.gitlab-ci.yml

@@ -54,10 +54,12 @@ stages:
   - test-integration
   - quality
   - deploy
+  - sign
+  - verify
   - release
   - cleanup
 
-.image-matrix:
+.image-matrix:build:
   parallel:
     matrix:
       - OPENTOFU_VERSION: !reference [.data, supported_versions]
@@ -65,6 +67,36 @@ stages:
           - 'alpine'
           - 'debian'
 
+.image-matrix:deploy:
+  parallel:
+    # OPENTOFU_VERSION: opentofu version to release in the job (from gitlab-opentofu-image:build)
+    # RELEASE_VERSION:  Tag base for the release image
+    # RELEASE_OPENTOFU_VERSION:  opentofu version to contained in the release tag
+    matrix:
+      - # :{commit-tag}-opentofu{opentofu-version}
+        OPENTOFU_VERSION: !reference [.data, supported_versions]
+        RELEASE_VERSION: $CI_COMMIT_TAG
+        RELEASE_OPENTOFU_VERSION: $OPENTOFU_VERSION
+        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']
+      - # :latest-opentofu{opentofu-version}
+        OPENTOFU_VERSION: !reference [.data, supported_versions]
+        RELEASE_VERSION: latest
+        RELEASE_OPENTOFU_VERSION: $OPENTOFU_VERSION
+        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']
+      - # :{commit-tag|latest}{-opentofulatest|}
+        OPENTOFU_VERSION: $LATEST_OPENTOFU_VERSION
+        RELEASE_VERSION: ["${CI_COMMIT_TAG}", latest]
+        RELEASE_OPENTOFU_VERSION: ["", latest]
+        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']
+
+.image-matrix:deploy:release-name-script: &image-matrix-deploy-release-name-script
+  # OCI image tags are not compatible with semver, specifically the build metadata part
+  # indicated with a `+` sign, see https://github.com/distribution/distribution/issues/1201
+  # We use a dash `-` here, instead of the `+`.
+  # This may be problematic, because it indicates a semver prerelease.
+  - export RELEASE_IMAGE_NAME="$CI_REGISTRY_IMAGE/gitlab-opentofu"
+  - export RELEASE_IMAGE="${RELEASE_IMAGE_NAME}:${RELEASE_VERSION}${RELEASE_OPENTOFU_VERSION:+-opentofu$RELEASE_OPENTOFU_VERSION}${RELEASE_BASE_IMAGE_OS:+-$RELEASE_BASE_IMAGE_OS}"
+
 variables:
   # OpenTofu variables
   LATEST_OPENTOFU_VERSION: !reference [.data, latest_version]
@@ -85,10 +117,24 @@ check-semantic-version:
     - echo -n "$CI_COMMIT_TAG" | ./.gitlab/scripts/check-semantic-version.sh
 
 gitlab-opentofu-image:build:
-  extends: .image-matrix
+  extends: '.image-matrix:build'
   stage: build
-  image: quay.io/containers/buildah:v1.37.3
+  image: quay.io/containers/buildah:v1.37.5
   before_script:
+    # Supporting GitLab dependency proxies:
+    # see https://docs.gitlab.com/ee/user/packages/dependency_proxy/
+    - |
+      if [ -n "$CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX" ]; then
+        echo "Detected GitLab Dependency Proxy at '$CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX', configuring it for buildah ..."
+        cat > /etc/containers/registries.conf.d/dependency-proxy.conf <<EOF
+        [[registry]]
+        location = "docker.io"
+        [[registry.mirror]]
+        location = "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}"
+      EOF
+
+        buildah login -u "$CI_DEPENDENCY_PROXY_USER" -p "$CI_DEPENDENCY_PROXY_PASSWORD" "$CI_DEPENDENCY_PROXY_SERVER"
+      fi
     - buildah login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
   script:
     - echo "Building $GITLAB_OPENTOFU_IMAGE_NAME"
@@ -166,52 +212,23 @@ shellcheck:
 #     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 
 .gitlab-opentofu-image:deploy:base:
+  extends: '.image-matrix:deploy'
   stage: deploy
   image:
-    name: gcr.io/go-containerregistry/crane:debug
+    name: alpine/crane:0.20.2
     entrypoint: [""]
   variables:
     GITLAB_OPENTOFU_BASE_IMAGE_OS: $RELEASE_BASE_IMAGE_OS
   before_script:
+    - *image-matrix-deploy-release-name-script
     - crane auth login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
-    # OCI image tags are not compatible with semver, specifically the build metadata part
-    # indicated with a `+` sign, see https://github.com/distribution/distribution/issues/1201
-    # We use a dash `-` here, instead of the `+`.
-    # This may be problematic, because it indicates a semver prerelease.
-    - export RELEASE_IMAGE_NAME="$CI_REGISTRY_IMAGE/gitlab-opentofu"
-    - export RELEASE_IMAGE="${RELEASE_IMAGE_NAME}:${RELEASE_VERSION}${RELEASE_OPENTOFU_VERSION:+-opentofu$RELEASE_OPENTOFU_VERSION}${RELEASE_BASE_IMAGE_OS:+-$RELEASE_BASE_IMAGE_OS}"
     - 'echo "base image OS: $GITLAB_OPENTOFU_BASE_IMAGE_OS"'
     - echo "Deploying $GITLAB_OPENTOFU_IMAGE_NAME as $RELEASE_IMAGE"
-  parallel:
-    # OPENTOFU_VERSION: opentofu version to release in the job (from gitlab-opentofu-image:build)
-    # RELEASE_VERSION:  Tag base for the release image
-    # RELEASE_OPENTOFU_VERSION:  opentofu version to contained in the release tag
-    matrix:
-      - # :{commit-tag}-opentofu{opentofu-version}
-        OPENTOFU_VERSION: !reference [.data, supported_versions]
-        RELEASE_VERSION: $CI_COMMIT_TAG
-        RELEASE_OPENTOFU_VERSION: $OPENTOFU_VERSION
-        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']
-      - # :latest-opentofu{opentofu-version}
-        OPENTOFU_VERSION: !reference [.data, supported_versions]
-        RELEASE_VERSION: latest
-        RELEASE_OPENTOFU_VERSION: $OPENTOFU_VERSION
-        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']
-      - # :{commit-tag|latest}{-opentofulatest|}
-        OPENTOFU_VERSION: $LATEST_OPENTOFU_VERSION
-        RELEASE_VERSION: ["${CI_COMMIT_TAG}", latest]
-        RELEASE_OPENTOFU_VERSION: ["", latest]
-        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']
 
 gitlab-opentofu-image:deploy:
   extends: ['.gitlab-opentofu-image:deploy:base']
   script:
     - crane copy "$GITLAB_OPENTOFU_IMAGE_NAME" "$RELEASE_IMAGE"
-    - export image_digest="$(crane digest $RELEASE_IMAGE)"
-    - 'echo "- \`$RELEASE_IMAGE\` (digest: \`$image_digest\`)" > image$CI_JOB_ID.md'
-  artifacts:
-    paths:
-      - 'image*.md'
   rules:
     - if: $CI_COMMIT_TAG
 
@@ -230,14 +247,57 @@ gitlab-opentofu-image:deploy:dry-run:
         - .gitlab-ci.yml
         - src/**/*
 
