGETARCH"; else ARCH="64bit"; fi; \
    ( \
-        TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" && \
-        [ "$TRIVY_VERSION" = "latest" ] && curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \
-        || curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \
+    TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" && \
+    [ "$TRIVY_VERSION" = "latest" ] && curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \
+    || curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \
    ) && tar -xzf trivy.tar.gz trivy && rm trivy.tar.gz \
    ; fi

@ -153,9 +153,9 @@ RUN . /.env && \
 RUN . /.env && \
    if [ "$TFUPDATE_VERSION" != "false" ]; then \
    ( \
-        TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" && \
-        [ "$TFUPDATE_VERSION" = "latest" ] && curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \
-        || curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \
+    TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" && \
+    [ "$TFUPDATE_VERSION" = "latest" ] && curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \
+    || curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \
    ) && tar -xzf tfupdate.tgz tfupdate && rm tfupdate.tgz \
    ; fi

@ -163,9 +163,9 @@ RUN . /.env && \
 RUN . /.env && \
    if [ "$HCLEDIT_VERSION" != "false" ]; then \
    ( \
-        HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" && \
-        [ "$HCLEDIT_VERSION" = "latest" ] && curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \
-        || curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \
+    HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" && \
+    [ "$HCLEDIT_VERSION" = "latest" ] && curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \
+    || curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \
    ) && tar -xzf hcledit.tgz hcledit && rm hcledit.tgz \
    ; fi

@ -208,8 +208,9 @@ COPY --from=builder \
    /usr/local/bin/pre-commit \
    # Hooks and terraform binaries
    /bin_dir/ \
+    /usr/bin/tofu \
    /usr/local/bin/checkov* \
-        /usr/bin/
+    /usr/bin/
 # Copy pre-commit packages
 COPY --from=builder /usr/local/lib/python3.12/site-packages/ /usr/local/lib/python3.12/site-packages/
 # Copy terrascan policies
@ -217,10 +218,10 @@ COPY --from=builder /root/ /root/

 # Install hooks extra deps
 RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \
-        apk add --no-cache perl=~5 \
+    apk add --no-cache perl=~5 \
    ; fi && \
    if [ "$(grep -o '^infracost SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \
-        apk add --no-cache jq=~1 \
+    apk add --no-cache jq=~1 \
    ; fi && \
    # Fix git runtime fatal:
    # unsafe repository ('/lint' is owned by someone else)
@ -234,3 +235,4 @@ ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-}
 ENV INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false}

 ENTRYPOINT [ "/entrypoint.sh" ]
+
--- a/README.md
+++ b/README.md
@ -76,7 +76,7 @@ If you are using `pre-commit-opentofu` already or want to support its developmen

 ```bash
 TAG=latest
-docker pull ghcr.io/tofuutils/pre-commit-opentofu:$TAG
+docker pull tofuutils/pre-commit-opentofu:$TAG
 ```

 All available tags [here](https://github.com/tofuutils/pre-commit-opentofu/pkgs/container/pre-commit-opentofu/versions).
@ -256,14 +256,14 @@ Or, using Docker ([available tags](https://github.com/tofuutils/pre-commit-opent

 ```bash
 TAG=latest
-docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/tofuutils/pre-commit-opentofu:$TAG run -a
+docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint tofuutils/pre-commit-opentofu:$TAG run -a
 ```

 Execute this command to list the versions of the tools in Docker:

 ```bash
 TAG=latest
-docker run --rm --entrypoint cat ghcr.io/tofuutils/pre-commit-opentofu:$TAG /usr/bin/tools_versions_info
+docker run --rm --entrypoint cat tofuutils/pre-commit-opentofu:$TAG /usr/bin/tools_versions_info
 ```

 ## Available Hooks
@ -552,7 +552,7 @@ To replicate functionality in `tofu_docs` hook:
        - --args=--config=.terraform-docs.yml
    ```

-### terraftofu_fmtorm_fmt
+### tofu_fmt

 1. `tofu_fmt` supports custom arguments so you can pass [supported flags](https://www.terraform.io/docs/cli/commands/fmt.html#usage). Eg:

@ -997,7 +997,7 @@ The [recommended command](#4-run) to run the Docker container is:

 ```bash
 TAG=latest
-docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/tofuutils/pre-commit-opentofu:$TAG run -a
+docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint tofuutils/pre-commit-opentofu:$TAG run -a
 ```

