diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index c58d4e9..9060fb9 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -37,6 +37,8 @@ jobs:
cache: pip
cache-dependency-path: |
requirements*.txt
- - name: install ansible collections
- run: ansible-galaxy collection install --requirements-file ansible-requirements.yaml
+ - name: install dependencies
+ run: |
+ pip install -r requirements-dev.txt
+ ansible-galaxy collection install --requirements-file ansible-requirements.yaml
- uses: pre-commit/action@v3.0.1
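Review bot: The added `pip install -r requirements-dev.txt` line in the `install dependencies` step installs whatever that file resolves to at run time, and the diff does not show whether the file pins exact versions with hashes. If it does not, a compromised or look-alike release on the index would run code inside this CI job. A hash-locked requirements file installed with `pip install --require-hashes -r requirements-dev.txt` closes that gap. The same consideration applies to `ansible-requirements.yaml`, where each collection should carry an exact `version:` rather than a range.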
diff --git a/foundations/README.md b/foundations/README.md
index 0d0a56a..f8b9d94 100644
--- a/foundations/README.md
+++ b/foundations/README.md
@@ -15,7 +15,7 @@ Accelerated GCP Lab. These resources will be created:
drive)
-
+
## Requirements
| Name | Version |
@@ -68,5 +68,5 @@ No modules.
| [vault\_bucket](#output\_vault\_bucket) | The randomly named GCS bucket that will be used for Vault storage. |
| [vault\_key](#output\_vault\_key) | The GCP service account JSON key file, base64 encoded, that must be used to authenticate as the Vault service account. |
| [vault\_sa](#output\_vault\_sa) | The GCP service account that has access to Vault GCS storage bucket. The Vault service will have to use this account for all GCS operations. |
-
+
diff --git a/vault/README.md b/vault/README.md
index 4fc82ae..0a7f445 100644
--- a/vault/README.md
+++ b/vault/README.md
@@ -134,7 +134,7 @@ Unseal token (leave empty when done):
Vault should now be running with TLS certs generated by Vault itself; at this point it can be unsealed, and used with OIDC tokens.
-
+
## Requirements
| Name | Version |
@@ -197,5 +197,5 @@ No modules.
## Outputs
No outputs.
-
+
diff --git a/vault/root-otp-login.sh b/vault/root-otp-login.sh
index 51deb64..f9f4632 100755
--- a/vault/root-otp-login.sh
+++ b/vault/root-otp-login.sh
@@ -12,13 +12,14 @@ JSON="$(vault operator generate-root -init -format=json)"
NONCE="$(echo "${JSON}" | jq -r '.nonce')"
OTP="$(echo "${JSON}" | jq -r '.otp')"
while true; do
- read -s -p "Unseal token (leave empty when done): " token
+ # shellcheck disable=SC3045
+ read -r -s -p "Unseal token (leave empty when done): " token
echo
test -z "${token}" && break
- set -- "$@" ${token}
+ set -- "$@" "${token}"
done
for KEY in "$@"; do
- ENC_TOKEN="$(vault operator generate-root -format=json -nonce ${NONCE} ${KEY} | jq -r '.encoded_token')"
+ ENC_TOKEN="$(vault operator generate-root -format=json -nonce "${NONCE}" "${KEY}" | jq -r '.encoded_token')"
done
vault login "$(vault operator generate-root -decode "${ENC_TOKEN}" -otp "${OTP}")"
unset JSON NONCE OTP ENC_TOKEN KEY
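Review bot: The re-quoted `generate-root` line inside the `for KEY` loop still hands each unseal key share to `vault` as a command-line argument, so it is readable from the process table (`ps`, `/proc/<pid>/cmdline`) while the command runs. The Vault CLI accepts `-` as the key argument to read it from stdin (worth confirming against the version in use), e.g. `printf '%s' "${KEY}" | vault operator generate-root -format=json -nonce "${NONCE}" - | jq -r '.encoded_token'`. The closing `unset` also leaves `token` and the positional parameters holding the shares; adding `unset token; set --` would clear them if the script is ever sourced. Finally, the `SC3045` suppression hides that `read -s` is undefined under a POSIX `sh`, so a shell without it may echo the share or fail the prompt. The shebang is outside this hunk, but switching it to bash would be safer than silencing the warning.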