+gitlab-opentofu-image:sign:
+  extends: '.image-matrix:deploy'
+  stage: sign
+  image:
+    name: alpine/crane:0.20.2
+    entrypoint: [""]
+  variables:
+    COSIGN_YES: "true"  # Used by Cosign to skip confirmation prompts for non-destructive operations
+  id_tokens:
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
+  before_script:
+    - *image-matrix-deploy-release-name-script
+    - apk add --update cosign
+    - cosign login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
+  script:
+    - cosign sign "$(crane digest --full-ref "$RELEASE_IMAGE")"
+    - export image_digest="$(crane digest $RELEASE_IMAGE)"
+    - 'echo "- \`$RELEASE_IMAGE\` (digest: \`$image_digest\`)" > image$CI_JOB_ID.md'
+  artifacts:
+    paths:
+      - 'image*.md'
+  rules:
+    - if: '$CI_SERVER_FQDN == "gitlab.com" && $CI_COMMIT_TAG'
+
+gitlab-opentofu-image:verify-signature:
+  extends: '.image-matrix:deploy'
+  stage: verify
+  image:
+    name: alpine/crane:0.20.2
+    entrypoint: [""]
+  before_script:
+    - *image-matrix-deploy-release-name-script
+    - apk add --update cosign
+  script:
+    - cosign verify
+      --certificate-identity "$CI_PROJECT_URL//.gitlab-ci.yml@refs/tags/$CI_COMMIT_TAG"
+      --certificate-oidc-issuer "https://gitlab.com"
+      "$RELEASE_IMAGE"
+      "$(crane digest --full-ref "$RELEASE_IMAGE")"
+  rules:
+    - if: '$CI_SERVER_FQDN == "gitlab.com" && $CI_COMMIT_TAG'
+
 .release:base:
   stage: release
-  image: registry.gitlab.com/gitlab-org/release-cli:v0.18.0
+  image: registry.gitlab.com/gitlab-org/release-cli:v0.19.0
   before_script:
     - apk add --update yq envsubst
   script:
     - echo "Creating release $RELEASE_TAG_NAME"
-    - ./.gitlab/scripts/release-notes.sh > release-notes.md
+    - ./.gitlab/scripts/generate-release-notes.sh > release-notes.md
   artifacts:
     paths:
       - images.md
@@ -260,7 +320,7 @@ release:dry-run:
       when: never
     - changes:
         - .gitlab-ci.yml
-        - ./.gitlab/scripts/release-notes.sh
+        - ./.gitlab/scripts/generate-release-notes.sh
         - ./.gitlab/release-notes.md.template
   after_script:
     - cat release-notes.md

.gitlab/README.md.template

@@ -26,7 +26,7 @@ include:
       # The version must currently be specified explicitly as an input,
       # to find the correctly associated images. # This can be removed
       # once https://gitlab.com/gitlab-org/gitlab/-/issues/438275 is solved.
-      version: <VERSION>
+      version: <VERSION> # component version
       opentofu_version: <OPENTOFU_VERSION>
 
 stages: [validate, test, build, deploy, cleanup]
@@ -40,7 +40,7 @@ include:
       # The version must currently be specified explicitly as an input,
       # to find the correctly associated images. # This can be removed
       # once https://gitlab.com/gitlab-org/gitlab/-/issues/438275 is solved.
-      version: <VERSION>
+      version: <VERSION> # component version
       opentofu_version: <OPENTOFU_VERSION>
 
 stages: [validate, build, deploy]
@@ -56,7 +56,7 @@ include:
       # The version must currently be specified explicitly as an input,
       # to find the correctly associated images. # This can be removed
       # once https://gitlab.com/gitlab-org/gitlab/-/issues/438275 is solved.
-      version: 0.10.0
+      version: 0.10.0 # component version
       opentofu_version: 1.6.1
 
 stages: [validate, test, build, deploy, cleanup]
@@ -71,7 +71,7 @@ include:
       # The version must currently be specified explicitly as an input,
       # to find the correctly associated images. # This can be removed
       # once https://gitlab.com/gitlab-org/gitlab/-/issues/438275 is solved.
-      version: latest
+      version: latest # component version
       opentofu_version: 1.6.1
 
 stages: [validate, test, build, deploy, cleanup]
@@ -86,7 +86,7 @@ include:
       # The version must currently be specified explicitly as an input,
       # to find the correctly associated images. # This can be removed
       # once https://gitlab.com/gitlab-org/gitlab/-/issues/438275 is solved.
-      version: <VERSION>
+      version: <VERSION> # component version
       opentofu_version: <OPENTOFU_VERSION>
 
 stages: [...]
@@ -190,18 +190,19 @@ plan:
       - TF_ROOT: prod/
 ```
 
-Have a look at the [`full-pipeline`](templates/full-pipeline.yml) for how it's constructed.
+Have a look at the [`full-pipeline`](templates/job-templates.yml) for how it's constructed.
 
 The following job components exist:
 
-- [`fmt`](templates/fmt.yml)
-- [`validate`](templates/validate.yml)
-- [`test`](templates/test.yml)
-- [`plan`](templates/plan.yml)
-- [`apply`](templates/apply.yml)
-- [`destroy`](templates/destroy.yml)
-- [`delete-state`](templates/delete-state.yml)
-- [`custom-command`](templates/custom-command.yml)
+- [`fmt`](templates/fmt.yml): Check formatting of configuration files.
+- [`validate`](templates/validate.yml): Validate configuration.
+- [`test`](templates/test.yml): Test configuration.
+- [`plan`](templates/plan.yml): Plan an apply or destroy.
+- [`apply`](templates/apply.yml): Apply a configuration.
+- [`destroy`](templates/destroy.yml): Destroy a configuration.
+- [`delete-state`](templates/delete-state.yml): Delete the GitLab-managed Terraform state.
+- [`custom-command`](templates/custom-command.yml): Run a custom OpenTofu command.
+- [`module-release`](templates/module-release.yml): Release an OpenTofu module to the GitLab Terraform Module Registry.
 
 Have a look at the individual template spec to learn about the available inputs.
 
@@ -285,6 +286,14 @@ or `TF_CLI_ARGS_init` (handled by OpenTofu directly) to `-lockfile=readonly`
 to prevent any changes to the lockfile during the pipeline job and with
 that ensuring that OpenTofu really uses the locked dependencies.
 
+### Examples
+
+Here are some example repositories to demonstrate how this component maybe used:
+
+- [timofurrer/opentofu-test](https://gitlab.com/timofurrer/opentofu-test): uses multiple environments configured for different kinds of pipelines with a single branch.
+
+Please contribute your own examples!
+
 ## Releases & Versioning
 
 This project currently releases tagged commits.
@@ -327,6 +336,29 @@ However, we cannot use the alternative `+` which would indicate build metadata
 as we'd like.
 See https://github.com/distribution/distribution/issues/1201*
 
+### Image Signing
+
+Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
+using [`sigstore/cosign`](https://github.com/sigstore/cosign).
+
+You can use the following command to verify the signatures:
+
+```shell
+VERSION=X.Y.Z # put a released components/opentofu version here
+IMAGE_REF=... # put a released components/opentofu image reference here
+cosign verify "${IMAGE_REF}" --certificate-identity="https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/${VERSION}" --certificate-oidc-issuer="https://gitlab.com"
+```
+
+For example, for image ref `registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine` and version `0.34.0`:
+
+```shell
+cosign verify "registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine" \
+    --certificate-identity "https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/0.34.0" \
+    --certificate-oidc-issuer "https://gitlab.com"
+```
+
+For self-managed mirrors the OIDC issuer must be changed, too.
+
 ### Using with Renovate
 
 To keep the component versions up to date you could use [Renovate](https://docs.renovatebot.com/).
@@ -341,6 +373,23 @@ so that the OpenTofu version is raised to a maximum of the version suitable for
   ...
 }
 ```
+
+The above renovate config allows to update the `version` input together with the component include
+version if the `version` input has a `# component version` comment suffix, like so:
+
+```yaml
+include:
+  - component: $CI_SERVER_FQDN/components/opentofu/validate-plan-apply@<VERSION>
+    inputs:
+      # The version must currently be specified explicitly as an input,
+      # to find the correctly associated images. # This can be removed
+      # once https://gitlab.com/gitlab-org/gitlab/-/issues/438275 is solved.
+      version: <VERSION> # component version
+      opentofu_version: <OPENTOFU_VERSION>
+
+stages: [validate, test, build, deploy, cleanup]
+```
+
 (You may need to adjust the path to the `components/opentofu` to match your mirror.)
 Fore more details refer to the [Renovate documentation](https://docs.renovatebot.com/config-presets/).
 
