dflook · dflook · May 29, 2025 · Dec 28, 2024 · Mar 29, 2025 · Mar 29, 2025
diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml
@@ -0,0 +1,72 @@
+name: Test OpenTofu early eval
+
+on:
+  - pull_request
+
+permissions:
+  contents: read
+
+jobs:
+  s3-backend:
+    runs-on: ubuntu-24.04
+    name: Plan with early eval
+    permissions:
+      contents: read
+      pull-requests: write
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: tofu plan
+        uses: ./tofu-plan
+        id: plan
+        with:
+          path: tests/workflows/test-early-eval/s3
+          variables: |
+            passphrase = "tofuqwertyuiopasdfgh"
+
+      - name: Verify outputs
+        env:
+          JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }}
+        run: |
+          if [[ ! -f "$JSON_PLAN_PATH" ]]; then
+            echo "::error:: json_plan_path not set correctly"
+            exit 1
+          fi
+
+      - name: tofu apply
+        uses: ./tofu-apply
+        with:
+          path: tests/workflows/test-early-eval/s3
+          variables: |
+            passphrase = "tofuqwertyuiopasdfgh"
+
+      - name: Create workspace
+        uses: ./tofu-new-workspace
+        with:
+          path: tests/workflows/test-early-eval/s3
+          workspace: test-workspace
+          variables: |
+            passphrase = "tofuqwertyuiopasdfgh"
+
+      - name: Create workspace again
+        uses: ./tofu-new-workspace
+        with:
+          path: tests/workflows/test-early-eval/s3
+          workspace: test-workspace
+          variables: |
+            passphrase = "tofuqwertyuiopasdfgh"
+
+      - name: Destroy workspace
+        uses: ./tofu-destroy-workspace
+        with:
+          path: tests/workflows/test-early-eval/s3
+          workspace: test-workspace
+          variables: |
+            passphrase = "tofuqwertyuiopasdfgh"
diff --git a/.github/workflows/test-version.yaml b/.github/workflows/test-version.yaml
@@ -611,7 +611,7 @@ jobs:
         run: |
           echo "The terraform version was $DETECTED_TERRAFORM_VERSION"
 
-          if [[ "$DETECTED_TERRAFORM_VERSION" != *"1.11"* ]]; then
+          if [[ "$DETECTED_TERRAFORM_VERSION" != *"1.12"* ]]; then
             echo "::error:: Latest version was not used"
             exit 1
           fi
@@ -632,7 +632,7 @@ jobs:
         run: |
           echo "The terraform version was $DETECTED_TERRAFORM_VERSION"
 
-          if [[ "$DETECTED_TERRAFORM_VERSION" != *"1.11"* ]]; then
+          if [[ "$DETECTED_TERRAFORM_VERSION" != *"1.12"* ]]; then
             echo "::error:: Latest version was not used"
             exit 1
           fi

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -119,13 +119,6 @@ jobs:
             docs/*.md
             **/README.md
 
-      - name: ensure-sha-pinned-actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@25ed13d0628a1601b4b44048e63cc4328ed03633 # v3
-        with:
-          allowlist: |
-            actions/
-            dflook/
-
       - name: Lint Dockerfile
         uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
         with:

diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,7 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        dflook/terraform-apply: ref-pin
+        dflook/terraform-plan: ref-pin
+        actions/*: ref-pin
diff --git a/docs-gen/action.py b/docs-gen/action.py
@@ -45,6 +45,7 @@ class Input:
     deprecation_message: str = None
     show_in_docs: bool = True
     example: str = None
+    available_in: list[Type[Terraform] | Type[OpenTofu]] = dataclasses.field(default_factory=lambda: [Terraform, OpenTofu])
 
     def markdown(self, tool: Tool) -> str:
         if self.deprecation_message is None:
@@ -226,6 +227,8 @@ def markdown(self, tool: Tool) -> str:
             for input in self.inputs:
                 if not input.show_in_docs:
                     continue
+                if tool not in input.available_in:
+                    continue
                 s += text_chunk(input.markdown(tool))
 
         if self.outputs:
@@ -264,7 +267,7 @@ def action_yaml(self, tool: Tool) -> str:
         if self.inputs:
             s += 'inputs:\n'
 
