fix: load static token id and validate token secret

- Store non-sensitive Proxmox token id in terraform.tfvars
- Inject only token secret via workflow-generated secrets.auto.tfvars
- Add variable validations for token id format and non-empty token secret
- Add workflow debug output for token secret length and selected token id

terraform/terraform.tfvars

@@ -1,9 +1,10 @@
-target_node    = "flex"
-clone_template = "ubuntu-cloudinit"
-cores          = 1
-memory         = 1024
-disk_size      = "15G"
-sockets        = 1
-bridge         = "vmbr0"
-storage        = "Flash"
-pm_api_url     = "https://100.105.0.115:8006/api2/json"
+target_node     = "flex"
+clone_template  = "ubuntu-cloudinit"
+cores           = 1
+memory          = 1024
+disk_size       = "15G"
+sockets         = 1
+bridge          = "vmbr0"
+storage         = "Flash"
+pm_api_url      = "https://100.105.0.115:8006/api2/json"
+pm_api_token_id = "terraform-prov@pve!mytoken"

terraform/variables.tf

@@ -1,12 +1,22 @@
 variable "pm_api_token_id" {
   type        = string
   description = "Proxmox API token ID (format: user@realm!tokenid)"
+
+  validation {
+    condition     = can(regex(".+!.+", trimspace(var.pm_api_token_id)))
+    error_message = "pm_api_token_id must be in format user@realm!tokenid."
+  }
 }
 
 variable "pm_api_token_secret" {
   type        = string
   sensitive   = true
   description = "Proxmox API token secret"
+
+  validation {
+    condition     = length(trimspace(var.pm_api_token_secret)) > 0
+    error_message = "pm_api_token_secret cannot be empty. Check your Gitea secret PM_API_TOKEN_SECRET."
+  }
 }
 
 variable "target_node" {