@@ -375,6 +424,10 @@ Some more example configurations for your `renovate.json`:
   },
   ```
 
+**Example Repositories**:
+
+- [timofurrer/opentofu-test](https://gitlab.com/timofurrer/opentofu-test)
+
 ## Usage on self-managed
 
 GitLab CI/CD components are not yet distributed and available on self-managed GitLab instances.
@@ -395,6 +448,11 @@ See also the official GitLab documentation for it
 If you want to save runner resources you may disable the unit and integration tests
 by setting the `SKIP_TESTS` CI/CD variable to `true`.
 
+The pipeline of this component respects the
+[GitLab Dependency Proxy](https://docs.gitlab.com/ee/user/packages/dependency_proxy/) configuration
+by detecting the `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX` environment variable
+and configuring `buildah` to use it when building the container images.
+
 ## Migrating from the Terraform CI/CD templates
 
 When migrating from the GitLab Terraform CI/CD templates you can use the following migration rules:

.gitlab/changelog_config.yml

@@ -11,6 +11,7 @@ categories:
   removed: Removed
   security: Security
   performance: Performance
+  development: Development
   other: Other
 
 tag_regex: '^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<pre>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?P<meta>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$'

.gitlab/release-notes.md.template

 Release $CI_COMMIT_TAG of components repository $CI_PROJECT_PATH.
 
-See the [CHANGELOG](CHANGELOG.md) for what changes happened in this release.
+## Changelog
+
+$CHANGELOG
+
+See the [CHANGELOG.md](CHANGELOG.md) file for the entire history.
 
 ## Usage
 
@@ -13,7 +17,7 @@ include:
       # The version must currently be specified explicitly as an input,
       # to find the correctly associated images. # This can be removed
       # once https://gitlab.com/gitlab-org/gitlab/-/issues/438275 is solved.
-      version: $CI_COMMIT_TAG
+      version: $CI_COMMIT_TAG # component version
       opentofu_version: $LATEST_OPENTOFU_VERSION
 
 stages: [validate, test, build, deploy, cleanup]
@@ -43,6 +47,19 @@ And with the follow base OS images:
 - `alpine`, use `base_os: alpine` input to use it (default).
 - `debian`, use `base_os: debian` input to use it.
 
+The images have been signed with `cosign` and can be verified with the following command:
+
+```shell
+cosign verify \
+  "$CI_REGISTRY_IMAGE/gitlab-opentofu:$CI_COMMIT_TAG-alpine" \
+  --certificate-identity "$CI_PROJECT_URL//.gitlab-ci.yml@refs/tags/$CI_COMMIT_TAG" \
+  --certificate-oidc-issuer "https://gitlab.com"
+```
+
+The `image_digest` input can be used to strictly pull by the image digest.
+The `image_digest` input value needs to have the format of `@<type>:<hash>`
+where `<type>:<hash>` is the `digest` value from the images list above.
+
 > **Note:**
 >
 > When using the component with the inputs `version` and `opentofu_version`,<br>

.gitlab/scripts/generate-readme.sh

+#!/usr/bin/env sh
+
+set -o errexit
+
+script_dir=$(dirname "$0")
+
+csplit -sf readme -n 1 "${script_dir}/../README.md.template" '/<RENDER>/'
+
+# shellcheck disable=SC2016
+{
+  echo '<!-- This document is generated by `make docs` from `.gitlab/README.md` -->'
+  echo
+  cat readme0
+  echo
+  echo '### Available OpenTofu Versions'
+  echo
+  echo 'The following OpenTofu versions are available with this component via the `opentofu_version` input:'
+  echo
+  yq '.".data".supported_versions | .[] | "- [`" + . + "`](https://github.com/opentofu/opentofu/releases/tag/v" + . + ")"' "${script_dir}/../../opentofu_versions.yaml"
+  tail -n+2 readme1
+} > "${script_dir}/../../README.md"
+
+rm -f readme0 readme1 readme_inputs.md

.gitlab/scripts/release-notes.sh → .gitlab/scripts/generate-release-notes.sh

@@ -9,4 +9,7 @@ export AVAILABLE_OPENTOFU_VERSIONS
 AVAILABLE_IMAGES="$(cat image*.md | sort -r | tee images.md | sed -E "s/(\(digest: .*\))/\n  - \1/")"
 export AVAILABLE_IMAGES
 
+CHANGELOG="$(awk '/^## /{i++} i==1 && NR>1' CHANGELOG.md)"
+export CHANGELOG
+
 envsubst < .gitlab/release-notes.md.template

.gitlab/scripts/release.sh

+#!/usr/bin/env bash
+
+set -o errexit
+set -o errtrace
+
+if [ -z "$1" ]; then
+  echo "Error: please provide a version for this release as the first argument." >&2
+  exit 1
+fi
+
+if [ -z "${GITLAB_TOKEN}" ]; then
+  echo "Error: please set the GITLAB_TOKEN environment variable." >&2
+  exit 1
+fi
+
+if [ "main" != "$(git rev-parse --abbrev-ref HEAD)" ]; then
+  echo "Error: please checkout the main branch first: git checkout main." >&2
+  exit 1
+fi
+
+script_dir=$(dirname "$0")
+version="$1"
+
+echo "Verifying release version '${version}' ..."
+echo "${version}" | "${script_dir}/check-semantic-version.sh"
+
+echo "Starting release process for ${version} ..."
+
+echo "Determing last stable version ..."
+last_stable_version_sha="$(git tag | grep -E '^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$' | sort --version-sort --reverse | head -n1 | xargs git rev-list -n1)"
+echo "Using commit '${last_stable_version_sha}' to start the changelog from ..."
+
+echo "Creating changelog ..."
+curl \
+  --fail-with-body \
+  --request POST \
+  --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" \
+  --header 'Content-Type: application/json' \
+  'https://gitlab.com/api/v4/projects/components%2Fopentofu/repository/changelog' \
+  --data "
+  {
+    \"version\": \"${version}\",
+    \"from\": \"${last_stable_version_sha}\",
+    \"message\": \"Add changelog for ${version}\"
+  }"
+
+echo "Pulling changelog ..."
+git pull
+
+echo "Tagging ${version} ..."
+git tag "${version}"
+
+echo "Pushing tag ${version} ..."
+
+git push origin "${version}"
+
+echo "Created tag ${version}, pipeline triggered, release will be available soon!"

CHANGELOG.md

+## 0.38.0 (2024-11-02)
+
+### Fixed (2 changes)
+
+- [Fix job dependency in full-pipeline when using job prefix](https://gitlab.com/components/opentofu/-/commit/ddf4404f2b0c6df799c40c15eabb08aeca623e90)
+- [Fix component version regex in renovate config](https://gitlab.com/components/opentofu/-/commit/879b197004e5d22f57e7f9cc590ba8165f7f2d96)
+
+## 0.37.0-rc7 (2024-10-31)
+
+### Added (4 changes)
+
+- [Support var_file input in all templates](https://gitlab.com/components/opentofu/-/commit/e5efc717c1343000432f0b076933243dc8726770) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/160))
+- [Document renovate usage for version input](https://gitlab.com/components/opentofu/-/commit/4827eb3c8f0a738bed6095f71a080ff4a6888f6b)
+- [Support renovate custom manager for component version annotation](https://gitlab.com/components/opentofu/-/commit/106ada49cf28a34dcda1e6456003fc05b4ad9ac2)
+- [Support unquoted opentofu_version input variables in renovate config](https://gitlab.com/components/opentofu/-/commit/47764fbd6179fb986f4bc0132bacba2208b24757)
+
+### Fixed (1 change)
+
+- [Fix renovate custom manager currentValue delimiters](https://gitlab.com/components/opentofu/-/commit/aadc8ab2c77a0effabfe4143847f52cc2af82a19)
+
+### Development (4 changes)
+
+- [Fix last stable version finding in release script](https://gitlab.com/components/opentofu/-/commit/f5e24ee1c793a9393e5a31b7afb5f8c42f49ddd5)
+- [Use sh in README generation script instead of bash](https://gitlab.com/components/opentofu/-/commit/50b559706ced918875ecd186f440f64ddd8835d1)
+- [Rename release notes generation script](https://gitlab.com/components/opentofu/-/commit/744a6c388e3cdbe1a97c5038d0131b34852feffc)
+- [Outsource README generation script from Makefile into script](https://gitlab.com/components/opentofu/-/commit/b6c567adb188ec34f4a77f234bebbe52493bf3a4)
+
+## 0.37.0-rc6 (2024-10-31)
+
+### Development (4 changes)
+
+- [Fix last stable version finding in release script](https://gitlab.com/components/opentofu/-/commit/f5e24ee1c793a9393e5a31b7afb5f8c42f49ddd5)
+- [Use sh in README generation script instead of bash](https://gitlab.com/components/opentofu/-/commit/50b559706ced918875ecd186f440f64ddd8835d1)
+- [Rename release notes generation script](https://gitlab.com/components/opentofu/-/commit/744a6c388e3cdbe1a97c5038d0131b34852feffc)
+- [Outsource README generation script from Makefile into script](https://gitlab.com/components/opentofu/-/commit/b6c567adb188ec34f4a77f234bebbe52493bf3a4)
+
+## 0.37.0-rc5 (2024-10-31)
+
+No changes.
+
+## 0.37.0-rc4 (2024-10-31)
+
+No changes.
+
+## 0.37.0-rc3 (2024-10-31)
+
+No changes.
+
+## 0.37.0-rc2 (2024-10-31)
+
+No changes.
+
+## 0.37.0-rc1 (2024-10-31)
+
+No changes.
+
+## 0.36.0 (2024-10-31)
+
+No changes.
+
+## 0.35.0-rc6 (2024-10-30)
+
+### Fixed (1 change)
+
+- [Only sign images on GitLab.com](https://gitlab.com/components/opentofu/-/commit/bafd24de55b17039204e9dbf1a6c9cdbb718a009) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/155))
+
+### feature (2 changes)
+
+- [Add support for job name prefix in full-pipeline](https://gitlab.com/components/opentofu/-/commit/72675b768dc3ddf81b0d665e0b5eadbebe10388e) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/153))
