fix: load static token id and validate token secret

- Store non-sensitive Proxmox token id in terraform.tfvars
- Inject only token secret via workflow-generated secrets.auto.tfvars
- Add variable validations for token id format and non-empty token secret
- Add workflow debug output for token secret length and selected token id

.gitea/workflows/terraform-plan.yml

@@ -18,16 +18,16 @@ jobs:
       - name: Create secrets.tfvars
         working-directory: terraform
         run: |
-          echo "PM_API_TOKEN_ID length: $(echo -n '${{ secrets.PM_API_TOKEN_ID }}' | wc -c)"
           echo "PM_API_TOKEN_SECRET length: $(echo -n '${{ secrets.PM_API_TOKEN_SECRET }}' | wc -c)"
           cat > secrets.auto.tfvars << EOF
-          pm_api_token_id     = "${{ secrets.PM_API_TOKEN_ID }}"
           pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
           SSH_KEY_PUBLIC      = "${{ secrets.SSH_KEY_PUBLIC }}"
           TS_AUTHKEY          = "${{ secrets.TS_AUTHKEY }}"
           EOF
           echo "Created secrets.auto.tfvars:"
           cat secrets.auto.tfvars | sed 's/=.*/=***/'
+          echo "Using token ID from terraform.tfvars:"
+          grep '^pm_api_token_id' terraform.tfvars
 
       - name: Set up Terraform
         uses: hashicorp/setup-terraform@v2