-        for input in self.inputs:
+        for input in (input for input in self.inputs if tool in input.available_in):
             s += f'  {input.name}:\n'
 
             description = input.meta_description or input.description

diff --git a/docs-gen/actions/destroy_workspace.py b/docs-gen/actions/destroy_workspace.py
@@ -114,4 +114,4 @@
           workspace: ${{ github.head_ref }}
 ```
 '''
-)
+)
diff --git a/docs-gen/actions/fmt.py b/docs-gen/actions/fmt.py
@@ -1,11 +1,13 @@
 import dataclasses
 
-from action import Action
+from action import Action, OpenTofu
 from environment_variables.GITHUB_DOT_COM_TOKEN import GITHUB_DOT_COM_TOKEN
 from environment_variables.TERRAFORM_CLOUD_TOKENS import TERRAFORM_CLOUD_TOKENS
 from inputs.backend_config import backend_config
 from inputs.backend_config_file import backend_config_file
 from inputs.path import path
+from inputs.var_file import var_file
+from inputs.variables import variables
 from inputs.workspace import workspace
 
 fmt = Action(
@@ -20,6 +22,11 @@
             $ProductName workspace to inspect when discovering the $ProductName version to use, if the version is not otherwise specified.
             See [dflook/$ToolName-version](https://github.com/dflook/terraform-github-actions/tree/main/$ToolName-version#$ToolName-version-action) for details.
         '''),
+        dataclasses.replace(variables, available_in=[OpenTofu], description='''
+            Variables to set when initializing $ProductName. This should be valid $ProductName syntax - like a [variable definition file]($VariableDefinitionUrl).
+            Variables set here override any given in `var_file`s.
+        '''),
+        dataclasses.replace(var_file, available_in=[OpenTofu]),
         dataclasses.replace(backend_config, description='''
             List of $ProductName backend config values, one per line. This is used for discovering the $ProductName version to use, if the version is not otherwise specified.
             See [dflook/$ToolName-version](https://github.com/dflook/terraform-github-actions/tree/main/$ToolName-version#$ToolName-version-action) for details.
@@ -70,4 +77,4 @@
           branch: automated-$ToolName-fmt
 ```
 '''
-)
+)
diff --git a/docs-gen/actions/fmt_check.py b/docs-gen/actions/fmt_check.py
@@ -1,11 +1,13 @@
 import dataclasses
 
-from action import Action
+from action import Action, OpenTofu
 from environment_variables.GITHUB_DOT_COM_TOKEN import GITHUB_DOT_COM_TOKEN
 from environment_variables.TERRAFORM_CLOUD_TOKENS import TERRAFORM_CLOUD_TOKENS
 from inputs.backend_config import backend_config
 from inputs.backend_config_file import backend_config_file
 from inputs.path import path
+from inputs.var_file import var_file
+from inputs.variables import variables
 from inputs.workspace import workspace
 from outputs.failure_reason import failure_reason
 