+- [Support specifying image digests](https://gitlab.com/components/opentofu/-/commit/e6460418e6f1846f16474f6cadab2b935be556e7) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/152))
+
+## 0.35.0-rc5 (2024-10-30)
+
+### Fixed (1 change)
+
+- [Only sign images on GitLab.com](https://gitlab.com/components/opentofu/-/commit/bafd24de55b17039204e9dbf1a6c9cdbb718a009) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/155))
+
+### feature (2 changes)
+
+- [Add support for job name prefix in full-pipeline](https://gitlab.com/components/opentofu/-/commit/72675b768dc3ddf81b0d665e0b5eadbebe10388e) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/153))
+- [Support specifying image digests](https://gitlab.com/components/opentofu/-/commit/e6460418e6f1846f16474f6cadab2b935be556e7) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/152))
+
+## 0.35.0-rc4 (2024-10-30)
+
+### Fixed (1 change)
+
+- [Only sign images on GitLab.com](https://gitlab.com/components/opentofu/-/commit/bafd24de55b17039204e9dbf1a6c9cdbb718a009) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/155))
+
+### feature (2 changes)
+
+- [Add support for job name prefix in full-pipeline](https://gitlab.com/components/opentofu/-/commit/72675b768dc3ddf81b0d665e0b5eadbebe10388e) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/153))
+- [Support specifying image digests](https://gitlab.com/components/opentofu/-/commit/e6460418e6f1846f16474f6cadab2b935be556e7) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/152))
+
+## 0.35.0-rc3 (2024-10-30)
+
+### Fixed (1 change)
+
+- [Only sign images on GitLab.com](https://gitlab.com/components/opentofu/-/commit/bafd24de55b17039204e9dbf1a6c9cdbb718a009) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/155))
+
+### feature (2 changes)
+
+- [Add support for job name prefix in full-pipeline](https://gitlab.com/components/opentofu/-/commit/72675b768dc3ddf81b0d665e0b5eadbebe10388e) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/153))
+- [Support specifying image digests](https://gitlab.com/components/opentofu/-/commit/e6460418e6f1846f16474f6cadab2b935be556e7) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/152))
+
+## 0.35.0-rc2 (2024-10-30)
+
+### Fixed (1 change)
+
+- [Only sign images on GitLab.com](https://gitlab.com/components/opentofu/-/commit/bafd24de55b17039204e9dbf1a6c9cdbb718a009) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/155))
+
+### feature (2 changes)
+
+- [Add support for job name prefix in full-pipeline](https://gitlab.com/components/opentofu/-/commit/72675b768dc3ddf81b0d665e0b5eadbebe10388e) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/153))
+- [Support specifying image digests](https://gitlab.com/components/opentofu/-/commit/e6460418e6f1846f16474f6cadab2b935be556e7) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/152))
+
+## 0.35.0-rc1 (2024-10-30)
+
+### Fixed (1 change)
+
+- [Only sign images on GitLab.com](https://gitlab.com/components/opentofu/-/commit/bafd24de55b17039204e9dbf1a6c9cdbb718a009) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/155))
+
+### feature (2 changes)
+
+- [Add support for job name prefix in full-pipeline](https://gitlab.com/components/opentofu/-/commit/72675b768dc3ddf81b0d665e0b5eadbebe10388e) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/153))
+- [Support specifying image digests](https://gitlab.com/components/opentofu/-/commit/e6460418e6f1846f16474f6cadab2b935be556e7) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/152))
+
+## 0.34.0-rc1 (2024-10-29)
+
+No changes.
+
+## 0.33.0 (2024-10-28)
+
+### feature (2 changes)
+
+- [Support GitLab dependency proxy when building gitlab-tofu images](https://gitlab.com/components/opentofu/-/commit/6bd8a73fa6c0445ec2cd44ad5bbd715afdd619a0) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/147))
+- [Check for dependencies when running gitlab-tofu](https://gitlab.com/components/opentofu/-/commit/67acb93ba910d879884144e4dc27d2ff2b432dea) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/146))
+
+## 0.32.0 (2024-10-28)
+
+No changes.
+
+## 0.31.0 (2024-10-24)
+
+### Changed (1 change)
+
+- [Improve documentation around module release](https://gitlab.com/components/opentofu/-/commit/1deda55c7f4a12b69b439af0f6d2eec4e9b97783) ([merge request](https://gitlab.com/components/opentofu/-/merge_requests/139))
+
 ## 0.30.0 (2024-10-07)
 
 No changes.

Dockerfile.debian

-ARG BASE_IMAGE=debian:12.7
+ARG BASE_IMAGE=debian:12.7-slim
 
 FROM $BASE_IMAGE
 
@@ -11,6 +11,7 @@ RUN apt-get update && apt-get install -y \
   jq \
   openssh-client \
   unzip \
+  idn2 \
   && rm -rf /var/lib/apt/lists/*
 
 # NOTE: cosign is not yet available in the debian apt sources
@@ -21,7 +22,7 @@ RUN wget https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}
     rm -f /tmp/*.deb
 
 # NOTE: glab is not yet available in the debian apt sources
-ARG GLAB_VERSION=1.47.0
+ARG GLAB_VERSION=1.48.0
 WORKDIR /tmp
 RUN wget https://gitlab.com/gitlab-org/cli/-/releases/v${GLAB_VERSION}/downloads/glab_${GLAB_VERSION}_linux_${TARGETARCH}.deb && \
     dpkg -i *.deb && \

Makefile

+GENERATE_README_SCRIPT ?= ./.gitlab/scripts/generate-readme.sh
+RELEASE_SCRIPT ?= ./.gitlab/scripts/release.sh
+
+.PHONY: all
 all: docs
 
 .PHONY: docs
 docs:
-	csplit -sf readme -n 1 .gitlab/README.md.template '/<RENDER>/'
-	echo '<!-- This document is generated by `make docs` from `.gitlab/README.md` -->' > README.md
-	echo >> README.md
-	cat readme0 >> README.md
-	echo >> README.md
-	echo '### Available OpenTofu Versions' >> README.md
-	echo >> README.md
-	echo 'The following OpenTofu versions are available with this component via the `opentofu_version` input:' >> README.md
-	echo >> README.md
-	yq '.".data".supported_versions | .[] | "- [`" + . + "`](https://github.com/opentofu/opentofu/releases/tag/v" + . + ")"' opentofu_versions.yaml >> README.md
-	tail -n+2 readme1 >> README.md
-	rm -f readme0 readme1 readme_inputs.md
+	$(GENERATE_README_SCRIPT)
 
 .PHONY: release
 release:
-	@[ -n "$(VERSION)" ] || (echo "Please provide a VERSION argument for this release" && false)
-	echo "Starting release process for $(VERSION) ..."
-	@echo "$(VERSION)" | ./.gitlab/scripts/check-semantic-version.sh
-	@[ "main" = "$(shell git rev-parse --abbrev-ref HEAD)" ] || (echo "Please checkout the main branch first: git checkout main" && false)
-	@[ -n "$(GITLAB_TOKEN)" ] || (echo "Please set the GITLAB_TOKEN environment variable" && false)
-	@echo "Creating changelog ..."
-	@curl --fail-with-body --request POST --header "PRIVATE-TOKEN: $(GITLAB_TOKEN)" 'https://gitlab.com/api/v4/projects/components%2Fopentofu/repository/changelog' --data "version=$(VERSION)&message=Add changelog for $(VERSION)"
-	@echo "Pulling changelog ..."
-	@git pull
-	@echo "Tagging $(VERSION) ..."
-	@git tag $(VERSION)
-	@echo "Pushing tag $(VERSION) ..."
-	@git push origin $(VERSION)
-	@echo "Created tag $(VERSION), pipeline triggered, release will be available soon!"
+	$(RELEASE_SCRIPT) $(VERSION)

README.md

@@ -28,7 +28,7 @@ include:
       # The version must currently be specified explicitly as an input,
       # to find the correctly associated images. # This can be removed
       # once https://gitlab.com/gitlab-org/gitlab/-/issues/438275 is solved.
-      version: <VERSION>
+      version: <VERSION> # component version
       opentofu_version: <OPENTOFU_VERSION>
 
 stages: [validate, test, build, deploy, cleanup]
@@ -42,7 +42,7 @@ include:
       # The version must currently be specified explicitly as an input,
       # to find the correctly associated images. # This can be removed
       # once https://gitlab.com/gitlab-org/gitlab/-/issues/438275 is solved.
-      version: <VERSION>
+      version: <VERSION> # component version
       opentofu_version: <OPENTOFU_VERSION>
 
 stages: [validate, build, deploy]
@@ -58,7 +58,7 @@ include:
       # The version must currently be specified explicitly as an input,
       # to find the correctly associated images. # This can be removed
       # once https://gitlab.com/gitlab-org/gitlab/-/issues/438275 is solved.
-      version: 0.10.0
+      version: 0.10.0 # component version
       opentofu_version: 1.6.1
 
 stages: [validate, test, build, deploy, cleanup]
@@ -73,7 +73,7 @@ include:
       # The version must currently be specified explicitly as an input,
       # to find the correctly associated images. # This can be removed
       # once https://gitlab.com/gitlab-org/gitlab/-/issues/438275 is solved.
-      version: latest
+      version: latest # component version
       opentofu_version: 1.6.1
 
 stages: [validate, test, build, deploy, cleanup]
@@ -88,7 +88,7 @@ include:
       # The version must currently be specified explicitly as an input,
       # to find the correctly associated images. # This can be removed
       # once https://gitlab.com/gitlab-org/gitlab/-/issues/438275 is solved.
-      version: <VERSION>
+      version: <VERSION> # component version
       opentofu_version: <OPENTOFU_VERSION>
 
 stages: [...]
@@ -192,18 +192,19 @@ plan:
       - TF_ROOT: prod/
 ```
 
