From e317401e6b3d8cb1b3b7f8f341eb6d3ab046961a Mon Sep 17 00:00:00 2001
From: Timo Furrer <tfurrer@gitlab.com>
Date: Tue, 14 May 2024 07:25:24 +0200
Subject: [PATCH] Document best practice for lockfile handling

This change set documents a best practice for how to configure the
component when a lockfile is being used.

Closes https://gitlab.com/components/opentofu/-/issues/38

Changelog: added
---
 .gitlab/README.md.template | 15 +++++++++++++++
 README.md                  | 15 +++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/.gitlab/README.md.template b/.gitlab/README.md.template
index 7ad5f58..f090138 100644
--- a/.gitlab/README.md.template
+++ b/.gitlab/README.md.template
@@ -205,6 +205,21 @@ plan:
     - apk add jq
 ```
 
+### Best Practices
+
+This section is a collection of *some* best practices.
+Feel free to contribute more that generally apply.
+If a best practice really becomes the de-facto standard
+we may make it the default behavior if possible.
+
+#### Lockfile Handling
+
+If you commit the Lockfile (`.terraform.lock.hcl`) to your repository
+we recommend setting either the `TF_INIT_FLAGS` (handled by this component)
+or `TF_CLI_ARGS_init` (handled by OpenTofu directly) to `-lockfile=readonly`
+to prevent any changes to the lockfile during the pipeline job and with
+that ensuring that OpenTofu really uses the locked dependencies.
+
 ## Releases & Versioning
 
 This project currently releases tagged commits.
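Review bot: In the "Lockfile Handling" paragraph, "setting either the `TF_INIT_FLAGS` ... or `TF_CLI_ARGS_init` ... to `-lockfile=readonly`" reads as if the variable should hold only that flag, which would mislead anyone who already passes other init flags through it. Consider wording it as "add `-lockfile=readonly` to", and follow the paragraph with a short `variables:` snippet in the style of the `plan:` example just above, so readers see where the setting goes. The paragraph also switches between "the Lockfile" and "the lockfile"; pick one spelling. The closing clause "and with that ensuring that OpenTofu really uses the locked dependencies" would read more cleanly as "which ensures that OpenTofu uses the locked dependencies".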
diff --git a/README.md b/README.md
index acb6fdb..7255c01 100644
--- a/README.md
+++ b/README.md
@@ -230,6 +230,21 @@ plan:
     - apk add jq
 ```
 
+### Best Practices
+
+This section is a collection of *some* best practices.
+Feel free to contribute more that generally apply.
+If a best practice really becomes the de-facto standard
+we may make it the default behavior if possible.
+
+#### Lockfile Handling
+
+If you commit the Lockfile (`.terraform.lock.hcl`) to your repository
+we recommend setting either the `TF_INIT_FLAGS` (handled by this component)
+or `TF_CLI_ARGS_init` (handled by OpenTofu directly) to `-lockfile=readonly`
+to prevent any changes to the lockfile during the pipeline job and with
+that ensuring that OpenTofu really uses the locked dependencies.
+
 ## Releases & Versioning
 
 This project currently releases tagged commits.
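Review bot: The 15 lines added to `README.md` are identical to those added to `.gitlab/README.md.template`, so please confirm that `README.md` was regenerated from the template rather than edited by hand, otherwise the two files can drift on the next regeneration. In the "Best Practices" intro, "de-facto standard" should be "de facto standard", and "we may make it the default behavior if possible" stacks a second condition onto the "If ..." clause; "we may make it the default behavior" says the same thing. Any wording change belongs in the template first so that both files pick it up.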
-- 
GitLab