@@ -24,6 +26,11 @@
             $ProductName workspace to inspect when discovering the $ProductName version to use, if the version is not otherwise specified.
             See [dflook/$ToolName-version](https://github.com/dflook/terraform-github-actions/tree/main/$ToolName-version#$ToolName-version-action) for details.
         '''),
+        dataclasses.replace(variables, available_in=[OpenTofu], description='''
+            Variables to set when initializing $ProductName. This should be valid $ProductName syntax - like a [variable definition file]($VariableDefinitionUrl).
+            Variables set here override any given in `var_file`s.
+        '''),
+        dataclasses.replace(var_file, available_in=[OpenTofu]),
         dataclasses.replace(backend_config, description='''
             List of $ProductName backend config values, one per line. This is used for discovering the $ProductName version to use, if the version is not otherwise specified.
             See [dflook/$ToolName-version](https://github.com/dflook/terraform-github-actions/tree/main/$ToolName-version#$ToolName-version-action) for details.
@@ -96,4 +103,4 @@
         run: echo "formatting check failed"
 ```
 '''
-)
+)
diff --git a/docs-gen/actions/new_workspace.py b/docs-gen/actions/new_workspace.py
@@ -1,6 +1,6 @@
 import dataclasses
 
-from action import Action
+from action import Action, OpenTofu
 from environment_variables.GITHUB_DOT_COM_TOKEN import GITHUB_DOT_COM_TOKEN
 from environment_variables.TERRAFORM_CLOUD_TOKENS import TERRAFORM_CLOUD_TOKENS
 from environment_variables.TERRAFORM_HTTP_CREDENTIALS import TERRAFORM_HTTP_CREDENTIALS
@@ -9,6 +9,8 @@
 from inputs.backend_config import backend_config
 from inputs.backend_config_file import backend_config_file
 from inputs.path import path
+from inputs.var_file import var_file
+from inputs.variables import variables
 from inputs.workspace import workspace
 
 new_workspace = Action(
@@ -19,6 +21,12 @@
     inputs=[
         path,
         dataclasses.replace(workspace, description='The name of the $ProductName workspace to create.', required=True, default=None),
+        dataclasses.replace(variables, available_in=[OpenTofu], description='''
+        Variables to set when initializing $ProductName. This should be valid $ProductName syntax - like a [variable definition file]($VariableDefinitionUrl).
+
+        Variables set here override any given in `var_file`s.
+        '''),
+        dataclasses.replace(var_file, available_in=[OpenTofu]),
         backend_config,
         backend_config_file,
     ],
@@ -62,4 +70,4 @@
           auto_approve: true
 ```
 '''
-)
+)
diff --git a/docs-gen/actions/output.py b/docs-gen/actions/output.py
@@ -1,6 +1,6 @@
 import dataclasses
 
-from action import Action
+from action import Action, OpenTofu
 from environment_variables.GITHUB_DOT_COM_TOKEN import GITHUB_DOT_COM_TOKEN
 from environment_variables.TERRAFORM_CLOUD_TOKENS import TERRAFORM_CLOUD_TOKENS
 from environment_variables.TERRAFORM_HTTP_CREDENTIALS import TERRAFORM_HTTP_CREDENTIALS
@@ -9,6 +9,8 @@
 from inputs.backend_config import backend_config
 from inputs.backend_config_file import backend_config_file
 from inputs.path import path
+from inputs.var_file import var_file
+from inputs.variables import variables
 from inputs.workspace import workspace
 from outputs.terraform_outputs import terraform_outputs
 
@@ -20,8 +22,14 @@
     inputs=[
         path,
         dataclasses.replace(workspace, description='$ProductName workspace to get outputs from'),
+        dataclasses.replace(variables, available_in=[OpenTofu], description='''
+            Variables to set when initializing $ProductName. This should be valid $ProductName syntax - like a [variable definition file]($VariableDefinitionUrl).
+
+            Variables set here override any given in `var_file`s.
+        '''),
+        dataclasses.replace(var_file, available_in=[OpenTofu]),
         backend_config,
-        backend_config_file,
+        backend_config_file
     ],
     environment_variables=[
         GITHUB_DOT_COM_TOKEN,
@@ -106,4 +114,4 @@
 The subnet-ids are subnet-053008016a2c1768c,subnet-07d4ce437c43eba2f,subnet-0a5f8c3a20023b8c0
 ```
 '''
-)
+)
-Original file line number
+Diff line change
@@ Expand Up / @@ -114,4 +114,4 @@ @@
               workspace: ${{ github.head_ref }}
     ```
     '''
-    )
+    )