make Dependabot tofu validate stubs satisfy provider validators

The secret-free Dependabot path stubbed every secret as "stub", which
trips provider config validation: hcloud wants a 64-char token and
Grafana wants fleet_management_auth as username:password. So the tofu
plan check went red on every Dependabot PR and I'd merge past it after
checking locally.

Generate stubs that pass the format checks instead - 64 chars for
tokens, stub:stub for *_auth keys. Verified locally: validate fails
with the old stubs (both errors reproduced) and passes with these.
Rasmus Wejlgaard 2026-06-11 18:52:01 +01:00
parent 0a357fc69a
commit 3f284b7112

@ -37,9 +37,19 @@ jobs:
# secrets.yaml is decrypted from SOPS at plan time and can't be # secrets.yaml is decrypted from SOPS at plan time and can't be
# produced here, so stub the keys the config reads (kept in sync by # produced here, so stub the keys the config reads (kept in sync by
# deriving them from the actual secrets["..."] references). # deriving them from the actual secrets["..."] references).
# Stub values must satisfy provider config validators: hcloud
# requires a 64-char token, and Grafana's fleet_management_auth
# must look like `username:password`.
stub64=$(printf 'stub%.0s' {1..16})
grep -rhoE 'secrets\["[^"]+"\]' . \ grep -rhoE 'secrets\["[^"]+"\]' . \
| sed -E 's/.*secrets\["([^"]+)"\].*/\1: "stub"/' \ | sed -E 's/.*secrets\["([^"]+)"\].*/\1/' \
| sort -u > secrets.yaml | sort -u \
| while read -r key; do
case "$key" in
*_auth) echo "$key: \"stub:stub\"" ;;
*) echo "$key: \"$stub64\"" ;;
esac
done > secrets.yaml
tofu init -backend=false tofu init -backend=false
tofu validate tofu validate