diff --git a/.gitlab/README.md.template b/.gitlab/README.md.template
index 7ad5f586c841b512303ca449aa93408cb3a5d9e9..f090138930f7c339d4d73a34478cf7752c21b502 100644
--- a/.gitlab/README.md.template
+++ b/.gitlab/README.md.template
@@ -205,6 +205,21 @@ plan:
     - apk add jq
 ```
 
+### Best Practices
+
+This section is a collection of *some* best practices.
+Feel free to contribute more that generally apply.
+If a best practice really becomes the de-facto standard
+we may make it the default behavior if possible.
+
+#### Lockfile Handling
+
+If you commit the Lockfile (`.terraform.lock.hcl`) to your repository
+we recommend setting either the `TF_INIT_FLAGS` (handled by this component)
+or `TF_CLI_ARGS_init` (handled by OpenTofu directly) to `-lockfile=readonly`
+to prevent any changes to the lockfile during the pipeline job and with
+that ensuring that OpenTofu really uses the locked dependencies.
+
 ## Releases & Versioning
 
 This project currently releases tagged commits.
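Review bot: The new "Lockfile Handling" paragraph names `TF_INIT_FLAGS` and `-lockfile=readonly` but shows no snippet, while the section just above it ends with a YAML example (`- apk add jq`). A short `variables:` example under the paragraph would let readers copy the setting instead of guessing where it goes. The text also says the flag will "prevent any changes to the lockfile" without saying what the job does when the committed `.terraform.lock.hcl` does not match what init needs. Please state whether the job then fails, since that is the behavior people will hit first after enabling it.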
diff --git a/README.md b/README.md
index acb6fdb184cddf00300164594bf19f5dfaee35b0..7255c01a980e14cc64f23c18415199ed51a227e6 100644
--- a/README.md
+++ b/README.md
@@ -230,6 +230,21 @@ plan:
     - apk add jq
 ```
 
+### Best Practices
+
+This section is a collection of *some* best practices.
+Feel free to contribute more that generally apply.
+If a best practice really becomes the de-facto standard
+we may make it the default behavior if possible.
+
+#### Lockfile Handling
+
+If you commit the Lockfile (`.terraform.lock.hcl`) to your repository
+we recommend setting either the `TF_INIT_FLAGS` (handled by this component)
+or `TF_CLI_ARGS_init` (handled by OpenTofu directly) to `-lockfile=readonly`
+to prevent any changes to the lockfile during the pipeline job and with
+that ensuring that OpenTofu really uses the locked dependencies.
+
 ## Releases & Versioning
 
 This project currently releases tagged commits.
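Review bot: In the "Lockfile Handling" paragraph, the "either the `TF_INIT_FLAGS` ... or `TF_CLI_ARGS_init`" wording gives no guidance on which one to pick or what happens if a project already sets one of them for other init flags. Please add a sentence on the preferred variable and on combining `-lockfile=readonly` with existing values. Two wording nits in the same paragraph: "Lockfile" is capitalised in "commit the Lockfile" but lower-case in "changes to the lockfile", and "with that ensuring that OpenTofu really uses the locked dependencies" would read better as "so that OpenTofu uses exactly the locked dependencies". This hunk carries the same text as the one in `.gitlab/README.md.template`, so any rewording needs to land in both files.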