diff --git a/.github/workflows/tfvalidate.yml b/.github/workflows/tfvalidate.yml
index 76d1762a..d828c8b8 100644
--- a/.github/workflows/tfvalidate.yml
+++ b/.github/workflows/tfvalidate.yml
@@ -23,7 +23,9 @@ defaults:
 permissions:
 contents: read
+ pull-requests: write
+# Set repository variable TFVALIDATE_USE_HARDEN_RUNNER = 'true' to enable step-security/harden-runner; unset or other = skip (forks work without it).
 jobs:
 listaddons:
 name: list terraform addon directories
@@ -32,11 +34,13 @@ jobs:
 matrix: ${{ steps.matrix.outputs.value }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ if: vars.TFVALIDATE_USE_HARDEN_RUNNER == 'true'
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
 with:
 egress-policy: audit
+
 - name: Clone repo
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - id: matrix
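Review bot: `pull-requests: write` is added to the workflow-level `permissions:` block in the first hunk, so every job in the file — `listaddons` and each terraform-validate matrix leg, which only check out code and run `terraform` — receives a token that can post to pull requests, while the only consumer is the commenting step added in the third hunk. Keep the workflow default at `contents: read` and grant `pull-requests: write` in a job-level `permissions:` on the job that writes the comment. The new comment explaining `TFVALIDATE_USE_HARDEN_RUNNER` is helpful; a matching one-liner above `pull-requests: write`, e.g. `# needed only to post the validation status comment on PRs`, would make the grant self-explaining. On `pull_request` runs from forks the token is read-only regardless of this block, so if fork PRs are expected the commenting step should tolerate a 403 (for example `continue-on-error: true`) rather than fail the validation job.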
@@ -61,20 +65,83 @@ jobs:
 terraform_dir: ${{ fromJson(needs.listaddons.outputs.matrix) }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ if: vars.TFVALIDATE_USE_HARDEN_RUNNER == 'true'
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
 with:
 egress-policy: audit
 - name: Clone repo
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install terraform
- uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+ uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
 with:
- terraform_version: 1.11.2
+ terraform_version: 1.14.5
 # If we want to test more of these, consider using a matrix. With a matrix of directories, all terraform modules could be fully tested and potentially in parallel.
 - name: Validate ${{ matrix.terraform_dir }} module (covers all submodules)
 working-directory: ${{ matrix.terraform_dir }}
 run: |
 terraform init -backend=false
 terraform validate
+
+ - name: Build validation status comment
+ if: github.event_name == 'pull_request'
+ id: comment-body
+ run: |
+ run_url="https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+ jobs_json=$(gh run view "$GITHUB_RUN_ID" --json jobs)
+ listaddons_ok=$(echo "$jobs_json" | jq -r '[.jobs[] | select(.name == "list terraform addon directories")] | if length > 0 then (.[0].conclusion // "pending") else "skip" end')
+ tfvalidate_jobs=$(echo "$jobs_json" | jq -r '.jobs[] | select(.name | startswith("terraform validate")) | "\(.name)|\(.conclusion // "pending")"')
+ all_ok="true"
+ [[ "$listaddons_ok" != "success" && "$listaddons_ok" != "skip" ]] && all_ok="false"
+ while IFS= read -r line; do
+ [[ -z "$line" ]] && continue
+ concl="${line#*|}"
+ [[ "$concl" != "success" ]] && all_ok="false"
+ done <<< "$tfvalidate_jobs"
+ if [[ "$all_ok" == "true" && "$listaddons_ok" == "success" ]]; then
+ emoji="✅"
+ status="**Terraform validation: success**"
+ else
+ emoji="❌"
+ status="**Terraform validation: failed**"
+ fi
+ {
+ echo ""
+ echo "$emoji $status"
+ echo ""
+ echo "| Module / step | Status |"
+ echo "|---------------|--------|"
+ if [[ "$listaddons_ok" != "skip" ]]; then
+ lo_icon=$([[ "$listaddons_ok" == "success" ]] && echo "✅" || echo "❌")
+ echo "| list addon directories | $lo_icon $listaddons_ok |"
+ fi
+ while IFS= read -r line; do
+ [[ -z "$line" ]] && continue
+ name="${line%|*}"
+ dir=$(echo "$name" | sed -n 's/^terraform validate[[:space:]]*(\(.*\))$/\1/p')
+ [[ -z "$dir" ]] && dir="$name"
+ concl="${line#*|}"
+ icon=$([[ "$concl" == "success" ]] && echo "✅" || echo "❌")
+ echo "| $dir | $icon $concl |"
+ done <<< "$tfvalidate_jobs"
+ echo ""
+ echo "[View run]($run_url)"
+ } > comment.md
+
+ - name: Find existing validation comment
+ if: github.event_name == 'pull_request'
+ id: find-comment
+ uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
+ with:
+ issue-number: ${{ github.event.pull_request.number }}
+ body-includes: ""
+
+ - name: Comment validation status on PR
+ if: github.event_name == 'pull_request'
+ uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+ with:
+ comment-id: ${{ steps.find-comment.outputs.comment-id }}
+ issue-number: ${{ github.event.pull_request.number }}
+ body-path: comment.md
+ edit-mode: replace
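Review bot: The three steps added at the end of the hunk live inside the `terraform_dir` matrix job, so each leg runs `gh run view` while it — and any sibling leg — is still in progress; those jobs have no `conclusion` yet, the `// "pending"` fallback in the two `jq` filters marks them non-success, and the comment reports `failed` even on a green run, with every leg then overwriting the same comment (the jq `startswith("terraform validate")` presumably matches the running job itself; the job header is outside the hunk). `gh` also needs `GH_TOKEN` in the step's `env:`, and with an explicit `permissions:` block the token has no `actions: read`, so the `jobs_json=$(gh run view ...)` assignment most likely errors out and aborts the step. Moving the steps into a separate job that `needs:` both `listaddons` and the matrix job and runs with `if: always()` fixes the ordering and writes the comment once, as sketched below. Separately, `body-includes: ""` matches the first comment `find-comment` returns regardless of content, so an unrelated bot comment on the PR can be replaced — use a distinctive marker such as the `Terraform validation:` heading the script already emits.

```yaml
  # Runs once, after every matrix leg has finished, so `gh run view` sees final
  # conclusions and exactly one comment is written per PR.
  tfvalidate-comment:
    name: comment terraform validation status
    runs-on: ubuntu-latest  # placeholder: match the runner the other jobs use
    needs: [listaddons, <TFVALIDATE_MATRIX_JOB_ID>]  # placeholder: id of the matrix job above
    if: always() && github.event_name == 'pull_request'
    permissions:
      actions: read
      pull-requests: write
    env:
      GH_TOKEN: ${{ github.token }}
    steps:
      - name: Build validation status comment
        id: comment-body
        run: |
          # … unchanged: status-table script from the hunk …
      # … unchanged: Find existing validation comment / Comment validation status on PR steps,
      #     without their per-step `if:` and with a non-empty `body-includes` …
```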