From 451aaa59b552eb3913629c835af8b6b568aab120 Mon Sep 17 00:00:00 2001 From: Michael Rosenfeld Date: Sun, 24 May 2026 21:48:09 -0400 Subject: [PATCH 1/5] fix: expand file extension patterns for tofu hooks Update file matching patterns in .pre-commit-hooks.yaml to support .tofu, .tfvars, and other relevant extensions for OpenTofu workflows. Also clarify log message in tofu_wrapper_module_for_each.sh for missing files. Signed-off-by: Michael Rosenfeld --- .pre-commit-hooks.yaml | 18 +++++++++--------- hooks/tofu_wrapper_module_for_each.sh | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index 8af3d6e..d60a3e5 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml @@ -4,7 +4,7 @@ entry: hooks/infracost_breakdown.sh language: script require_serial: true - files: \.((tf|tofu)(vars)?|hcl)$ + files: \.(tf|tofu|tfvars|hcl)$ exclude: \.terraform\/.*$ - id: tofu_fmt @@ -12,7 +12,7 @@ description: Rewrites all OpenTofu configuration files to a canonical format. entry: hooks/tofu_fmt.sh language: script - files: \.(tf|tofu)(vars)?$ + files: \.(tf|tofu|tfvars|(tftest|tofutest|tfmock|tfquery)\.hcl)$ exclude: \.terraform\/.*$ - id: tofu_docs @@ -23,7 +23,7 @@ require_serial: true entry: hooks/tofu_docs.sh language: script - files: (\.(tf|tofu)|\.terraform\.lock\.hcl)$ + files: \.(tf|tofu|terraform\.lock\.hcl)$ exclude: \.terraform\/.*$ - id: tofu_docs_without_aggregate_type_defaults @@ -52,7 +52,7 @@ require_serial: true entry: hooks/tofu_validate.sh language: script - files: \.(tf|tofu)(vars)?$ + files: \.(tf|tofu|tfvars|terraform\.lock\.hcl)$ exclude: \.terraform\/.*$ - id: tofu_providers_lock @@ -70,7 +70,7 @@ require_serial: true entry: hooks/tofu_tflint.sh language: script - files: \.(tf|tofu)(vars)?$ + files: \.(tf|tofu|tfvars)$ exclude: \.terraform\/.*$ - id: terragrunt_fmt 
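Review bot: The rewritten patterns are narrower than the ones they replace in one respect that the commit message does not mention: `\.(tf|tofu)(vars)?$` also matched a `.tofuvars` suffix, and `\.(tf|tofu|tfvars)$` does not. This applies to the `infracost_breakdown`, `tofu_fmt`, `tofu_validate` and `tofu_tflint` hunks here, and to the `tofu_tfsec` and `tofu_trivy` hunks further down. If that suffix was never meant to be supported this is a harmless tightening, but a one-line comment above the first pattern saying so would keep a later reader from treating it as a regression. The new `tofu_fmt` alternation also lists `tfmock` and `tfquery`; it is worth confirming that the `tofu fmt` version the hook targets accepts those files, since a hook that is handed a file it rejects fails the commit.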
@@ -104,7 +104,7 @@ Static analysis of OpenTofu templates to spot potential security issues. require_serial: true entry: hooks/tofu_tfsec.sh - files: \.(tf|tofu)(vars)?$ + files: \.(tf|tofu|tfvars)$ language: script - id: tofu_trivy @@ -113,7 +113,7 @@ Static analysis of OpenTofu templates to spot potential security issues. require_serial: true entry: hooks/tofu_trivy.sh - files: \.(tf|tofu)(vars)?$ + files: \.(tf|tofu|tfvars)$ language: script - id: checkov @@ -123,7 +123,7 @@ language: python pass_filenames: false always_run: false - files: \.tf$ + files: \.(tf|tofu)$ exclude: \.terraform\/.*$ require_serial: true @@ -145,7 +145,7 @@ pass_filenames: false always_run: false require_serial: true - files: \.tf$ + files: \.(tf|tofu)$ exclude: \.terraform\/.*$ - id: terrascan diff --git a/hooks/tofu_wrapper_module_for_each.sh b/hooks/tofu_wrapper_module_for_each.sh index c87db22..4572b58 100755 --- a/hooks/tofu_wrapper_module_for_each.sh +++ b/hooks/tofu_wrapper_module_for_each.sh @@ -315,7 +315,7 @@ EOF all_tf_content=$(find "${full_module_dir}" -regex '.*\.(tf|tofu)' -maxdepth 1 -type f -exec cat {} +) if [[ ! $all_tf_content ]]; then - common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.(tf|tofu) files." + common::colorify "yellow" "Skipping ${full_module_dir} because there are no .tf or .tofu files." continue fi From 9624cc8f24177378449203194b4f0ee71bc6c1a0 Mon Sep 17 00:00:00 2001 From: Michael Rosenfeld Date: Sun, 24 May 2026 22:01:30 -0400 Subject: [PATCH 2/5] feat: support .tofu file extension and update hooks/tools Add support for the `.tofu` file extension in OpenTofu config matching and documentation. Update pre-commit hooks, regex, and README to reflect support for `.tofu` files alongside `.tf` and `.tfvars`. Fix minor shell quoting and array assignment issues. Upgrade pre-commit-hooks to v6.0.0. 
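Review bot: For `tofu_tfsec`, `tofu_trivy`, `checkov` and the hook changed at `@@ -145`, widening `files:` only makes the hook run when a `.tofu` file changes; it does not make the wrapped scanner read that file. If the installed scanner version ignores `.tofu`, the hook exits clean without having analysed the configuration, and that is indistinguishable from a passing security check. Stating the minimum scanner version in each hook's `description:`, or having the wrapper fail when it is given `.tofu` files the tool cannot parse, would make the gap visible. The two checkov patterns (`\.(tf|tofu)$`) also still omit `tfvars` while tfsec and trivy include it, so with `pass_filenames: false` a change that touches only variable values does not trigger the scan; worth confirming that is intended.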
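Review bot: The `find` on the context line above the reworded message uses `-regex '.*\.(tf|tofu)'` without selecting a regex type, and that expression decides when the skip branch fires. As far as I know GNU find's default syntax treats unescaped `(`, `|` and `)` as literal characters, so unless something outside this hunk changes that, no `.tf` or `.tofu` file matches and every module is reported as skipped. A form that does not depend on the regex dialect is `find "${full_module_dir}" -maxdepth 1 -type f \( -name '*.tf' -o -name '*.tofu' \) -exec cat {} +`, which also puts `-maxdepth` before the tests. The enclosing loop starts and ends outside this hunk.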
Signed-off-by: Michael Rosenfeld --- .github/workflows/build-image.yaml | 1 - .pre-commit-config.yaml | 2 +- Dockerfile | 3 +-- README.md | 6 ++++-- hooks/_common.sh | 2 +- hooks/terragrunt_validate_inputs.sh | 14 +++++++------- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index 3bf9105..a79e218 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -98,4 +98,3 @@ jobs: tags: | registry.hub.docker.com/tofuutils/pre-commit-opentofu:nightly provenance: false - diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 17fc5a6..e801df2 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v6.0.0 hooks: # Git style - id: check-added-large-files diff --git a/Dockerfile b/Dockerfile index 1616bfd..6699cb2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -22,7 +22,7 @@ RUN [ ${PRE_COMMIT_VERSION} = "latest" ] && pip3 install --no-cache-dir pre-comm RUN curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip \ && curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_SHA256SUMS \ - && [ $(sha256sum "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" | cut -f 1 -d ' ') = "$(grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" tofu_*_SHA256SUMS | cut -f 1 -d ' ')" ] \ + && [ "$(sha256sum "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" | cut -f 1 -d ' ')" = "$(grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" tofu_*_SHA256SUMS | cut -f 1 -d ' ')" ] \ && unzip tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip -d /usr/bin/ \ && rm "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" \ && rm "tofu_${TOFU_VERSION}_SHA256SUMS" 
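Review bot: The checksum comparison in this `RUN` only shows that the zip matches a `SHA256SUMS` file fetched from the same release URL in the same step, so it catches a corrupted download but not a replaced release asset. If the release publishes a signature for the checksums file, verifying it before the comparison closes that gap; pinning the expected digest as a build `ARG` is the alternative. Both `curl -LO` calls also lack `--fail`, so an HTTP error body is saved as if it were the artifact; `curl -fLO …` stops the step at the download. With both operands now quoted, two empty results compare equal, so `grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" "tofu_${TOFU_VERSION}_SHA256SUMS" | sha256sum -c -` is a safer form of the check than the string comparison.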
@@ -235,4 +235,3 @@ ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-} ENV INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false} ENTRYPOINT [ "/entrypoint.sh" ] - diff --git a/README.md b/README.md index afb9387..c5f25a9 100644 --- a/README.md +++ b/README.md @@ -294,7 +294,7 @@ repos: ## Available Hooks -There are several [pre-commit](https://pre-commit.com/) hooks to keep OpenTofu configurations (both `*.tf` and `*.tfvars`) and Terragrunt configurations (`*.hcl`) in a good shape: +There are several [pre-commit](https://pre-commit.com/) hooks to keep OpenTofu configurations (`*.tf`, `*.tofu`, and `*.tfvars`) and Terragrunt configurations (`*.hcl`) in a good shape: | Hook name | Description | Dependencies
[Install instructions here](#1-install-dependencies) | @@ -326,6 +326,8 @@ Check the [source file](https://github.com/tofuutils/pre-commit-opentofu/blob/ma OpenTofu operates on a per-dir basis, while `pre-commit` framework only supports files and files that exist. This means if you only remove the TF-related file without any other changes in the same dir, checks will be skipped. Example and details [here](https://github.com/pre-commit/pre-commit/issues/3048). +Hooks match `*.tofu` files where OpenTofu configuration files are supported, but some wrapped third-party tools may lag behind OpenTofu's native `*.tofu` parsing. If a hook runs `terraform-docs`, `tflint`, `tfsec`, `trivy`, `checkov`, `infracost`, or `tfupdate`, make sure the installed tool version supports the file extensions used in your repository. + ### All hooks: Usage of environment variables in `--args` > All, except deprecated hooks: `checkov`, `tofu_docs_replace` @@ -930,7 +932,7 @@ To replicate functionality in `tofu_docs` hook: require_serial: true entry: .generate-providers.sh language: script - files: \.tf(vars)?$ + files: \.(tf|tofu|tfvars)$ pass_filenames: false - repo: https://github.com/pre-commit/pre-commit-hooks diff --git a/hooks/_common.sh b/hooks/_common.sh index 3f4bdc4..5808c19 100644 --- a/hooks/_common.sh +++ b/hooks/_common.sh @@ -123,7 +123,7 @@ function common::parse_and_export_env_vars { # `$arg` will be checked in `if` conditional, `$ARGS` will be used in the next functions. # shellcheck disable=SC2016 # '${' should not be expanded arg=${arg/'${'$env_var_name'}'/$env_var_value} - ARGS[$arg_idx]=$arg + ARGS[arg_idx]=$arg # shellcheck disable=SC2016 # '${' should not be expanded common::colorify "green" 'After ${'"$env_var_name"'} expansion: '"'$arg'\n" continue diff --git a/hooks/terragrunt_validate_inputs.sh b/hooks/terragrunt_validate_inputs.sh index a7b0f78..a406324 100755 --- a/hooks/terragrunt_validate_inputs.sh +++ b/hooks/terragrunt_validate_inputs.sh 
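Review bot: The `common::colorify "green" 'After ${…} expansion: …'` call in the context of the `_common.sh` hunk prints the whole argument after the environment value has been substituted into it. When the variable holds a credential passed through `--args`, that value ends up in hook output and in CI logs. Logging only the variable name keeps the diagnostic without the value, for example `common::colorify "green" 'Expanded ${'"$env_var_name"'} in hook args\n'`. The function starts and ends outside this hunk, so whether the message is gated behind a debug switch is not visible here.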
@@ -32,8 +32,8 @@ function normalize_validate_args_for_modern_terragrunt { for arg_idx in "${!ARGS[@]}"; do case "${ARGS[$arg_idx]}" in - --terragrunt-strict-validate|--strict-validate) - ARGS[$arg_idx]="--strict" + --terragrunt-strict-validate | --strict-validate) + ARGS[arg_idx]="--strict" ;; esac done @@ -45,7 +45,7 @@ function terragrunt_version_ge_0_78 { local major local minor - version_raw=$(terragrunt --version 2>/dev/null || true) + version_raw=$(terragrunt --version 2> /dev/null || true) version=$(echo "$version_raw" | sed -E 's/.*v?([0-9]+)\.([0-9]+)\.([0-9]+).*/\1.\2.\3/') if [[ ! $version =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then @@ -109,8 +109,8 @@ function legacy_unit_dirs_from_files { if common::is_hook_run_on_whole_repo "$HOOK_ID" "${FILES[@]}"; then find . -type f -name terragrunt.hcl \ -not -path '*/.terragrunt-cache/*' \ - -not -path '*/.terraform/*' \ - | sort -u | while read -r unit_file; do + -not -path '*/.terraform/*' | + sort -u | while read -r unit_file; do dirname "$unit_file" done return @@ -137,8 +137,8 @@ function legacy_unit_dirs_from_files { if [[ ${#unit_files[@]} -eq 0 ]]; then find . -type f -name terragrunt.hcl \ -not -path '*/.terragrunt-cache/*' \ - -not -path '*/.terraform/*' \ - | sort -u | while read -r unit_file; do + -not -path '*/.terraform/*' | + sort -u | while read -r unit_file; do dirname "$unit_file" done return From ab333d78c6ab3df72f3711ecc9beadb8b39f9462 Mon Sep 17 00:00:00 2001 
From: semantic-release-bot Date: Mon, 25 May 2026 22:53:37 +0000 Subject: [PATCH 3/5] chore(release): version 2.4.0 [skip ci] # [2.4.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.3.0...v2.4.0) (2026-05-25) ### Bug Fixes * expand file extension patterns for tofu hooks ([451aaa5](https://github.com/tofuutils/pre-commit-opentofu/commit/451aaa59b552eb3913629c835af8b6b568aab120)) ### Features * support .tofu file extension and update hooks/tools ([9624cc8](https://github.com/tofuutils/pre-commit-opentofu/commit/9624cc8f24177378449203194b4f0ee71bc6c1a0)) --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c631c8c..847c7e6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,18 @@ All notable changes to this project will be documented in this file. +# [2.4.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.3.0...v2.4.0) (2026-05-25) + + +### Bug Fixes + +* expand file extension patterns for tofu hooks ([451aaa5](https://github.com/tofuutils/pre-commit-opentofu/commit/451aaa59b552eb3913629c835af8b6b568aab120)) + + +### Features + +* support .tofu file extension and update hooks/tools ([9624cc8](https://github.com/tofuutils/pre-commit-opentofu/commit/9624cc8f24177378449203194b4f0ee71bc6c1a0)) + # [2.3.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.2.2...v2.3.0) (2026-04-21) From c9cd4a805d378516a24dac33278fa51deb98bf2e Mon Sep 17 00:00:00 2001 From: Nikolai Mishin Date: Tue, 26 May 2026 23:40:30 +0200 Subject: [PATCH 4/5] fix: Update hadolint installation Signed-off-by: Nikolai Mishin --- .github/workflows/pre-commit.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml index 1e873b6..b0566cf 100644 --- a/.github/workflows/pre-commit.yaml +++ b/.github/workflows/pre-commit.yaml 
@@ -27,9 +27,13 @@ jobs: sudo apt update && sudo apt install shellcheck - name: Install hadolint + env: + GH_TOKEN: ${{ github.token }} run: | - curl -L "$(curl -s https://api.github.com/repos/hadolint/hadolint/releases/latest | grep -o -E -m 1 "https://.+?/hadolint-Linux-x86_64")" > hadolint \ - && chmod +x hadolint && sudo mv hadolint /usr/bin/ + gh release download v2.14.0 --repo hadolint/hadolint --pattern "hadolint-linux-x86_64" + mv hadolint-linux-x86_64 hadolint + chmod +x hadolint + sudo mv hadolint /usr/bin/ # Need to success pre-commit fix push - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: From 3f263a968cd776924c3d1f4981e0fbf1cd79ff4d Mon Sep 17 00:00:00 2001 From: Michael Rosenfeld Date: Tue, 26 May 2026 12:06:07 -0400 Subject: [PATCH 5/5] fix: typo fixes Signed-off-by: Michael Rosenfeld --- CHANGELOG.md | 2 +- README.md | 2 +- lib_getopt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 847c7e6..2112ef2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -48,7 +48,7 @@ All notable changes to this project will be documented in this file. ### Features -* spport .tofu files ([#6](https://github.com/tofuutils/pre-commit-opentofu/issues/6)) ([e059c58](https://github.com/tofuutils/pre-commit-opentofu/commit/e059c5859bceddf1ca018f55851f6940ad51f1c2)) +* support .tofu files ([#6](https://github.com/tofuutils/pre-commit-opentofu/issues/6)) ([e059c58](https://github.com/tofuutils/pre-commit-opentofu/commit/e059c5859bceddf1ca018f55851f6940ad51f1c2)) # [2.0.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.4...v2.0.0) (2024-09-25) diff --git a/README.md b/README.md index c5f25a9..c8434c9 100644 --- a/README.md +++ b/README.md 
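Review bot: The hadolint binary is now pinned to the `v2.14.0` tag, but nothing checks its content before `sudo mv hadolint /usr/bin/`; a release tag and its assets can be replaced, whereas the `actions/checkout` step just below is pinned to a commit SHA. A digest check between the download and the `chmod` brings this step to the same level: `echo "<EXPECTED_SHA256>  hadolint-linux-x86_64" | sha256sum -c -`, with the placeholder replaced by the digest of the asset that was reviewed. `GH_TOKEN` is the job's `github.token`, and the workflow's `permissions:` block is outside this hunk, so it is worth confirming the token is read-only for this job.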
@@ -718,7 +718,7 @@ To replicate functionality in `tofu_docs` hook: - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl ``` -3. By default, pre-commit-opentofu performs directory switching into the OpenTofu modules for you. If you want to delgate the directory changing to the binary - this will allow tflint to determine the full paths for error/warning messages, rather than just module relative paths. *Note: this requires `tflint>=0.44.0`.* For example: +3. By default, pre-commit-opentofu performs directory switching into the OpenTofu modules for you. If you want to delegate the directory changing to the binary - this will allow tflint to determine the full paths for error/warning messages, rather than just module relative paths. *Note: this requires `tflint>=0.44.0`.* For example: ```yaml - id: tofu_tflint diff --git a/lib_getopt b/lib_getopt index c4b21fa..74e72f1 100644 --- a/lib_getopt +++ b/lib_getopt @@ -360,7 +360,7 @@ getopt() { } _getopt_resolve_abbrev() { - # Resolves an abbrevation from a list of possibilities. + # Resolves an abbreviation from a list of possibilities. # If the abbreviation is unambiguous, echoes the expansion on stdout # and returns 0. If the abbreviation is ambiguous, prints a message on # stderr and returns 1. (For first parse this should convert to exit