fix: load static token id and validate token secret

- Store non-sensitive Proxmox token id in terraform.tfvars
- Inject only token secret via workflow-generated secrets.auto.tfvars
- Add variable validations for token id format and non-empty token secret
- Add workflow debug output for token secret length and selected token id

terraform/variables.tf

@@ -1,12 +1,22 @@
 variable "pm_api_token_id" {
   type        = string
   description = "Proxmox API token ID (format: user@realm!tokenid)"
+
+  validation {
+    condition     = can(regex(".+!.+", trimspace(var.pm_api_token_id)))
+    error_message = "pm_api_token_id must be in format user@realm!tokenid."
+  }
 }
 
 variable "pm_api_token_secret" {
   type        = string
   sensitive   = true
   description = "Proxmox API token secret"
+
+  validation {
+    condition     = length(trimspace(var.pm_api_token_secret)) > 0
+    error_message = "pm_api_token_secret cannot be empty. Check your Gitea secret PM_API_TOKEN_SECRET."
+  }
 }
 
 variable "target_node" {