From 407a900bbc18ea535dcced35277fabb774d91b00 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Jun 2025 12:28:37 +0000 Subject: [PATCH 01/25] gh-actions: bump cycjimmy/semantic-release-action from 4.2.0 to 4.2.1 Bumps [cycjimmy/semantic-release-action](https://github.com/cycjimmy/semantic-release-action) from 4.2.0 to 4.2.1. - [Release notes](https://github.com/cycjimmy/semantic-release-action/releases) - [Changelog](https://github.com/cycjimmy/semantic-release-action/blob/main/docs/CHANGELOG.md) - [Commits](https://github.com/cycjimmy/semantic-release-action/compare/0a51e81a6baff2acad3ee88f4121c589c73d0f0e...c4a2fa890676fc2db25ad0aacd8ab4a0f1f4c024) --- updated-dependencies: - dependency-name: cycjimmy/semantic-release-action dependency-version: 4.2.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 385b387..716bc60 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,7 +24,7 @@ jobs: fetch-depth: 0 - name: Release - uses: cycjimmy/semantic-release-action@0a51e81a6baff2acad3ee88f4121c589c73d0f0e # v4.2.0 + uses: cycjimmy/semantic-release-action@c4a2fa890676fc2db25ad0aacd8ab4a0f1f4c024 # v4.2.1 with: semantic_version: 18.0.0 extra_plugins: | From d94583baf874f48ce56fa3071c384801b46e64df Mon Sep 17 00:00:00 2001 From: Benjamin Richter Date: Wed, 18 Jun 2025 12:24:20 +0200 Subject: [PATCH 02/25] Update README.md fix tofu_fmt heading --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 73c4bb0..023ad0c 100644 --- a/README.md +++ b/README.md 
@@ -552,7 +552,7 @@ To replicate functionality in `tofu_docs` hook: - --args=--config=.terraform-docs.yml ``` -### terraftofu_fmtorm_fmt +### tofu_fmt 1. `tofu_fmt` supports custom arguments so you can pass [supported flags](https://www.terraform.io/docs/cli/commands/fmt.html#usage). Eg: From 977d08e2d1627a6f7cebe28b637b4bc4fae9eff3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Jul 2025 14:24:37 +0000 Subject: [PATCH 03/25] gh-actions: bump cycjimmy/semantic-release-action from 4.2.1 to 4.2.2 Bumps [cycjimmy/semantic-release-action](https://github.com/cycjimmy/semantic-release-action) from 4.2.1 to 4.2.2. - [Release notes](https://github.com/cycjimmy/semantic-release-action/releases) - [Changelog](https://github.com/cycjimmy/semantic-release-action/blob/main/docs/CHANGELOG.md) - [Commits](https://github.com/cycjimmy/semantic-release-action/compare/c4a2fa890676fc2db25ad0aacd8ab4a0f1f4c024...16ca923e6ccbb50770c415a0ccd43709a8c5f7a4) --- updated-dependencies: - dependency-name: cycjimmy/semantic-release-action dependency-version: 4.2.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 716bc60..78d7954 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,7 +24,7 @@ jobs: fetch-depth: 0 - name: Release - uses: cycjimmy/semantic-release-action@c4a2fa890676fc2db25ad0aacd8ab4a0f1f4c024 # v4.2.1 + uses: cycjimmy/semantic-release-action@16ca923e6ccbb50770c415a0ccd43709a8c5f7a4 # v4.2.2 with: semantic_version: 18.0.0 extra_plugins: | From b2658a3f8e7a1f379343d9fbba4f9597d0ef1c9e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Aug 2025 17:26:54 +0000 Subject: [PATCH 04/25] gh-actions: bump actions/checkout from 4 to 5 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Commits](https://github.com/actions/checkout/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build-image-test.yaml | 2 +- .github/workflows/build-image.yaml | 2 +- .github/workflows/pre-commit.yaml | 4 ++-- .github/workflows/release.yml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml index 1003867..0abc018 100644 --- a/.github/workflows/build-image-test.yaml +++ b/.github/workflows/build-image-test.yaml @@ -9,7 +9,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index 2d0c497..68a054f 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Set up QEMU uses: docker/setup-qemu-action@v3 diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml index 3fab3c2..a8e86e6 100644 --- a/.github/workflows/pre-commit.yaml +++ b/.github/workflows/pre-commit.yaml 
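Review bot: In the build-image.yaml hunk of PATCH 04/25 the new line `uses: actions/checkout@v5` stays on a mutable tag, while the same bump in build-image-test.yaml, pre-commit.yaml and release.yml pins a full commit SHA with a version comment. A tag can be re-pointed after review, and this is the workflow whose later hunks show registry logins using `secrets.GITHUB_TOKEN` and `secrets.DOCKERHUB_USER`, so it is the one where an unpinned action matters most. Pin it like the sibling files: `uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`. The same applies to `actions/checkout@v5.0.1` in PATCH 16/25 and `docker/login-action@v4` in PATCH 18/25, and to the context lines `docker/setup-qemu-action@v3` and `docker/setup-buildx-action@v3`; SHAs for the docker actions are not on this page and have to be taken from their release pages. The job's step list starts and ends outside the hunk.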
@@ -6,7 +6,7 @@ jobs: pre-commit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - run: | git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* @@ -31,7 +31,7 @@ jobs: curl -L "$(curl -s https://api.github.com/repos/hadolint/hadolint/releases/latest | grep -o -E -m 1 "https://.+?/hadolint-Linux-x86_64")" > hadolint \ && chmod +x hadolint && sudo mv hadolint /usr/bin/ # Need to success pre-commit fix push - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 78d7954..cf3441c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false fetch-depth: 0 From f81b28692c07dfd206871b74736a17d658b2d765 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Aug 2025 11:43:05 +0000 Subject: [PATCH 05/25] gh-actions: bump amannn/action-semantic-pull-request from 5.5.3 to 6.1.1 Bumps [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) from 5.5.3 to 6.1.1. - [Release notes](https://github.com/amannn/action-semantic-pull-request/releases) - [Changelog](https://github.com/amannn/action-semantic-pull-request/blob/main/CHANGELOG.md) - [Commits](https://github.com/amannn/action-semantic-pull-request/compare/0723387faaf9b38adef4775cd42cfd5155ed6017...48f256284bd46cdaab1048c3721360e808335d50) --- updated-dependencies: - dependency-name: amannn/action-semantic-pull-request dependency-version: 6.1.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/pr-title.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 19e48a4..3d86d51 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -14,7 +14,7 @@ jobs: steps: # Please look up the latest version from # https://github.com/amannn/action-semantic-pull-request/releases - - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 + - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: From a4ae94e826b69eb34265d7033a45c25d91a3cedd Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Sep 2025 23:11:04 +0000 Subject: [PATCH 06/25] gh-actions: bump cycjimmy/semantic-release-action from 4.2.2 to 5.0.0 Bumps [cycjimmy/semantic-release-action](https://github.com/cycjimmy/semantic-release-action) from 4.2.2 to 5.0.0. - [Release notes](https://github.com/cycjimmy/semantic-release-action/releases) - [Changelog](https://github.com/cycjimmy/semantic-release-action/blob/main/docs/CHANGELOG.md) - [Commits](https://github.com/cycjimmy/semantic-release-action/compare/16ca923e6ccbb50770c415a0ccd43709a8c5f7a4...9cc899c47e6841430bbaedb43de1560a568dfd16) --- updated-dependencies: - dependency-name: cycjimmy/semantic-release-action dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cf3441c..c1c049b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,7 +24,7 @@ jobs: fetch-depth: 0 - name: Release - uses: cycjimmy/semantic-release-action@16ca923e6ccbb50770c415a0ccd43709a8c5f7a4 # v4.2.2 + uses: cycjimmy/semantic-release-action@9cc899c47e6841430bbaedb43de1560a568dfd16 # v5.0.0 with: semantic_version: 18.0.0 extra_plugins: | From 84d857a5ae5e3758cf01b4443087966d4d88993c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Sep 2025 13:18:51 +0000 Subject: [PATCH 07/25] gh-actions: bump actions/setup-python from 5.6.0 to 6.0.0 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.6.0 to 6.0.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/a26af69be951a213d495a4c3e4e4022e16d87065...e797f83bcb11b83ae66e0230d6156d7c80228e7c) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/pre-commit.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml index a8e86e6..96ca101 100644 --- a/.github/workflows/pre-commit.yaml +++ b/.github/workflows/pre-commit.yaml @@ -36,7 +36,7 @@ jobs: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} # Skip tofu_tflint which interferes to commit pre-commit auto-fixes - - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: '3.9' - name: Execute pre-commit From f2b0eb603a22d4dd6b5d8d532dc7542cb22bf3f4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Sep 2025 14:02:40 +0000 Subject: [PATCH 08/25] gh-actions: bump actions/stale from 9.1.0 to 10.0.0 Bumps [actions/stale](https://github.com/actions/stale) from 9.1.0 to 10.0.0. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/5bef64f19d7facfb25b37b414482c7164d639639...3a9db7e6a41a89f618792c92c0e97cc736e1b13f) --- updated-dependencies: - dependency-name: actions/stale dependency-version: 10.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/stale-actions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale-actions.yaml b/.github/workflows/stale-actions.yaml index 802c138..d797c08 100644 --- a/.github/workflows/stale-actions.yaml +++ b/.github/workflows/stale-actions.yaml @@ -7,7 +7,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 + - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} # Staling issues and PR's From f9d6074ab09f09e5fe2ce8e619349b81aec9e403 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Sep 2025 12:30:24 +0000 Subject: [PATCH 09/25] gh-actions: bump tj-actions/changed-files from 46.0.5 to 47.0.0 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 46.0.5 to 47.0.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/ed68ef82c095e0d48ec87eccea555d944a631a4c...24d32ffd492484c1d75e0c0b894501ddb9d30d62) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-version: 47.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build-image-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml index 0abc018..1a518e0 100644 --- a/.github/workflows/build-image-test.yaml +++ b/.github/workflows/build-image-test.yaml @@ -15,7 +15,7 @@ jobs: - name: Get changed Dockerfile id: changed-files-specific - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0 with: files: | Dockerfile From f1a589bd124b277cc02fcbf04ee05017fb8822c0 Mon Sep 17 00:00:00 2001 From: widnyana Date: Thu, 9 Oct 2025 16:23:02 +0700 Subject: [PATCH 10/25] fix: replace deprecated hclfmt with hcl format command Replace deprecated `terragrunt hclfmt` command with the recommended `terragrunt hcl format` to eliminate deprecation warnings. Resolves warning: "The `hclfmt` command is deprecated and will be removed in a future version of Terragrunt." Signed-off-by: widnyana --- hooks/terragrunt_fmt.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/hooks/terragrunt_fmt.sh b/hooks/terragrunt_fmt.sh index 7c78b92..0b4165a 100755 --- a/hooks/terragrunt_fmt.sh +++ b/hooks/terragrunt_fmt.sh @@ -12,7 +12,7 @@ function main { common::parse_cmdline "$@" common::export_provided_env_vars "${ENV_VARS[@]}" common::parse_and_export_env_vars - # JFYI: terragrunt hclfmt color already suppressed via PRE_COMMIT_COLOR=never + # JFYI: terragrunt hcl format color already suppressed via PRE_COMMIT_COLOR=never # shellcheck disable=SC2153 # False positive common::per_dir_hook "$HOOK_ID" "${#ARGS[@]}" "${ARGS[@]}" "${FILES[@]}" @@ -40,7 +40,7 @@ function per_dir_hook_unique_part { local -a -r args=("$@") # pass the arguments to hook - terragrunt hclfmt "${args[@]}" + terragrunt hcl format "${args[@]}" # return exit code to common::per_dir_hook local exit_code=$? @@ -57,7 +57,7 @@ function run_hook_on_whole_repo { local -a -r args=("$@") # pass the arguments to hook - terragrunt hclfmt "$(pwd)" "${args[@]}" + terragrunt hcl format "$(pwd)" "${args[@]}" # return exit code to common::per_dir_hook local exit_code=$? From 211d65d43d91eb474c630a8dd82d205a2f889eee Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 9 Oct 2025 11:22:49 +0000 Subject: [PATCH 11/25] gh-actions: bump cycjimmy/semantic-release-action from 5.0.0 to 5.0.1 Bumps [cycjimmy/semantic-release-action](https://github.com/cycjimmy/semantic-release-action) from 5.0.0 to 5.0.1. - [Release notes](https://github.com/cycjimmy/semantic-release-action/releases) - [Changelog](https://github.com/cycjimmy/semantic-release-action/blob/main/docs/CHANGELOG.md) - [Commits](https://github.com/cycjimmy/semantic-release-action/compare/9cc899c47e6841430bbaedb43de1560a568dfd16...ebcbc663748eae8da59a127a7d8b8e22f82514b2) --- updated-dependencies: - dependency-name: cycjimmy/semantic-release-action dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... 
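Review bot: All three hunks in hooks/terragrunt_fmt.sh (PATCH 10/25) switch to `terragrunt hcl format` unconditionally, so the hook now depends on a Terragrunt release that provides the `hcl` command group; on an older binary the calls in `per_dir_hook_unique_part` and `run_hook_on_whole_repo` would presumably fail outright instead of printing a deprecation warning. PATCH 19/25 in this series handles the same CLI change for its new hook with a version check (`terragrunt_version_ge_0_78`) and a legacy fallback. The same gate would fit here; failing that, the README should state the minimum Terragrunt version that `terragrunt_fmt` now requires. Both function bodies start and end outside the hunks.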
Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c1c049b..200ef37 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,7 +24,7 @@ jobs: fetch-depth: 0 - name: Release - uses: cycjimmy/semantic-release-action@9cc899c47e6841430bbaedb43de1560a568dfd16 # v5.0.0 + uses: cycjimmy/semantic-release-action@ebcbc663748eae8da59a127a7d8b8e22f82514b2 # v5.0.1 with: semantic_version: 18.0.0 extra_plugins: | From 430f50f0bd82b5ac7ac0cb132c05b609705e9308 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Oct 2025 11:22:34 +0000 Subject: [PATCH 12/25] gh-actions: bump cycjimmy/semantic-release-action from 5.0.1 to 5.0.2 Bumps [cycjimmy/semantic-release-action](https://github.com/cycjimmy/semantic-release-action) from 5.0.1 to 5.0.2. - [Release notes](https://github.com/cycjimmy/semantic-release-action/releases) - [Changelog](https://github.com/cycjimmy/semantic-release-action/blob/main/docs/CHANGELOG.md) - [Commits](https://github.com/cycjimmy/semantic-release-action/compare/ebcbc663748eae8da59a127a7d8b8e22f82514b2...ba330626c4750c19d8299de843f05c7aa5574f62) --- updated-dependencies: - dependency-name: cycjimmy/semantic-release-action dependency-version: 5.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 200ef37..d75e4e3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -24,7 +24,7 @@ jobs: fetch-depth: 0 - name: Release - uses: cycjimmy/semantic-release-action@ebcbc663748eae8da59a127a7d8b8e22f82514b2 # v5.0.1 + uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: semantic_version: 18.0.0 extra_plugins: | From a3716be334939ca767ac9113bcf8e78beaf1fce4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Oct 2025 12:21:03 +0000 Subject: [PATCH 13/25] gh-actions: bump MaxymVlasov/dive-action from 1.5.0 to 1.5.1 Bumps [MaxymVlasov/dive-action](https://github.com/maxymvlasov/dive-action) from 1.5.0 to 1.5.1. - [Release notes](https://github.com/maxymvlasov/dive-action/releases) - [Commits](https://github.com/maxymvlasov/dive-action/compare/b08c8287e603d028c986d7044e83fa76bcca6a65...fafb796951b322cc4926b8a5eafda89ab9de8edf) --- updated-dependencies: - dependency-name: MaxymVlasov/dive-action dependency-version: 1.5.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/build-image-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml index 1a518e0..0346a8f 100644 --- a/.github/workflows/build-image-test.yaml +++ b/.github/workflows/build-image-test.yaml @@ -52,7 +52,7 @@ jobs: - name: Dive - check image for waste files if: steps.changed-files-specific.outputs.any_changed == 'true' - uses: MaxymVlasov/dive-action@b08c8287e603d028c986d7044e83fa76bcca6a65 # v1.5.0 + uses: MaxymVlasov/dive-action@fafb796951b322cc4926b8a5eafda89ab9de8edf # v1.5.1 with: image: ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }} config-file: ${{ github.workspace }}/.github/.dive-ci.yaml From 10864545ddc58bd96330029b6bff16da3d072237 Mon Sep 17 00:00:00 2001 
From: semantic-release-bot Date: Wed, 22 Oct 2025 12:57:51 +0000 Subject: [PATCH 14/25] chore(release): version 2.2.2 [skip ci] ## [2.2.2](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.2.1...v2.2.2) (2025-10-22) ### Bug Fixes * replace deprecated hclfmt with hcl format command ([f1a589b](https://github.com/tofuutils/pre-commit-opentofu/commit/f1a589bd124b277cc02fcbf04ee05017fb8822c0)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c0f74a..9e2ef95 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [2.2.2](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.2.1...v2.2.2) (2025-10-22) + + +### Bug Fixes + +* replace deprecated hclfmt with hcl format command ([f1a589b](https://github.com/tofuutils/pre-commit-opentofu/commit/f1a589bd124b277cc02fcbf04ee05017fb8822c0)) + ## [2.2.1](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.2.0...v2.2.1) (2025-06-04) From c3397c32d9a9a4c105306b9ba65251ec3e6061fa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Nov 2025 11:21:09 +0000 Subject: [PATCH 15/25] gh-actions: bump cycjimmy/semantic-release-action from 5.0.2 to 6.0.0 Bumps [cycjimmy/semantic-release-action](https://github.com/cycjimmy/semantic-release-action) from 5.0.2 to 6.0.0. - [Release notes](https://github.com/cycjimmy/semantic-release-action/releases) - [Changelog](https://github.com/cycjimmy/semantic-release-action/blob/main/docs/CHANGELOG.md) - [Commits](https://github.com/cycjimmy/semantic-release-action/compare/ba330626c4750c19d8299de843f05c7aa5574f62...b12c8f6015dc215fe37bc154d4ad456dd3833c90) --- updated-dependencies: - dependency-name: cycjimmy/semantic-release-action dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d75e4e3..3233cf3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,7 +24,7 @@ jobs: fetch-depth: 0 - name: Release - uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 + uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0 with: semantic_version: 18.0.0 extra_plugins: | From 624daa51ed46971066ba8c3f27203af8906dbbdc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Nov 2025 11:21:15 +0000 Subject: [PATCH 16/25] gh-actions: bump actions/checkout from 5.0.0 to 5.0.1 Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.0 to 5.0.1. - [Release notes](https://github.com/actions/checkout/releases) - [Commits](https://github.com/actions/checkout/compare/v5...v5.0.1) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/build-image-test.yaml | 2 +- .github/workflows/build-image.yaml | 2 +- .github/workflows/pre-commit.yaml | 4 ++-- .github/workflows/release.yml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml index 0346a8f..9f56ead 100644 --- a/.github/workflows/build-image-test.yaml +++ b/.github/workflows/build-image-test.yaml @@ -9,7 +9,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: fetch-depth: 0 
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index 68a054f..26460e7 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@v5.0.1 - name: Set up QEMU uses: docker/setup-qemu-action@v3 diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml index 96ca101..1e873b6 100644 --- a/.github/workflows/pre-commit.yaml +++ b/.github/workflows/pre-commit.yaml @@ -6,7 +6,7 @@ jobs: pre-commit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - run: | git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* @@ -31,7 +31,7 @@ jobs: curl -L "$(curl -s https://api.github.com/repos/hadolint/hadolint/releases/latest | grep -o -E -m 1 "https://.+?/hadolint-Linux-x86_64")" > hadolint \ && chmod +x hadolint && sudo mv hadolint /usr/bin/ # Need to success pre-commit fix push - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d75e4e3..1b5d4f9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false fetch-depth: 0 From 4f6be1dd0d6849fb63712b37b5fc3fe3b92201bd Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Mar 2026 11:06:54 +0000 Subject: [PATCH 17/25] gh-actions: bump tj-actions/changed-files from 47.0.0 to 47.0.5 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 47.0.0 to 47.0.5. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/24d32ffd492484c1d75e0c0b894501ddb9d30d62...22103cc46bda19c2b464ffe86db46df6922fd323) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-version: 47.0.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/build-image-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml index 9f56ead..c7223f0 100644 --- a/.github/workflows/build-image-test.yaml +++ b/.github/workflows/build-image-test.yaml @@ -15,7 +15,7 @@ jobs: - name: Get changed Dockerfile id: changed-files-specific - uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0 + uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5 with: files: | Dockerfile From 50351cae8e48bc4b8366af3b9fe370176c17c0c5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Mar 2026 11:07:57 +0000 Subject: [PATCH 18/25] gh-actions: bump docker/login-action from 3 to 4 Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build-image.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index 26460e7..3bf9105 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -22,7 +22,7 @@ jobs: uses: docker/setup-buildx-action@v3 - name: Login to ghcr.io - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -66,7 +66,7 @@ jobs: "github_token=${{ secrets.GITHUB_TOKEN }}" - name: Login to DockerHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: registry.hub.docker.com username: ${{ secrets.DOCKERHUB_USER }} From 0ca9eca3823420f31d09c62bf1672bea03ca3e07 Mon Sep 17 00:00:00 2001 From: mketteringham Date: Tue, 21 Apr 2026 11:31:02 +0100 Subject: [PATCH 19/25] feat: add terragrunt_validate_inputs hook Signed-off-by: mketteringham --- .pre-commit-hooks.yaml | 8 ++ README.md | 29 +++- hooks/_common.sh | 2 +- hooks/terragrunt_validate_inputs.sh | 198 ++++++++++++++++++++++++++++ 4 files changed, 235 insertions(+), 2 deletions(-) create mode 100755 hooks/terragrunt_validate_inputs.sh diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index c5c5f66..8af3d6e 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml 
@@ -90,6 +90,14 @@ files: (\.hcl)$ exclude: \.terraform\/.*$ +- id: terragrunt_validate_inputs + name: Terragrunt validate inputs + description: Validates Terragrunt unused and undefined inputs. + entry: hooks/terragrunt_validate_inputs.sh + language: script + files: (\.hcl)$ + exclude: \.terraform\/.*$ + - id: tofu_tfsec name: OpenTofu validate with tfsec (deprecated, use "tofu_trivy") description: diff --git a/README.md b/README.md index 023ad0c..afb9387 100644 --- a/README.md +++ b/README.md @@ -60,7 +60,7 @@ If you are using `pre-commit-opentofu` already or want to support its developmen
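Review bot: The new `terragrunt_validate_inputs` entry in .pre-commit-hooks.yaml (PATCH 19/25) leaves parallel execution on, while the README section added in the same commit tells users to set `require_serial: true` when Terragrunt reports `.terragrunt-cache` download or `file exists` errors. If those errors come from concurrent hook processes sharing a cache directory, shipping `require_serial: true` in the hook definition would make the reliable behaviour the default rather than something each consumer has to discover. Otherwise a comment above the entry, such as `# may race on .terragrunt-cache when run in parallel, see README`, would at least record the known limitation next to the definition.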

* [`checkov`](https://github.com/bridgecrewio/checkov) required for `tofu_checkov` hook. * [`terraform-docs`](https://github.com/terraform-docs/terraform-docs) required for `tofu_docs` hook. -* [`terragrunt`](https://terragrunt.gruntwork.io/docs/getting-started/install/) required for `terragrunt_validate` hook. +* [`terragrunt`](https://terragrunt.gruntwork.io/docs/getting-started/install/) required for `terragrunt_validate` and `terragrunt_validate_inputs` hooks. * [`terrascan`](https://github.com/tenable/terrascan) required for `terrascan` hook. * [`TFLint`](https://github.com/terraform-linters/tflint) required for `tofu_tflint` hook. * [`TFSec`](https://github.com/liamg/tfsec) required for `tofu_tfsec` hook. @@ -266,6 +266,32 @@ TAG=latest docker run --rm --entrypoint cat tofuutils/pre-commit-opentofu:$TAG /usr/bin/tools_versions_info ``` +### Example: Terragrunt Input Validation + +Use `terragrunt_validate_inputs` to check that Terragrunt inputs line up with the module variables they are passed into: + +```yaml +repos: +- repo: https://github.com/tofuutils/pre-commit-opentofu + rev: # Get the latest from: https://github.com/tofuutils/pre-commit-opentofu/releases + hooks: + - id: terragrunt_fmt + - id: terragrunt_validate_inputs + args: + - --args=--terragrunt-strict-validate +``` + +> **Note**: This hook automatically uses `terragrunt validate-inputs` for older Terragrunt releases and `terragrunt hcl validate --inputs` for newer releases. +> +> If Terragrunt reports intermittent `.terragrunt-cache` download or `file exists` errors in your repository, run this hook serially in your consumer configuration: +> +> ```yaml +> - id: terragrunt_validate_inputs +> require_serial: true +> args: +> - --args=--terragrunt-strict-validate +> ``` + ## Available Hooks There are several [pre-commit](https://pre-commit.com/) hooks to keep OpenTofu configurations (both `*.tf` and `*.tfvars`) and Terragrunt configurations (`*.hcl`) in a good shape: 
@@ -286,6 +312,7 @@ There are several [pre-commit](https://pre-commit.com/) hooks to keep OpenTofu c | `tofu_validate` | Validates all Terraform configuration files. [Hook notes](#tofu_validate) | `jq`, only for `--retry-once-with-cleanup` flag | | `terragrunt_fmt` | Reformat all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) to a canonical format. | `terragrunt` | | `terragrunt_validate` | Validates all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) | `terragrunt` | +| `terragrunt_validate_inputs` | Validates Terragrunt unused and undefined inputs. | `terragrunt` | | `tofu_wrapper_module_for_each` | Generates OpenTofu wrappers with `for_each` in module. [Hook notes](#terraform_wrapper_module_for_each) | `hcledit` | | `terrascan` | [terrascan](https://github.com/tenable/terrascan) Detect compliance and security violations. [Hook notes](#terrascan) | `terrascan` | | `tfupdate` | [tfupdate](https://github.com/minamijoyo/tfupdate) Update version constraints of OpenTofu core, providers, and modules. [Hook notes](#tfupdate) | `tfupdate` | diff --git a/hooks/_common.sh b/hooks/_common.sh index 133e457..3f4bdc4 100644 --- a/hooks/_common.sh +++ b/hooks/_common.sh @@ -112,7 +112,7 @@ function common::parse_and_export_env_vars { while true; do # Check if at least 1 env var exists in `$arg` # shellcheck disable=SC2016 # '${' should not be expanded - if [[ "$arg" =~ .*'${'[A-Z_][A-Z0-9_]+?'}'.* ]]; then + if [[ "$arg" =~ .*'${'[A-Z_][A-Z0-9_]*'}'.* ]]; then # Get `ENV_VAR` from `.*${ENV_VAR}.*` local env_var_name=${arg#*$\{} env_var_name=${env_var_name%%\}*} diff --git a/hooks/terragrunt_validate_inputs.sh b/hooks/terragrunt_validate_inputs.sh new file mode 100755 index 0000000..a7b0f78 --- /dev/null +++ b/hooks/terragrunt_validate_inputs.sh 
@@ -0,0 +1,198 @@ +#!/usr/bin/env bash +set -eo pipefail + +# globals variables +# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines +readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +# shellcheck source=_common.sh +. "$SCRIPT_DIR/_common.sh" + +function main { + common::initialize "$SCRIPT_DIR" + common::parse_cmdline "$@" + common::export_provided_env_vars "${ENV_VARS[@]}" + common::parse_and_export_env_vars + # JFYI: terragrunt validate color already suppressed via PRE_COMMIT_COLOR=never + + if terragrunt_version_ge_0_78; then + normalize_validate_args_for_modern_terragrunt + readonly SUBCOMMAND=("hcl" "validate" "--inputs") + readonly RUN_ALL_SUBCOMMAND=("run" "--all" "hcl" "validate" "--inputs") + + # shellcheck disable=SC2153 # False positive + common::per_dir_hook "$HOOK_ID" "${#ARGS[@]}" "${ARGS[@]}" "${FILES[@]}" + return + fi + + run_legacy_validate_inputs +} + +function normalize_validate_args_for_modern_terragrunt { + local arg_idx + + for arg_idx in "${!ARGS[@]}"; do + case "${ARGS[$arg_idx]}" in + --terragrunt-strict-validate|--strict-validate) + ARGS[$arg_idx]="--strict" + ;; + esac + done +} + +function terragrunt_version_ge_0_78 { + local version_raw + local version + local major + local minor + + version_raw=$(terragrunt --version 2>/dev/null || true) + version=$(echo "$version_raw" | sed -E 's/.*v?([0-9]+)\.([0-9]+)\.([0-9]+).*/\1.\2.\3/') + + if [[ ! $version =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + return 1 + fi + + IFS=. 
read -r major minor _ <<< "$version" + + if ((major > 0)); then + return 0 + fi + + if ((minor >= 78)); then + return 0 + fi + + return 1 +} + +function run_legacy_validate_inputs { + local -a unit_dirs=() + local final_exit_code=0 + local dir_path + + while read -r dir_path; do + if [[ -n $dir_path ]]; then + unit_dirs+=("$dir_path") + fi + done < <(legacy_unit_dirs_from_files) + + if [[ ${#unit_dirs[@]} -eq 0 ]]; then + return 0 + fi + + # preserve errexit status + shopt -qo errexit && ERREXIT_IS_SET=true + set +e + + for dir_path in "${unit_dirs[@]}"; do + pushd "$dir_path" > /dev/null || continue + terragrunt validate-inputs "${ARGS[@]}" + + local exit_code=$? + if [ $exit_code -ne 0 ]; then + final_exit_code=$exit_code + fi + + popd > /dev/null + done + + [[ $ERREXIT_IS_SET ]] && set -e + exit $final_exit_code +} + +function legacy_unit_dirs_from_files { + local -a unit_files=() + local file_with_path + local file_dir + local file_name + + if common::is_hook_run_on_whole_repo "$HOOK_ID" "${FILES[@]}"; then + find . -type f -name terragrunt.hcl \ + -not -path '*/.terragrunt-cache/*' \ + -not -path '*/.terraform/*' \ + | sort -u | while read -r unit_file; do + dirname "$unit_file" + done + return + fi + + for file_with_path in "${FILES[@]}"; do + file_dir=$(dirname "$file_with_path") + file_name=$(basename "$file_with_path") + + if [[ $file_name == terragrunt.hcl ]]; then + unit_files+=("$file_with_path") + continue + fi + + while read -r unit_file; do + if [[ -n $unit_file ]]; then + unit_files+=("$unit_file") + fi + done < <(find "$file_dir" -type f -name terragrunt.hcl \ + -not -path '*/.terragrunt-cache/*' \ + -not -path '*/.terraform/*' | sort -u) + done + + if [[ ${#unit_files[@]} -eq 0 ]]; then + find . 
-type f -name terragrunt.hcl \ + -not -path '*/.terragrunt-cache/*' \ + -not -path '*/.terraform/*' \ + | sort -u | while read -r unit_file; do + dirname "$unit_file" + done + return + fi + + printf '%s\n' "${unit_files[@]}" | sort -u | while read -r unit_file; do + dirname "$unit_file" + done +} + +####################################################################### +# Unique part of `common::per_dir_hook`. The function is executed in loop +# on each provided dir path. Run wrapped tool with specified arguments +# Arguments: +# dir_path (string) PATH to dir relative to git repo root. +# Can be used in error logging +# change_dir_in_unique_part (string/false) Modifier which creates +# possibilities to use non-common chdir strategies. +# Availability depends on hook. +# args (array) arguments that configure wrapped tool behavior +# Outputs: +# If failed - print out hook checks status +####################################################################### +function per_dir_hook_unique_part { + # shellcheck disable=SC2034 # Unused var. + local -r dir_path="$1" + # shellcheck disable=SC2034 # Unused var. + local -r change_dir_in_unique_part="$2" + shift 2 + local -a -r args=("$@") + + # pass the arguments to hook + terragrunt "${SUBCOMMAND[@]}" "${args[@]}" + + # return exit code to common::per_dir_hook + local exit_code=$? + return $exit_code +} + +####################################################################### +# Unique part of `common::per_dir_hook`. The function is executed one time +# in the root git repo +# Arguments: +# args (array) arguments that configure wrapped tool behavior +####################################################################### +function run_hook_on_whole_repo { + local -a -r args=("$@") + + # pass the arguments to hook + terragrunt "${RUN_ALL_SUBCOMMAND[@]}" "${args[@]}" + + # return exit code to common::per_dir_hook + local exit_code=$? + return $exit_code +} + +[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@" 
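Review bot: In `run_legacy_validate_inputs`, `pushd "$dir_path" > /dev/null || continue` skips a unit directory that cannot be entered without touching `final_exit_code`, so the hook can exit 0 for a unit that was never validated. A validation hook should fail closed here, for example `pushd "$dir_path" > /dev/null || { final_exit_code=1; continue; }`. Separately, in `terragrunt_version_ge_0_78` the leading greedy `.*` in the sed expression can absorb all but the last digit of a multi-digit major version, so a hypothetical `v10.2.3` would be read as `0.2.3` and routed to the legacy path. Starting the match at the first digit, as in `s/^[^0-9]*([0-9]+)\.([0-9]+)\.([0-9]+).*/\1.\2.\3/`, avoids that.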
From ba566610310affb03b323a94f13f560d3e027c68 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Tue, 21 Apr 2026 11:00:03 +0000 Subject: [PATCH 20/25] chore(release): version 2.3.0 [skip ci] # [2.3.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.2.2...v2.3.0) (2026-04-21) ### Features * add terragrunt_validate_inputs hook ([0ca9eca](https://github.com/tofuutils/pre-commit-opentofu/commit/0ca9eca3823420f31d09c62bf1672bea03ca3e07)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9e2ef95..c631c8c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +# [2.3.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.2.2...v2.3.0) (2026-04-21) + + +### Features + +* add terragrunt_validate_inputs hook ([0ca9eca](https://github.com/tofuutils/pre-commit-opentofu/commit/0ca9eca3823420f31d09c62bf1672bea03ca3e07)) + ## [2.2.2](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.2.1...v2.2.2) (2025-10-22) From 451aaa59b552eb3913629c835af8b6b568aab120 Mon Sep 17 00:00:00 2001 From: Michael Rosenfeld Date: Sun, 24 May 2026 21:48:09 -0400 Subject: [PATCH 21/25] fix: expand file extension patterns for tofu hooks Update file matching patterns in .pre-commit-hooks.yaml to support .tofu, .tfvars, and other relevant extensions for OpenTofu workflows. Also clarify log message in tofu_wrapper_module_for_each.sh for missing files. Signed-off-by: Michael Rosenfeld --- .pre-commit-hooks.yaml | 18 +++++++++--------- hooks/tofu_wrapper_module_for_each.sh | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index 8af3d6e..d60a3e5 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml 
@@ -4,7 +4,7 @@ entry: hooks/infracost_breakdown.sh language: script require_serial: true - files: \.((tf|tofu)(vars)?|hcl)$ + files: \.(tf|tofu|tfvars|hcl)$ exclude: \.terraform\/.*$ - id: tofu_fmt @@ -12,7 +12,7 @@ description: Rewrites all OpenTofu configuration files to a canonical format. entry: hooks/tofu_fmt.sh language: script - files: \.(tf|tofu)(vars)?$ + files: \.(tf|tofu|tfvars|(tftest|tofutest|tfmock|tfquery)\.hcl)$ exclude: \.terraform\/.*$ - id: tofu_docs @@ -23,7 +23,7 @@ require_serial: true entry: hooks/tofu_docs.sh language: script - files: (\.(tf|tofu)|\.terraform\.lock\.hcl)$ + files: \.(tf|tofu|terraform\.lock\.hcl)$ exclude: \.terraform\/.*$ - id: tofu_docs_without_aggregate_type_defaults @@ -52,7 +52,7 @@ require_serial: true entry: hooks/tofu_validate.sh language: script - files: \.(tf|tofu)(vars)?$ + files: \.(tf|tofu|tfvars|terraform\.lock\.hcl)$ exclude: \.terraform\/.*$ - id: tofu_providers_lock @@ -70,7 +70,7 @@ require_serial: true entry: hooks/tofu_tflint.sh language: script - files: \.(tf|tofu)(vars)?$ + files: \.(tf|tofu|tfvars)$ exclude: \.terraform\/.*$ - id: terragrunt_fmt @@ -104,7 +104,7 @@ Static analysis of OpenTofu templates to spot potential security issues. require_serial: true entry: hooks/tofu_tfsec.sh - files: \.(tf|tofu)(vars)?$ + files: \.(tf|tofu|tfvars)$ language: script - id: tofu_trivy @@ -113,7 +113,7 @@ Static analysis of OpenTofu templates to spot potential security issues. require_serial: true entry: hooks/tofu_trivy.sh - files: \.(tf|tofu)(vars)?$ + files: \.(tf|tofu|tfvars)$ language: script - id: checkov @@ -123,7 +123,7 @@ language: python pass_filenames: false always_run: false - files: \.tf$ + files: \.(tf|tofu)$ exclude: \.terraform\/.*$ require_serial: true @@ -145,7 +145,7 @@ pass_filenames: false always_run: false require_serial: true - files: \.tf$ + files: \.(tf|tofu)$ exclude: \.terraform\/.*$ - id: terrascan 
diff --git a/hooks/tofu_wrapper_module_for_each.sh b/hooks/tofu_wrapper_module_for_each.sh index c87db22..4572b58 100755 --- a/hooks/tofu_wrapper_module_for_each.sh +++ b/hooks/tofu_wrapper_module_for_each.sh @@ -315,7 +315,7 @@ EOF all_tf_content=$(find "${full_module_dir}" -regex '.*\.(tf|tofu)' -maxdepth 1 -type f -exec cat {} +) if [[ ! $all_tf_content ]]; then - common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.(tf|tofu) files." + common::colorify "yellow" "Skipping ${full_module_dir} because there are no .tf or .tofu files." continue fi From 9624cc8f24177378449203194b4f0ee71bc6c1a0 Mon Sep 17 00:00:00 2001 From: Michael Rosenfeld Date: Sun, 24 May 2026 22:01:30 -0400 Subject: [PATCH 22/25] feat: support .tofu file extension and update hooks/tools Add support for the `.tofu` file extension in OpenTofu config matching and documentation. Update pre-commit hooks, regex, and README to reflect support for `.tofu` files alongside `.tf` and `.tfvars`. Fix minor shell quoting and array assignment issues. Upgrade pre-commit-hooks to v6.0.0. Signed-off-by: Michael Rosenfeld --- .github/workflows/build-image.yaml | 1 - .pre-commit-config.yaml | 2 +- Dockerfile | 3 +-- README.md | 6 ++++-- hooks/_common.sh | 2 +- hooks/terragrunt_validate_inputs.sh | 14 +++++++------- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index 3bf9105..a79e218 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -98,4 +98,3 @@ jobs: tags: | registry.hub.docker.com/tofuutils/pre-commit-opentofu:nightly provenance: false - diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 17fc5a6..e801df2 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v6.0.0 hooks: # Git style - id: check-added-large-files 
diff --git a/Dockerfile b/Dockerfile index 1616bfd..6699cb2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -22,7 +22,7 @@ RUN [ ${PRE_COMMIT_VERSION} = "latest" ] && pip3 install --no-cache-dir pre-comm RUN curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip \ && curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_SHA256SUMS \ - && [ $(sha256sum "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" | cut -f 1 -d ' ') = "$(grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" tofu_*_SHA256SUMS | cut -f 1 -d ' ')" ] \ + && [ "$(sha256sum "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" | cut -f 1 -d ' ')" = "$(grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" tofu_*_SHA256SUMS | cut -f 1 -d ' ')" ] \ && unzip tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip -d /usr/bin/ \ && rm "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" \ && rm "tofu_${TOFU_VERSION}_SHA256SUMS" @@ -235,4 +235,3 @@ ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-} ENV INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false} ENTRYPOINT [ "/entrypoint.sh" ] - diff --git a/README.md b/README.md index afb9387..c5f25a9 100644 --- a/README.md +++ b/README.md @@ -294,7 +294,7 @@ repos: ## Available Hooks -There are several [pre-commit](https://pre-commit.com/) hooks to keep OpenTofu configurations (both `*.tf` and `*.tfvars`) and Terragrunt configurations (`*.hcl`) in a good shape: +There are several [pre-commit](https://pre-commit.com/) hooks to keep OpenTofu configurations (`*.tf`, `*.tofu`, and `*.tfvars`) and Terragrunt configurations (`*.hcl`) in a good shape: | Hook name | Description | Dependencies
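Review bot: The now-quoted comparison in the OpenTofu download step still checks the archive only against `tofu_${TOFU_VERSION}_SHA256SUMS`, which is fetched from the same release location as the zip, so it detects corruption but not a replaced release asset. OpenTofu publishes signature files for the checksum list alongside it; verifying that signature before the `sha256sum` comparison, or comparing against a digest pinned in the Dockerfile, would cover authenticity as well. At minimum I would add `# NOTE: SHA256SUMS comes from the same origin as the archive; this is an integrity check, not an authenticity check` above the `RUN`.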
[Install instructions here](#1-install-dependencies) | @@ -326,6 +326,8 @@ Check the [source file](https://github.com/tofuutils/pre-commit-opentofu/blob/ma OpenTofu operates on a per-dir basis, while `pre-commit` framework only supports files and files that exist. This means if you only remove the TF-related file without any other changes in the same dir, checks will be skipped. Example and details [here](https://github.com/pre-commit/pre-commit/issues/3048). +Hooks match `*.tofu` files where OpenTofu configuration files are supported, but some wrapped third-party tools may lag behind OpenTofu's native `*.tofu` parsing. If a hook runs `terraform-docs`, `tflint`, `tfsec`, `trivy`, `checkov`, `infracost`, or `tfupdate`, make sure the installed tool version supports the file extensions used in your repository. + ### All hooks: Usage of environment variables in `--args` > All, except deprecated hooks: `checkov`, `tofu_docs_replace` @@ -930,7 +932,7 @@ To replicate functionality in `tofu_docs` hook: require_serial: true entry: .generate-providers.sh language: script - files: \.tf(vars)?$ + files: \.(tf|tofu|tfvars)$ pass_filenames: false - repo: https://github.com/pre-commit/pre-commit-hooks diff --git a/hooks/_common.sh b/hooks/_common.sh index 3f4bdc4..5808c19 100644 --- a/hooks/_common.sh +++ b/hooks/_common.sh @@ -123,7 +123,7 @@ function common::parse_and_export_env_vars { # `$arg` will be checked in `if` conditional, `$ARGS` will be used in the next functions. # shellcheck disable=SC2016 # '${' should not be expanded arg=${arg/'${'$env_var_name'}'/$env_var_value} - ARGS[$arg_idx]=$arg + ARGS[arg_idx]=$arg # shellcheck disable=SC2016 # '${' should not be expanded common::colorify "green" 'After ${'"$env_var_name"'} expansion: '"'$arg'\n" continue diff --git a/hooks/terragrunt_validate_inputs.sh b/hooks/terragrunt_validate_inputs.sh index a7b0f78..a406324 100755 --- a/hooks/terragrunt_validate_inputs.sh +++ b/hooks/terragrunt_validate_inputs.sh 
@@ -32,8 +32,8 @@ function normalize_validate_args_for_modern_terragrunt { for arg_idx in "${!ARGS[@]}"; do case "${ARGS[$arg_idx]}" in - --terragrunt-strict-validate|--strict-validate) - ARGS[$arg_idx]="--strict" + --terragrunt-strict-validate | --strict-validate) + ARGS[arg_idx]="--strict" ;; esac done @@ -45,7 +45,7 @@ function terragrunt_version_ge_0_78 { local major local minor - version_raw=$(terragrunt --version 2>/dev/null || true) + version_raw=$(terragrunt --version 2> /dev/null || true) version=$(echo "$version_raw" | sed -E 's/.*v?([0-9]+)\.([0-9]+)\.([0-9]+).*/\1.\2.\3/') if [[ ! $version =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then @@ -109,8 +109,8 @@ function legacy_unit_dirs_from_files { if common::is_hook_run_on_whole_repo "$HOOK_ID" "${FILES[@]}"; then find . -type f -name terragrunt.hcl \ -not -path '*/.terragrunt-cache/*' \ - -not -path '*/.terraform/*' \ - | sort -u | while read -r unit_file; do + -not -path '*/.terraform/*' | + sort -u | while read -r unit_file; do dirname "$unit_file" done return @@ -137,8 +137,8 @@ function legacy_unit_dirs_from_files { if [[ ${#unit_files[@]} -eq 0 ]]; then find . -type f -name terragrunt.hcl \ -not -path '*/.terragrunt-cache/*' \ - -not -path '*/.terraform/*' \ - | sort -u | while read -r unit_file; do + -not -path '*/.terraform/*' | + sort -u | while read -r unit_file; do dirname "$unit_file" done return From ab333d78c6ab3df72f3711ecc9beadb8b39f9462 Mon Sep 17 00:00:00 2001 
From: semantic-release-bot Date: Mon, 25 May 2026 22:53:37 +0000 Subject: [PATCH 23/25] chore(release): version 2.4.0 [skip ci] # [2.4.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.3.0...v2.4.0) (2026-05-25) ### Bug Fixes * expand file extension patterns for tofu hooks ([451aaa5](https://github.com/tofuutils/pre-commit-opentofu/commit/451aaa59b552eb3913629c835af8b6b568aab120)) ### Features * support .tofu file extension and update hooks/tools ([9624cc8](https://github.com/tofuutils/pre-commit-opentofu/commit/9624cc8f24177378449203194b4f0ee71bc6c1a0)) --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c631c8c..847c7e6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,18 @@ All notable changes to this project will be documented in this file. +# [2.4.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.3.0...v2.4.0) (2026-05-25) + + +### Bug Fixes + +* expand file extension patterns for tofu hooks ([451aaa5](https://github.com/tofuutils/pre-commit-opentofu/commit/451aaa59b552eb3913629c835af8b6b568aab120)) + + +### Features + +* support .tofu file extension and update hooks/tools ([9624cc8](https://github.com/tofuutils/pre-commit-opentofu/commit/9624cc8f24177378449203194b4f0ee71bc6c1a0)) + # [2.3.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.2.2...v2.3.0) (2026-04-21) From c9cd4a805d378516a24dac33278fa51deb98bf2e Mon Sep 17 00:00:00 2001 From: Nikolai Mishin Date: Tue, 26 May 2026 23:40:30 +0200 Subject: [PATCH 24/25] fix: Update hadolint installation Signed-off-by: Nikolai Mishin --- .github/workflows/pre-commit.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml index 1e873b6..b0566cf 100644 --- a/.github/workflows/pre-commit.yaml +++ b/.github/workflows/pre-commit.yaml 
@@ -27,9 +27,13 @@ jobs: sudo apt update && sudo apt install shellcheck - name: Install hadolint + env: + GH_TOKEN: ${{ github.token }} run: | - curl -L "$(curl -s https://api.github.com/repos/hadolint/hadolint/releases/latest | grep -o -E -m 1 "https://.+?/hadolint-Linux-x86_64")" > hadolint \ - && chmod +x hadolint && sudo mv hadolint /usr/bin/ + gh release download v2.14.0 --repo hadolint/hadolint --pattern "hadolint-linux-x86_64" + mv hadolint-linux-x86_64 hadolint + chmod +x hadolint + sudo mv hadolint /usr/bin/ # Need to success pre-commit fix push - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: From 3f263a968cd776924c3d1f4981e0fbf1cd79ff4d Mon Sep 17 00:00:00 2001 From: Michael Rosenfeld Date: Tue, 26 May 2026 12:06:07 -0400 Subject: [PATCH 25/25] fix: typo fixes Signed-off-by: Michael Rosenfeld --- CHANGELOG.md | 2 +- README.md | 2 +- lib_getopt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 847c7e6..2112ef2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -48,7 +48,7 @@ All notable changes to this project will be documented in this file. ### Features -* spport .tofu files ([#6](https://github.com/tofuutils/pre-commit-opentofu/issues/6)) ([e059c58](https://github.com/tofuutils/pre-commit-opentofu/commit/e059c5859bceddf1ca018f55851f6940ad51f1c2)) +* support .tofu files ([#6](https://github.com/tofuutils/pre-commit-opentofu/issues/6)) ([e059c58](https://github.com/tofuutils/pre-commit-opentofu/commit/e059c5859bceddf1ca018f55851f6940ad51f1c2)) # [2.0.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.4...v2.0.0) (2024-09-25) diff --git a/README.md b/README.md index c5f25a9..c8434c9 100644 --- a/README.md +++ b/README.md 
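Review bot: The `Install hadolint` step moves the downloaded `hadolint-linux-x86_64` binary into `/usr/bin/` without checking its digest. The tag `v2.14.0` pins a version, but release assets can be replaced by the publisher unless the repository uses immutable releases, so the file is trusted as served. Add a check between the download and the `mv`, for example `echo "<PINNED_SHA256>  hadolint-linux-x86_64" | sha256sum --check --strict`, where `<PINNED_SHA256>` is a placeholder for the expected digest recorded in the workflow.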
@@ -718,7 +718,7 @@ To replicate functionality in `tofu_docs` hook: - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl ``` -3. By default, pre-commit-opentofu performs directory switching into the OpenTofu modules for you. If you want to delgate the directory changing to the binary - this will allow tflint to determine the full paths for error/warning messages, rather than just module relative paths. *Note: this requires `tflint>=0.44.0`.* For example: +3. By default, pre-commit-opentofu performs directory switching into the OpenTofu modules for you. If you want to delegate the directory changing to the binary - this will allow tflint to determine the full paths for error/warning messages, rather than just module relative paths. *Note: this requires `tflint>=0.44.0`.* For example: ```yaml - id: tofu_tflint diff --git a/lib_getopt b/lib_getopt index c4b21fa..74e72f1 100644 --- a/lib_getopt +++ b/lib_getopt @@ -360,7 +360,7 @@ getopt() { } _getopt_resolve_abbrev() { - # Resolves an abbrevation from a list of possibilities. + # Resolves an abbreviation from a list of possibilities. # If the abbreviation is unambiguous, echoes the expansion on stdout # and returns 0. If the abbreviation is ambiguous, prints a message on # stderr and returns 1. (For first parse this should convert to exit