Name origin: Ghoten blends GitHub and OpenTofu, with a nod to Goten from Dragon Ball Z.
Ghoten is an OpenTofu fork that adds one opinionated thing: a native oras backend for storing state in OCI registries (like GHCR), without extra services.
We built it for teams that already trust container registries and want fewer moving parts in Terraform/OpenTofu state management. Instead of running a custom HTTP backend, you can reuse registry auth, permissions, and auditing you already have.
Upstream policy: Ghoten tracks OpenTofu and keeps changes focused on the ORAS backend and related automation.
Build and run ghoten locally:
git clone https://github.com/vmvarela/ghoten.git
cd ghoten
make build
./ghoten versionUse ORAS backend in your HCL:
terraform {
backend "oras" {
repository = "ghcr.io/acme/infra-state"
}
}Authenticate and initialize with GHCR:
echo "$GITHUB_TOKEN" | docker login ghcr.io -u YOUR_GITHUB_USER --password-stdin
./ghoten init
./ghoten plan- Registry-first state: state, locks, and versions are OCI artifacts.
- Operationally simple: no separate backend service to deploy and maintain.
- Safe by default: locking, retries, and optional compression are built in.
- Works in GitHub Actions: action handles install, auth, init, PR comments, and summaries.
- Quickstart & installation
- GitHub Action guide
- ORAS backend guide
- Testing guide
- Contributing
- Security policy
- Validated against GHCR and Zot; other OCI registries are expected to work but have not been tested yet. See the compatibility matrix.
- If you need advanced backend workflows (multi-region replication policies, custom APIs), dedicated backend platforms may be a better fit.
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}