diff --git a/.github/workflows/expand-terraform.yml b/.github/workflows/expand-terraform.yml
index aaded55..0fe06bd 100644
--- a/.github/workflows/expand-terraform.yml
+++ b/.github/workflows/expand-terraform.yml
@@ -49,6 +49,11 @@ jobs:
             scripts
             terraform/modules
 
+      - uses: hashicorp/setup-terraform@v4
+        with:
+          terraform_version: "1.7"
+          terraform_wrapper: false
+
       - name: Expand modules from app.yaml
         env:
           APP_SERVICE: ${{ github.event.repository.name }}
diff --git a/.github/workflows/tf-plan.yml b/.github/workflows/tf-plan.yml
index 1d05fd0..d663d8b 100644
--- a/.github/workflows/tf-plan.yml
+++ b/.github/workflows/tf-plan.yml
@@ -42,6 +42,8 @@ jobs:
       PLAN_BUCKET: javabin-ci-plan-artifacts-${{ inputs.aws_account_id }}
     steps:
       - uses: actions/checkout@v5
+        with:
+          ref: ${{ github.ref }}
 
       - uses: hashicorp/setup-terraform@v4
         with:
diff --git a/scripts/expand-modules.py b/scripts/expand-modules.py
index a8d015c..a9550de 100644
--- a/scripts/expand-modules.py
+++ b/scripts/expand-modules.py
@@ -695,6 +695,20 @@ def main():
                     f.write(f'  {ds["body"]}\n')
                     f.write("}\n")
 
+    # -- Clean up stale generated files --
+    generated_filenames = {"backend.tf", "providers.tf", "outputs.tf"}
+    generated_filenames.update(file_contents.keys())
+
+    for f in os.listdir(tf_root):
+        if not f.endswith(".tf") or f in generated_filenames:
+            continue
+        filepath = os.path.join(tf_root, f)
+        with open(filepath) as fh:
+            first_line = fh.readline()
+        if GENERATED_MARKER in first_line:
+            os.remove(filepath)
+            print(f"  removed stale {f}")
+
     # -- Fingerprint --
     import hashlib
     with open(app_yaml_path, "rb") as f: