From 26f8224941a304edb7a35bab870b9cfb1ea29bca Mon Sep 17 00:00:00 2001
From: "Rasmus \"Pez\" Wejlgaard"
Date: Fri, 12 Jun 2026 19:25:24 +0100
Subject: [PATCH] make Dependabot tofu validate stubs satisfy provider validators (#132)
---
 .github/workflows/validate-terraform.yml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/validate-terraform.yml b/.github/workflows/validate-terraform.yml
index 6daf4dd..bdda9a8 100644
--- a/.github/workflows/validate-terraform.yml
+++ b/.github/workflows/validate-terraform.yml
@@ -37,9 +37,19 @@ jobs:
 # secrets.yaml is decrypted from SOPS at plan time and can't be
 # produced here, so stub the keys the config reads (kept in sync by
 # deriving them from the actual secrets["..."] references).
+ # Stub values must satisfy provider config validators: hcloud
+ # requires a 64-char token, and Grafana's fleet_management_auth
+ # must look like `username:password`.
+ stub64=$(printf 'stub%.0s' {1..16})
 grep -rhoE 'secrets\["[^"]+"\]' . \
- | sed -E 's/.*secrets\["([^"]+)"\].*/\1: "stub"/' \
- | sort -u > secrets.yaml
+ | sed -E 's/.*secrets\["([^"]+)"\].*/\1/' \
+ | sort -u \
+ | while read -r key; do
+ case "$key" in
+ *_auth) echo "$key: \"stub:stub\"" ;;
+ *) echo "$key: \"$stub64\"" ;;
+ esac
+ done > secrets.yaml
 tofu init -backend=false
 tofu validate
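Review bot: The `case` in the new loop picks the stub shape from the key name alone, so every secret ending in `_auth` gets `stub:stub` and everything else gets the 64-character string, whether or not that matches what the consuming provider validates. A later secret with a different format requirement would fail `tofu validate` on Dependabot PRs with a provider error that does not point back to this table, so I would add a comment above the `*)` arm such as `# default stub; add an arm above when a provider validator rejects it`. Separately, `{1..16}` is a bash brace expansion and the step's `shell:` is not visible in the hunk; under a POSIX `sh` the stub would come out as a single `stub`, which `stub64=$(printf 'stub%.0s' $(seq 1 16))` avoids. The `run:` block starts above the hunk.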