The motivation was wanting fewer moving parts. If you already run a container registry with auth and permissions, you don't need a separate backend service (or S3 + DynamoDB) just for a JSON state file.
Minimal config:
    terraform {
      backend "oras" {
        repository = "ghcr.io/myorg/infra-state"
      }
    }
What you get: locking, retries, gzip compression, stale lock cleanup via TTL, and version retention. Auth resolves from Docker credential helpers. There's also a GitHub Action (vmvarela/ghoten@v1) that handles install, GHCR auth, init, PR comments, and job summaries out of the box.
Validated against GHCR and Zot. Other OCI-compliant registries should work but haven't been tested yet.
Tracks upstream OpenTofu — changes are scoped to the ORAS backend and related automation.
Happy to answer questions about the wire format, locking semantics, or tradeoffs vs. dedicated backends.