Use early variables for additional commands

Use early variables for:
- tofu workspace
- tofu show
- tofu validate
- tofu init, even when the backend is not needed

Author: dflook

.github/workflows/test-early-eval.yaml

@@ -10,9 +10,13 @@ jobs:
   s3-backend:
     runs-on: ubuntu-24.04
     name: Plan with early eval
+    permissions:
+      contents: read
+      pull-requests: write
     env:
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -21,9 +25,25 @@ jobs:
 
       - name: tofu plan
         uses: ./tofu-plan
+        id: plan
+        with:
+          path: tests/workflows/test-early-eval/s3
+          variables: |
+            passphrase = "tofuqwertyuiopasdfgh"
+
+      - name: Verify outputs
+        env:
+          JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }}
+        run: |
+          if [[ ! -f "$JSON_PLAN_PATH" ]]; then
+            echo "::error:: json_plan_path not set correctly"
+            exit 1
+          fi
+
+      - name: tofu apply
+        uses: ./tofu-apply
         with:
           path: tests/workflows/test-early-eval/s3
-          add_github_comment: false
           variables: |
             passphrase = "tofuqwertyuiopasdfgh"
 

.github/workflows/test-version.yaml

@@ -611,7 +611,7 @@ jobs:
         run: |
           echo "The terraform version was $DETECTED_TERRAFORM_VERSION"
 
-          if [[ "$DETECTED_TERRAFORM_VERSION" != *"1.11"* ]]; then
+          if [[ "$DETECTED_TERRAFORM_VERSION" != *"1.12"* ]]; then
             echo "::error:: Latest version was not used"
             exit 1
           fi
@@ -632,7 +632,7 @@ jobs:
         run: |
           echo "The terraform version was $DETECTED_TERRAFORM_VERSION"
 
-          if [[ "$DETECTED_TERRAFORM_VERSION" != *"1.11"* ]]; then
+          if [[ "$DETECTED_TERRAFORM_VERSION" != *"1.12"* ]]; then
             echo "::error:: Latest version was not used"
             exit 1
           fi

.github/workflows/test.yaml

@@ -119,13 +119,6 @@ jobs:
             docs/*.md
             **/README.md
 
-      - name: ensure-sha-pinned-actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@25ed13d0628a1601b4b44048e63cc4328ed03633 # v3
-        with:
-          allowlist: |
-            actions/
-            dflook/
-
       - name: Lint Dockerfile
         uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
         with:

.github/zizmor.yml

@@ -0,0 +1,7 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        dflook/terraform-apply: ref-pin
+        dflook/terraform-plan: ref-pin
+        actions/*: ref-pin

docs-gen/actions/fmt.py

@@ -1,11 +1,13 @@
 import dataclasses
 
-from action import Action
+from action import Action, OpenTofu
 from environment_variables.GITHUB_DOT_COM_TOKEN import GITHUB_DOT_COM_TOKEN
 from environment_variables.TERRAFORM_CLOUD_TOKENS import TERRAFORM_CLOUD_TOKENS
 from inputs.backend_config import backend_config
 from inputs.backend_config_file import backend_config_file
 from inputs.path import path
+from inputs.var_file import var_file
+from inputs.variables import variables
 from inputs.workspace import workspace
 