-Have a look at the [`full-pipeline`](templates/full-pipeline.yml) for how it's constructed.
+Have a look at the [`full-pipeline`](templates/job-templates.yml) for how it's constructed.
 
 The following job components exist:
 
-- [`fmt`](templates/fmt.yml)
-- [`validate`](templates/validate.yml)
-- [`test`](templates/test.yml)
-- [`plan`](templates/plan.yml)
-- [`apply`](templates/apply.yml)
-- [`destroy`](templates/destroy.yml)
-- [`delete-state`](templates/delete-state.yml)
-- [`custom-command`](templates/custom-command.yml)
+- [`fmt`](templates/fmt.yml): Check formatting of configuration files.
+- [`validate`](templates/validate.yml): Validate configuration.
+- [`test`](templates/test.yml): Test configuration.
+- [`plan`](templates/plan.yml): Plan an apply or destroy.
+- [`apply`](templates/apply.yml): Apply a configuration.
+- [`destroy`](templates/destroy.yml): Destroy a configuration.
+- [`delete-state`](templates/delete-state.yml): Delete the GitLab-managed Terraform state.
+- [`custom-command`](templates/custom-command.yml): Run a custom OpenTofu command.
+- [`module-release`](templates/module-release.yml): Release an OpenTofu module to the GitLab Terraform Module Registry.
 
