ci(dev-experience): run IaC checks in Terraform/OpenTofu matrix

Merge Terraform and OpenTofu validation into one matrix-based workflow job.
Keep Terraform PR comments scoped to Terraform entries while adding OpenTofu runs for ~1.11.0, ~1.10.0, and ~1.9.0.

Author: mrclrchtr

.github/workflows/dev-experience.yml

@@ -18,7 +18,7 @@ concurrency:
 
 jobs:
   terraform-check:
-    name: Terraform Check
+    name: IaC Check (${{ matrix.label }})
     runs-on: ubuntu-latest
     permissions:
       contents: read # for actions/checkout to fetch code
@@ -28,50 +28,89 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - version: ~1.9.0
-          - version: ~1.10.0
-          - version: ~1.11.0
-          - version: ~1.12.0
-          - version: ~1.13.0
-          - version: ~1.14.0
+          - engine: terraform
+            cli: terraform
+            version: "~1.9.0"
+            label: "Terraform ~1.9.0"
+          - engine: terraform
+            cli: terraform
+            version: "~1.10.0"
+            label: "Terraform ~1.10.0"
+          - engine: terraform
+            cli: terraform
+            version: "~1.11.0"
+            label: "Terraform ~1.11.0"
+          - engine: terraform
+            cli: terraform
+            version: "~1.12.0"
+            label: "Terraform ~1.12.0"
+          - engine: terraform
+            cli: terraform
+            version: "~1.13.0"
+            label: "Terraform ~1.13.0"
+          - engine: terraform
+            cli: terraform
+            version: "~1.14.0"
+            label: "Terraform ~1.14.0"
+          - engine: tofu
+            cli: tofu
+            version: "~1.11.0"
+            label: "OpenTofu ~1.11.0"
+          - engine: tofu
+            cli: tofu
+            version: "~1.10.0"
+            label: "OpenTofu ~1.10.0"
+          - engine: tofu
+            cli: tofu
+            version: "~1.9.0"
+            label: "OpenTofu ~1.9.0"
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - name: Configure Terraform plugin cache
+      - name: Configure IaC plugin cache
         run: |
           echo 'plugin_cache_dir = "$HOME/.terraform.d/plugin-cache"' > ~/.terraformrc
           mkdir -p ~/.terraform.d/plugin-cache
-      - name: Cache Terraform
+      - name: Cache IaC
         uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: ~/.terraform.d/plugin-cache
-          key: "${{ runner.os }}-terraform-${{ hashFiles(format('{0}/.terraform.lock.hcl', matrix.version)) }}"
-          restore-keys: "${{ runner.os }}-terraform-"
+          key: "${{ runner.os }}-${{ matrix.engine }}-${{ matrix.version }}-${{ hashFiles('.terraform.lock.hcl') }}"
+          restore-keys: "${{ runner.os }}-${{ matrix.engine }}-"
       - name: Setup Terraform
+        if: matrix.engine == 'terraform'
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
           cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
           terraform_version: ${{ matrix.version }}
+      - name: Setup OpenTofu
+        if: matrix.engine == 'tofu'
+        uses: opentofu/setup-opentofu@9d84900f3238fab8cd84ce47d658d25dd008be2f # v1.0.8
+        with:
+          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+          tofu_version: ${{ matrix.version }}
       - name: Save terraform version to output
+        if: matrix.engine == 'terraform'
         id: terraform-version
         run: |
           terraform version
           echo "TERRAFORM_VERSION=$(terraform version --json | jq -r '.terraform_version')" >> $GITHUB_OUTPUT
-      - name: Terraform Format
+      - name: IaC Format
         id: fmt
-        run: terraform fmt -recursive -check -diff
+        run: ${{ matrix.cli }} fmt -recursive -check -diff
         continue-on-error: true
-      - name: Terraform Init
+      - name: IaC Init
         id: init
-        run: terraform init -no-color
+        run: ${{ matrix.cli }} init -no-color
         continue-on-error: true
-      - name: Terraform Validate
+      - name: IaC Validate
         id: validate
-        run: terraform validate -no-color
+        run: ${{ matrix.cli }} validate -no-color
         continue-on-error: true
       - name: Find Comment
+        if: matrix.engine == 'terraform'
         uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4
         id: find-comment
         with:
@@ -80,6 +119,7 @@ jobs:
           body-includes: |
             Terraform-Check (version: ${{ steps.terraform-version.outputs.TERRAFORM_VERSION }})
       - name: Create or update comment
+        if: matrix.engine == 'terraform'
         uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5
         with:
           comment-id: ${{ steps.find-comment.outputs.comment-id }}