 fmt = Action(
@@ -20,6 +22,11 @@
             $ProductName workspace to inspect when discovering the $ProductName version to use, if the version is not otherwise specified.
             See [dflook/$ToolName-version](https://github.com/dflook/terraform-github-actions/tree/main/$ToolName-version#$ToolName-version-action) for details.
         '''),
+        dataclasses.replace(variables, available_in=[OpenTofu], description='''
+            Variables to set when initializing $ProductName. This should be valid $ProductName syntax - like a [variable definition file]($VariableDefinitionUrl).
+            Variables set here override any given in `var_file`s.
+        '''),
+        dataclasses.replace(var_file, available_in=[OpenTofu]),
         dataclasses.replace(backend_config, description='''
             List of $ProductName backend config values, one per line. This is used for discovering the $ProductName version to use, if the version is not otherwise specified.
             See [dflook/$ToolName-version](https://github.com/dflook/terraform-github-actions/tree/main/$ToolName-version#$ToolName-version-action) for details.
@@ -70,4 +77,4 @@
           branch: automated-$ToolName-fmt
 ```
 '''
-)
+)

docs-gen/actions/fmt_check.py

@@ -1,11 +1,13 @@
 import dataclasses
 
-from action import Action
+from action import Action, OpenTofu
 from environment_variables.GITHUB_DOT_COM_TOKEN import GITHUB_DOT_COM_TOKEN
 from environment_variables.TERRAFORM_CLOUD_TOKENS import TERRAFORM_CLOUD_TOKENS
 from inputs.backend_config import backend_config
 from inputs.backend_config_file import backend_config_file
 from inputs.path import path
+from inputs.var_file import var_file
+from inputs.variables import variables
 from inputs.workspace import workspace
 from outputs.failure_reason import failure_reason
 
@@ -24,6 +26,11 @@
             $ProductName workspace to inspect when discovering the $ProductName version to use, if the version is not otherwise specified.
             See [dflook/$ToolName-version](https://github.com/dflook/terraform-github-actions/tree/main/$ToolName-version#$ToolName-version-action) for details.
         '''),
+        dataclasses.replace(variables, available_in=[OpenTofu], description='''
+            Variables to set when initializing $ProductName. This should be valid $ProductName syntax - like a [variable definition file]($VariableDefinitionUrl).
+            Variables set here override any given in `var_file`s.
+        '''),
+        dataclasses.replace(var_file, available_in=[OpenTofu]),
         dataclasses.replace(backend_config, description='''
             List of $ProductName backend config values, one per line. This is used for discovering the $ProductName version to use, if the version is not otherwise specified.
             See [dflook/$ToolName-version](https://github.com/dflook/terraform-github-actions/tree/main/$ToolName-version#$ToolName-version-action) for details.
@@ -96,4 +103,4 @@
         run: echo "formatting check failed"
 ```
 '''
-)
+)

docs-gen/actions/new_workspace.py

@@ -21,11 +21,11 @@
     inputs=[
         path,
         dataclasses.replace(workspace, description='The name of the $ProductName workspace to create.', required=True, default=None),
-        dataclasses.replace(variables, description='''
+        dataclasses.replace(variables, available_in=[OpenTofu], description='''
         Variables to set when initializing $ProductName. This should be valid $ProductName syntax - like a [variable definition file]($VariableDefinitionUrl).
 
         Variables set here override any given in `var_file`s.
-        ''', available_in=[OpenTofu]),
+        '''),
         dataclasses.replace(var_file, available_in=[OpenTofu]),
         backend_config,
         backend_config_file,

docs-gen/actions/output.py

@@ -1,6 +1,6 @@
 import dataclasses
 
-from action import Action
+from action import Action, OpenTofu
 from environment_variables.GITHUB_DOT_COM_TOKEN import GITHUB_DOT_COM_TOKEN
 from environment_variables.TERRAFORM_CLOUD_TOKENS import TERRAFORM_CLOUD_TOKENS
 from environment_variables.TERRAFORM_HTTP_CREDENTIALS import TERRAFORM_HTTP_CREDENTIALS
@@ -9,6 +9,8 @@
 from inputs.backend_config import backend_config
 from inputs.backend_config_file import backend_config_file
 from inputs.path import path
+from inputs.var_file import var_file
+from inputs.variables import variables
 from inputs.workspace import workspace
 from outputs.terraform_outputs import terraform_outputs
 
@@ -20,8 +22,14 @@
     inputs=[
         path,
         dataclasses.replace(workspace, description='$ProductName workspace to get outputs from'),
+        dataclasses.replace(variables, available_in=[OpenTofu], description='''
+            Variables to set when initializing $ProductName. This should be valid $ProductName syntax - like a [variable definition file]($VariableDefinitionUrl).
+
+            Variables set here override any given in `var_file`s.
+        '''),
+        dataclasses.replace(var_file, available_in=[OpenTofu]),
         backend_config,
-        backend_config_file,
+        backend_config_file
     ],
     environment_variables=[
         GITHUB_DOT_COM_TOKEN,
@@ -106,4 +114,4 @@
 The subnet-ids are subnet-053008016a2c1768c,subnet-07d4ce437c43eba2f,subnet-0a5f8c3a20023b8c0
 ```
 '''
-)
+)