 Have a look at the individual template spec to learn about the available inputs.
 
@@ -218,6 +219,7 @@ beautifully renders the inputs for each templates - check it out!
 
 The following OpenTofu versions are available with this component via the `opentofu_version` input:
 
+- [`1.8.4`](https://github.com/opentofu/opentofu/releases/tag/v1.8.4)
 - [`1.8.3`](https://github.com/opentofu/opentofu/releases/tag/v1.8.3)
 - [`1.8.2`](https://github.com/opentofu/opentofu/releases/tag/v1.8.2)
 - [`1.8.1`](https://github.com/opentofu/opentofu/releases/tag/v1.8.1)
@@ -303,6 +305,14 @@ or `TF_CLI_ARGS_init` (handled by OpenTofu directly) to `-lockfile=readonly`
 to prevent any changes to the lockfile during the pipeline job and with
 that ensuring that OpenTofu really uses the locked dependencies.
 
+### Examples
+
+Here are some example repositories to demonstrate how this component maybe used:
+
+- [timofurrer/opentofu-test](https://gitlab.com/timofurrer/opentofu-test): uses multiple environments configured for different kinds of pipelines with a single branch.
+
+Please contribute your own examples!
+
 ## Releases & Versioning
 
 This project currently releases tagged commits.
@@ -345,6 +355,29 @@ However, we cannot use the alternative `+` which would indicate build metadata
 as we'd like.
 See https://github.com/distribution/distribution/issues/1201*
 
+### Image Signing
+
+Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
+using [`sigstore/cosign`](https://github.com/sigstore/cosign).
+
+You can use the following command to verify the signatures:
+
+```shell
+VERSION=X.Y.Z # put a released components/opentofu version here
+IMAGE_REF=... # put a released components/opentofu image reference here
+cosign verify "${IMAGE_REF}" --certificate-identity="https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/${VERSION}" --certificate-oidc-issuer="https://gitlab.com"
+```
+
+For example, for image ref `registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine` and version `0.34.0`:
+
+```shell
+cosign verify "registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine" \
+    --certificate-identity "https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/0.34.0" \
+    --certificate-oidc-issuer "https://gitlab.com"
+```
+
+For self-managed mirrors the OIDC issuer must be changed, too.
+
 ### Using with Renovate
 
 To keep the component versions up to date you could use [Renovate](https://docs.renovatebot.com/).
@@ -359,6 +392,23 @@ so that the OpenTofu version is raised to a maximum of the version suitable for
   ...
 }
 ```
+
+The above renovate config allows to update the `version` input together with the component include
+version if the `version` input has a `# component version` comment suffix, like so:
+
+```yaml
+include:
+  - component: $CI_SERVER_FQDN/components/opentofu/validate-plan-apply@<VERSION>
+    inputs:
+      # The version must currently be specified explicitly as an input,
+      # to find the correctly associated images. # This can be removed
+      # once https://gitlab.com/gitlab-org/gitlab/-/issues/438275 is solved.
+      version: <VERSION> # component version
+      opentofu_version: <OPENTOFU_VERSION>
+
+stages: [validate, test, build, deploy, cleanup]
+```
+
 (You may need to adjust the path to the `components/opentofu` to match your mirror.)
 Fore more details refer to the [Renovate documentation](https://docs.renovatebot.com/config-presets/).
 
@@ -393,6 +443,10 @@ Some more example configurations for your `renovate.json`:
   },
   ```
 
+**Example Repositories**:
+
+- [timofurrer/opentofu-test](https://gitlab.com/timofurrer/opentofu-test)
+
 ## Usage on self-managed
 
 GitLab CI/CD components are not yet distributed and available on self-managed GitLab instances.
@@ -413,6 +467,11 @@ See also the official GitLab documentation for it
 If you want to save runner resources you may disable the unit and integration tests
 by setting the `SKIP_TESTS` CI/CD variable to `true`.
 
+The pipeline of this component respects the
+[GitLab Dependency Proxy](https://docs.gitlab.com/ee/user/packages/dependency_proxy/) configuration
+by detecting the `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX` environment variable
+and configuring `buildah` to use it when building the container images.
+
 ## Migrating from the Terraform CI/CD templates
 
 When migrating from the GitLab Terraform CI/CD templates you can use the following migration rules:

default.json

@@ -12,7 +12,7 @@
                 "templates/**/*.yml",
                 "templates/**/*.yaml"
             ],
-            "allowedVersions": "<=1.8.3"
+            "allowedVersions": "<=1.8.4"
         }
     ],
     "customManagers": [
@@ -23,12 +23,26 @@
                 "templates/.*\\.ya?ml"
             ],
             "matchStrings": [
-                "opentofu_version:\\s*['\"](?<currentValue>[^'\"]+)['\"]"
+                "opentofu_version:\\s*['\"]?(?<currentValue>[^'\"\n]+)['\"]?\n"
             ],
             "datasourceTemplate": "github-releases",
             "depNameTemplate": "opentofu/opentofu",
             "versioningTemplate": "semver",
             "extractVersionTemplate": "^v(?<version>.*)$"
+        },
+        {
+            "customType": "regex",
+            "fileMatch": [
+                "\\.gitlab-ci\\.ya?ml",
+                "templates/.*\\.ya?ml"
+            ],
+            "matchStrings": [
+                "version:\\s*['\"]?(?<currentValue>[^'\"\n\\s]+)['\"]?\\s*# component version\n"
+            ],
+            "datasourceTemplate": "gitlab-releases",
+            "depNameTemplate": "components/opentofu",
+            "versioningTemplate": "semver",
+            "extractVersionTemplate": "^(?<version>.*)$"
         }
     ]
 }

opentofu_versions.yaml

 .data:
-  latest_version: '1.8.3'
+  latest_version: '1.8.4'
   supported_versions: &supported_versions
+    - '1.8.4'
     - '1.8.3'
     - '1.8.2'
     - '1.8.1'

src/gitlab-tofu.sh

-#!/bin/sh -e
-
-# ATTENTION: this script is yet JUST A COPY of https://gitlab.com/gitlab-org/terraform-images/-/blob/master/src/bin/gitlab-terraform.sh
-#            with some VERY MINIMAL MODIFICATIONS.
-#            It definitely needs cleanup in the future.
+#!/usr/bin/env sh
 