 which uses your current session's user ID and group ID to set the variable in the run command.  Without this setting, you may find files and directories owned by `root` in your local repository.
@ -1041,7 +1041,7 @@ Finally, you can execute `docker run` with an additional volume mount so that th
 # run pre-commit-opentofu with docker
 # adding volume for .netrc file
 # .netrc needs to be in /root/ dir
-docker run --rm -e "USERID=$(id -u):$(id -g)" -v ~/.netrc:/root/.netrc -v $(pwd):/lint -w /lint ghcr.io/tofuutils/pre-commit-opentofu:latest run -a
+docker run --rm -e "USERID=$(id -u):$(id -g)" -v ~/.netrc:/root/.netrc -v $(pwd):/lint -w /lint tofuutils/pre-commit-opentofu:latest run -a
 ```

 ## Authors
--- a/hooks/infracost_breakdown.sh
+++ b/hooks/infracost_breakdown.sh
@ -70,19 +70,24 @@ function infracost_breakdown_ {
    # -h .totalHourlyCost > 0.1
    # --hook-config=.currency == "USD"
    first_char=${check:0:1}
-    last_char=${check: -1}
+    last_char=${check:$((${#check} - 1)):1}
    if [ "$first_char" == "$last_char" ] && {
      [ "$first_char" == '"' ] || [ "$first_char" == "'" ]
    }; then
-      check="${check:1:-1}"
+      check="${check:1:$((${#check} - 2))}"
    fi

-    mapfile -t operations < <(echo "$check" | grep -oE '[!<>=]{1,2}')
+    # Replace mapfile with while read loop for bash 3.2 compatibility
+    operations=()
+    while IFS= read -r line; do
+      operations+=("$line")
+    done < <(echo "$check" | grep -oE '[!<>=]{1,2}')
+
    # Get the very last operator, that is used in comparison inside `jq` query.
    # From the example below we need to pick the `>` which is in between `add` and `1000`,
    # but not the `!=`, which goes earlier in the `jq` expression
    # [.projects[].diff.totalMonthlyCost | select (.!=null) | tonumber] | add > 1000
-    operation=${operations[-1]}
+    operation=${operations[$((${#operations[@]} - 1))]}

    IFS="$operation" read -r -a jq_check <<< "$check"
    real_value="$(jq "${jq_check[0]}" <<< "$RESULTS")"
--- a/hooks/tofu_docs.sh
+++ b/hooks/tofu_docs.sh
@ -155,7 +155,7 @@ function tofu_docs {
    #
    if $create_if_not_exist && [[ ! -f "$text_file" ]]; then
      dir_have_tf_files="$(
-        find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tf$|^tfvars$' ||
+        find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tofu|^tf$|^tfvars$' ||
          exit 0
      )"

--- a/hooks/tofu_docs_replace.py
+++ b/hooks/tofu_docs_replace.py
@ -7,30 +7,41 @@ import sys
 def main(argv=None):
    parser = argparse.ArgumentParser(
        description="""Run terraform-docs on a set of files. Follows the standard convention of
-                       pulling the documentation from main.tf in order to replace the entire
+                       pulling the documentation from main.(tf|tofu) in order to replace the entire
                       README.md file each time."""
    )
    parser.add_argument(
-        '--dest', dest='dest', default='README.md',
+        "--dest",
+        dest="dest",
+        default="README.md",
    )
    parser.add_argument(
-        '--sort-inputs-by-required', dest='sort', action='store_true',
-        help='[deprecated] use --sort-by-required instead',
+        "--sort-inputs-by-required",
+        dest="sort",
+        action="store_true",
+        help="[deprecated] use --sort-by-required instead",
    )
    parser.add_argument(
-        '--sort-by-required', dest='sort', action='store_true',
+        "--sort-by-required",
+        dest="sort",
+        action="store_true",
    )
    parser.add_argument(
-        '--with-aggregate-type-defaults', dest='aggregate', action='store_true',
-        help='[deprecated]',
+        "--with-aggregate-type-defaults",
+        dest="aggregate",
+        action="store_true",
+        help="[deprecated]",
    )
-    parser.add_argument('filenames', nargs='*', help='Filenames to check.')
+    parser.add_argument("filenames", nargs="*", help="Filenames to check.")
    args = parser.parse_args(argv)

    dirs = []
    for filename in args.filenames:
-        if (os.path.realpath(filename) not in dirs and
-                (filename.endswith(".tf") or filename.endswith(".tfvars"))):
+        if os.path.realpath(filename) not in dirs and (
+            filename.endswith(".tf")
+            or filename.endswith(".tofu")
+            or filename.endswith(".tfvars")
+        ):
            dirs.append(os.path.dirname(filename))

    retval = 0
@ -38,12 +49,12 @@ def main(argv=None):
    for dir in dirs:
        try:
            procArgs = []
-            procArgs.append('terraform-docs')
+            procArgs.append("terraform-docs")
            if args.sort:
-                procArgs.append('--sort-by-required')
-            procArgs.append('md')
+                procArgs.append("--sort-by-required")
+            procArgs.append("md")
            procArgs.append("./{dir}".format(dir=dir))
-            procArgs.append('>')
+            procArgs.append(">")
            procArgs.append("./{dir}/{dest}".format(dir=dir, dest=args.dest))
            subprocess.check_call(" ".join(procArgs), shell=True)
        except subprocess.CalledProcessError as e:
@ -52,5 +63,5 @@ def main(argv=None):
    return retval


-if __name__ == '__main__':
+if __name__ == "__main__":
    sys.exit(main())
--- a/hooks/tofu_wrapper_module_for_each.sh
+++ b/hooks/tofu_wrapper_module_for_each.sh
@ -312,10 +312,10 @@ EOF

    # Read content of all OpenTofu files
    # shellcheck disable=SC2207
-    all_tf_content=$(find "${full_module_dir}" -name '*.tf' -maxdepth 1 -type f -exec cat {} +)
+    all_tf_content=$(find "${full_module_dir}" -regex '.*\.(tf|tofu)' -maxdepth 1 -type f -exec cat {} +)

    if [[ ! $all_tf_content ]]; then
-      common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.tf files."
+      common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.(tf|tofu) files."
      continue
    fi