+# set some shell options
+set -o errexit
+ 
 if [ "${DEBUG_OUTPUT}" = "true" ]; then
-    set -x
+    set -o xtrace
 fi
 
 # Feature Flags
@@ -37,6 +36,29 @@ else # All other shells: examine $0 for known shell binary filenames.
   case ${0##*/} in sh|-sh|dash|-dash) sourced=1;; esac
 fi
 
+# Dependencies
+# ============
+# Defines all the external dependencies and checks if they exist, if not, abort with an error.
+dependencies="dirname basename pwd sed idn2 jq tofu"
+
+if [ -n "$ZSH_VERSION" ]; then
+  # ZSH is the only supported SHELL that does not split by word by default,
+  # so we set this option to actually do it.
+  setopt sh_word_split
+fi
+
+for dep in $dependencies; do
+  if ! command -v "$dep" >/dev/null 2>&1; then
+    echo "Error: gitlab-tofu is missing dependency: '$dep'" >&2
+    exit 1
+  fi
+done
+
+if [ -n "$ZSH_VERSION" ]; then
+  # see comment above when setting sh_word_split.
+  unsetopt sh_word_split
+fi
+
 JQ_PLAN='
   (
     [.resource_changes[]?.change.actions?] | flatten
@@ -182,6 +204,11 @@ if [ $sourced -eq 0 ]; then
   # Authenticate to private registry
   terraform_authenticate_private_registry
 
+  var_file_args=""
+  if [ -n "${OPENTOFU_COMPONENT_VAR_FILE}" ]; then
+    var_file_args="--var-file=${OPENTOFU_COMPONENT_VAR_FILE}"
+  fi
+
   case "${1}" in
     "apply")
       auto_approve_args=""
@@ -193,7 +220,8 @@ if [ $sourced -eq 0 ]; then
       if [ "$TF_APPLY_NO_PLAN" = false ]; then
         tofu "${TF_CHDIR_OPT}" "${@}" -input=false "${auto_approve_args}" "${TF_PLAN_CACHE}"
       else
-        tofu "${TF_CHDIR_OPT}" "${@}" -input=false "${auto_approve_args}"
+        # shellcheck disable=SC2086
+        tofu "${TF_CHDIR_OPT}" "${@}" -input=false "${auto_approve_args}" ${var_file_args}
       fi
     ;;
     "destroy")
@@ -210,7 +238,8 @@ if [ $sourced -eq 0 ]; then
     ;;
     "plan")
       $TF_IMPLICIT_INIT && terraform_init
-      tofu "${TF_CHDIR_OPT}" "${@}" -input=false -out="${TF_PLAN_CACHE}"
+      # shellcheck disable=SC2086
+      tofu "${TF_CHDIR_OPT}" "${@}" -input=false -out="${TF_PLAN_CACHE}" ${var_file_args}
     ;;
     "plan-json")
       tofu "${TF_CHDIR_OPT}" show -json "${TF_PLAN_CACHE}" | \
@@ -219,15 +248,18 @@ if [ $sourced -eq 0 ]; then
     ;;
     "validate")
       $TF_IMPLICIT_INIT && terraform_init -backend=false
-      tofu "${TF_CHDIR_OPT}" "${@}"
+      # shellcheck disable=SC2086
+      tofu "${TF_CHDIR_OPT}" "${@}" ${var_file_args}
     ;;
     "test")
       $TF_IMPLICIT_INIT && terraform_init -backend=false
-      tofu "${TF_CHDIR_OPT}" "${@}"
+      # shellcheck disable=SC2086
+      tofu "${TF_CHDIR_OPT}" "${@}" ${var_file_args}
     ;;
     "graph")
       $TF_IMPLICIT_INIT && terraform_init
-      tofu "${TF_CHDIR_OPT}" "${@}"
+      # shellcheck disable=SC2086
+      tofu "${TF_CHDIR_OPT}" "${@}" ${var_file_args}
     ;;
     --)
       shift

templates/apply.yml

@@ -24,8 +24,9 @@ spec:
       description: 'Base OS of GitLab OpenTofu image.'
 
     opentofu_version:
-      default: '1.8.3'
+      default: '1.8.4'
       options:
+        - '1.8.4'
         - '1.8.3'
         - '1.8.2'
         - '1.8.1'
@@ -57,6 +58,14 @@ spec:
       default: 'gitlab-opentofu'
       description: 'Image name for the job images. Hosted under `image_registry_base`.'
 
+    image_digest:
+      default: ''
+      # FIXME: we cannot use regex yet because of a bug that rejects
+      # empty strings from ever being checked against the regex.
+      # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707
+      # regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
     # Configuration
     root_dir:
       default: ${CI_PROJECT_DIR}
@@ -75,6 +84,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether the apply job is manual or automatically run.'
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir. Only used if no_plan is true otherwise the variables are coming from the plan.'
 
 ---
 
@@ -99,7 +112,8 @@ spec:
     TF_STATE_NAME: $[[ inputs.state_name ]]
     TF_APPLY_NO_PLAN: $[[ inputs.no_plan ]]
     TF_PLAN_NAME: $[[ inputs.plan_name ]]
+    OPENTOFU_COMPONENT_VAR_FILE: '$[[ inputs.var_file ]]'
   image:
-    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]'
+    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]$[[ inputs.image_digest ]]'
   script:
     - gitlab-tofu apply

templates/custom-command.yml

@@ -24,8 +24,9 @@ spec:
       description: 'Base OS of GitLab OpenTofu image.'
 
     opentofu_version:
-      default: '1.8.3'
+      default: '1.8.4'
       options:
+        - '1.8.4'
         - '1.8.3'
         - '1.8.2'
         - '1.8.1'
@@ -57,6 +58,14 @@ spec:
       default: 'gitlab-opentofu'
       description: 'Image name for the job images. Hosted under `image_registry_base`.'
 
+    image_digest:
+      default: ''
+      # FIXME: we cannot use regex yet because of a bug that rejects
+      # empty strings from ever being checked against the regex.
+      # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707
+      # regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
     # Configuration
     root_dir:
       default: ${CI_PROJECT_DIR}
@@ -79,7 +88,7 @@ spec:
     __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]"
     TF_ROOT: $[[ inputs.root_dir ]]
   image:
-    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]'
+    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
   script:
     - gitlab-tofu $[[ inputs.command ]]
 

templates/destroy.yml

@@ -24,8 +24,9 @@ spec:
       description: 'Base OS of GitLab OpenTofu image.'
 
     opentofu_version:
-      default: '1.8.3'
+      default: '1.8.4'
       options:
+        - '1.8.4'
         - '1.8.3'
         - '1.8.2'
         - '1.8.1'
@@ -57,6 +58,14 @@ spec:
       default: 'gitlab-opentofu'
       description: 'Image name for the job images. Hosted under `image_registry_base`.'
 
+    image_digest:
+      default: ''
+      # FIXME: we cannot use regex yet because of a bug that rejects
+      # empty strings from ever being checked against the regex.
+      # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707
+      # regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
     # Configuration
     root_dir:
       default: ${CI_PROJECT_DIR}
@@ -75,6 +84,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether the destroy job is manual or automatically run.'
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir. Only used if no_plan is true otherwise the variables are coming from the plan.'
 
 ---
 
@@ -98,7 +111,8 @@ spec:
     TF_STATE_NAME: $[[ inputs.state_name ]]
     TF_APPLY_NO_PLAN: $[[ inputs.no_plan ]]
     TF_PLAN_NAME: $[[ inputs.plan_name ]]
+    OPENTOFU_COMPONENT_VAR_FILE: '$[[ inputs.var_file ]]'
   image:
-    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]'
+    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
   script:
     - gitlab-tofu apply -destroy

templates/fmt.yml

@@ -24,8 +24,9 @@ spec:
       description: 'Base OS of GitLab OpenTofu image.'
 
     opentofu_version:
-      default: '1.8.3'
+      default: '1.8.4'
       options:
+        - '1.8.4'
         - '1.8.3'
         - '1.8.2'
         - '1.8.1'
@@ -57,6 +58,14 @@ spec:
       default: 'gitlab-opentofu'
       description: 'Image name for the job images. Hosted under `image_registry_base`.'
 
+    image_digest:
+      default: ''
+      # FIXME: we cannot use regex yet because of a bug that rejects
+      # empty strings from ever being checked against the regex.
+      # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707
+      # regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
     # Configuration
     root_dir:
       default: ${CI_PROJECT_DIR}
@@ -87,6 +96,6 @@ spec:
     __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]"
     TF_ROOT: $[[ inputs.root_dir ]]
   image:
-    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]'
+    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
   script:
     - gitlab-tofu fmt

templates/full-pipeline.yml

@@ -33,8 +33,9 @@ spec:
       description: 'Base OS of GitLab OpenTofu image.'
 
     opentofu_version:
-      default: '1.8.3'
+      default: '1.8.4'
       options:
+        - '1.8.4'
         - '1.8.3'
         - '1.8.2'
         - '1.8.1'
@@ -66,7 +67,18 @@ spec:
       default: 'gitlab-opentofu'
       description: 'Image name for the job images. Hosted under `image_registry_base`.'
 
+    image_digest:
+      default: ''
+      # FIXME: we cannot use regex yet because of a bug that rejects
+      # empty strings from ever being checked against the regex.
+      # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707
+      # regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
     # Configuration
+    job_name_prefix:
+      default: ''
+      description: 'Prefix for all job names. Jobs will be hidden if leading with a dot `.`.'
     root_dir:
       default: ${CI_PROJECT_DIR}
       description: 'Root directory for the OpenTofu project.'
@@ -84,87 +96,102 @@ spec:
     plan_artifacts_access:
       default: 'none'
       description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir.'
 
 ---
 
 include:
   - local: '/templates/fmt.yml'
     inputs:
-      as: 'fmt'
+      as: '$[[ inputs.job_name_prefix ]]fmt'
       stage: $[[ inputs.stage_validate ]]
       version: $[[ inputs.version ]]
       base_os: $[[ inputs.base_os ]]
       opentofu_version: $[[ inputs.opentofu_version ]]
       image_registry_base: $[[ inputs.image_registry_base ]]
       image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
       root_dir: $[[ inputs.root_dir ]]
   - local: '/templates/validate.yml'
     inputs:
-      as: 'validate'
+      as: '$[[ inputs.job_name_prefix ]]validate'
       stage: $[[ inputs.stage_validate ]]
       version: $[[ inputs.version ]]
       base_os: $[[ inputs.base_os ]]
       opentofu_version: $[[ inputs.opentofu_version ]]
       image_registry_base: $[[ inputs.image_registry_base ]]
       image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/test.yml'
     inputs:
-      as: 'test'
+      as: '$[[ inputs.job_name_prefix ]]test'
       stage: $[[ inputs.stage_test ]]
       version: $[[ inputs.version ]]
       base_os: $[[ inputs.base_os ]]
       opentofu_version: $[[ inputs.opentofu_version ]]
       image_registry_base: $[[ inputs.image_registry_base ]]
       image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      var_file: $[[ inputs.var_file ]]
     rules:
       - exists:
           - $[[ inputs.root_dir ]]/**/*.tftest.hcl
   - local: '/templates/plan.yml'
     inputs:
-      as: 'plan'
+      as: '$[[ inputs.job_name_prefix ]]plan'
       stage: $[[ inputs.stage_build ]]
       version: $[[ inputs.version ]]
       base_os: $[[ inputs.base_os ]]
       opentofu_version: $[[ inputs.opentofu_version ]]
       image_registry_base: $[[ inputs.image_registry_base ]]
       image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       artifacts_access: $[[ inputs.plan_artifacts_access ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/apply.yml'
     inputs:
-      as: 'apply'
+      as: '$[[ inputs.job_name_prefix ]]apply'
       stage: $[[ inputs.stage_deploy ]]
       version: $[[ inputs.version ]]
       base_os: $[[ inputs.base_os ]]
       opentofu_version: $[[ inputs.opentofu_version ]]
       image_registry_base: $[[ inputs.image_registry_base ]]
       image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       auto_apply: $[[ inputs.auto_apply ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/destroy.yml'
     inputs:
-      as: 'destroy'
+      as: '$[[ inputs.job_name_prefix ]]destroy'
       stage: $[[ inputs.stage_cleanup ]]
       version: $[[ inputs.version ]]
       base_os: $[[ inputs.base_os ]]
       opentofu_version: $[[ inputs.opentofu_version ]]
       image_registry_base: $[[ inputs.image_registry_base ]]
       image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       auto_destroy: $[[ inputs.auto_destroy ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/delete-state.yml'
     inputs:
-      as: 'delete-state'
+      as: '$[[ inputs.job_name_prefix ]]delete-state'
       stage: $[[ inputs.stage_cleanup ]]
       state_name: $[[ inputs.state_name ]]
 
 # NOTE: we have to define this `needs` here, because inputs don't support arrays, yet.
-delete-state:
-  needs: [destroy]
+$[[ inputs.job_name_prefix ]]delete-state:
+  needs: ['$[[ inputs.job_name_prefix ]]destroy']

templates/graph.yml

@@ -24,8 +24,9 @@ spec:
       description: 'Base OS of GitLab OpenTofu image.'
 
     opentofu_version:
-      default: '1.8.3'
+      default: '1.8.4'
       options:
+        - '1.8.4'
         - '1.8.3'
         - '1.8.2'
         - '1.8.1'
@@ -57,6 +58,14 @@ spec:
       default: 'gitlab-opentofu'
       description: 'Image name for the job images. Hosted under `image_registry_base`.'
 
+    image_digest:
+      default: ''
+      # FIXME: we cannot use regex yet because of a bug that rejects
+      # empty strings from ever being checked against the regex.
+      # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707
+      # regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
     # Configuration
     root_dir:
       default: ${CI_PROJECT_DIR}
@@ -69,6 +78,10 @@ spec:
       description: |
         Name of the graph file that should be generated.
         It will be uploaded as an artifact.
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir.'
 
 ---
 
@@ -84,8 +97,9 @@ spec:
     __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]"
     TF_ROOT: $[[ inputs.root_dir ]]
     TF_STATE_NAME: $[[ inputs.state_name ]]
+    OPENTOFU_COMPONENT_VAR_FILE: '$[[ inputs.var_file ]]'
   image:
-    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]'
+    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
   script:
     - gitlab-tofu graph > "$[[ inputs.graph_file ]]"
   artifacts: