Hello community,

here is the log from the commit of package digger-cli for openSUSE:Factory 
checked in at 2026-05-06 19:18:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/digger-cli (Old)
 and      /work/SRC/openSUSE:Factory/.digger-cli.new.30200 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "digger-cli"

Wed May  6 19:18:33 2026 rev:50 rq:1351101 version:0.6.145

Changes:
--------
--- /work/SRC/openSUSE:Factory/digger-cli/digger-cli.changes    2026-03-27 
06:38:10.921972642 +0100
+++ /work/SRC/openSUSE:Factory/.digger-cli.new.30200/digger-cli.changes 
2026-05-06 19:20:49.300313420 +0200
@@ -1,0 +2,18 @@
+Wed May 06 05:34:20 UTC 2026 - Johannes Kastl 
<[email protected]>
+
+- Update to version 0.6.145:
+  * Feat/exclude drift (#2650)
+  * conditionally enable summary (#2619)
+  * Fix default image repos (backend ee -> ce), add podAnnotations
+    (#2598)
+  * fix: add target url to link to workflow run (#2606)
+  * docs: secuirty page (#2605)
+  * docs: recommend docker-compose guide (#2604)
+  * fix: upgrade azure/login to v2.2.0 to prevent cleanup warnings
+    (#2584)
+  * Update Slack invitation links in CONTRIBUTING.md (#2646)
+  * ui github setup link fix (#2642)
+  * add timeout to generate service client so it does not fail
+    (#2622)
+
+-------------------------------------------------------------------

Old:
----
  digger-cli-0.6.144.obscpio

New:
----
  digger-cli-0.6.145.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ digger-cli.spec ++++++
--- /var/tmp/diff_new_pack.ZsThQJ/_old  2026-05-06 19:20:50.476361855 +0200
+++ /var/tmp/diff_new_pack.ZsThQJ/_new  2026-05-06 19:20:50.476361855 +0200
@@ -19,7 +19,7 @@
 %define executable_name digger
 
 Name:           digger-cli
-Version:        0.6.144
+Version:        0.6.145
 Release:        0
 Summary:        CLI for the digger open source IaC orchestration tool
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.ZsThQJ/_old  2026-05-06 19:20:50.532364162 +0200
+++ /var/tmp/diff_new_pack.ZsThQJ/_new  2026-05-06 19:20:50.536364327 +0200
@@ -6,8 +6,8 @@
     <param name="exclude">go.mod</param>
     <param name="exclude">go.work</param>
     <param name="exclude">go.work.sum</param>
-    <param name="revision">v0.6.144</param>
-    <param name="match-tag">v0.6.144</param>
+    <param name="revision">v0.6.145</param>
+    <param name="match-tag">v0.6.145</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.ZsThQJ/_old  2026-05-06 19:20:50.564365480 +0200
+++ /var/tmp/diff_new_pack.ZsThQJ/_new  2026-05-06 19:20:50.572365809 +0200
@@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/diggerhq/digger</param>
-              <param 
name="changesrevision">fd5d38526e54518714a137b9e0dbc5dad9bee2dc</param></service><service
 name="tar_scm">
+              <param 
name="changesrevision">5adb2843ebfde0c53d2d8c1295e4d90e4df38536</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/johanneskastl/digger</param>
               <param 
name="changesrevision">8fe377068e53e2050ff4c745388d8428d2b13bb0</param></service></servicedata>
 (No newline at EOF)

++++++ digger-cli-0.6.144.obscpio -> digger-cli-0.6.145.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/CONTRIBUTING.md 
new/digger-cli-0.6.145/CONTRIBUTING.md
--- old/digger-cli-0.6.144/CONTRIBUTING.md      2026-03-24 02:40:13.000000000 
+0100
+++ new/digger-cli-0.6.145/CONTRIBUTING.md      2026-05-05 00:47:58.000000000 
+0200
@@ -4,7 +4,7 @@
 
 **FEEDBACK:** The best way to contribute to Digger today is by using
 it within your organisation and providing feedback. If you are considering
-using Digger please [drop us a 
line](https://join.slack.com/t/diggertalk/shared_invite/zt-1q6npg7ib-9dwRbJp8sQpSr2fvWzt9aA),
+using Digger please [drop us a 
line](https://diggertalk.slack.com/join/shared_invite/zt-2p8l9npwx-VABojXOtSCeM7EWkgKB1Mw#/shared-invite/email),
 and we would be happy to set you up.
 
 ## Table of Contents
@@ -68,7 +68,7 @@
 ## How to contribute
 
 **If you are considering using digger within your organisation
-please [reach out to 
us](https://join.slack.com/t/diggertalk/shared_invite/zt-1q6npg7ib-9dwRbJp8sQpSr2fvWzt9aA)
+please [reach out to 
us](https://diggertalk.slack.com/join/shared_invite/zt-2p8l9npwx-VABojXOtSCeM7EWkgKB1Mw#/shared-invite/email)
 we would be happy to help onboard you to use it**.
 There are many ways to contribute to Digger, including:
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/action.yml 
new/digger-cli-0.6.145/action.yml
--- old/digger-cli-0.6.144/action.yml   2026-03-24 02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/action.yml   2026-05-05 00:47:58.000000000 +0200
@@ -362,11 +362,15 @@
       if: ${{ inputs.setup-aws == 'true' && inputs.aws-role-to-assume != '' }}
 
     - name: Configure OIDC Azure credentials
-      uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
+      uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
       with:
         client-id: ${{ inputs.azure-client-id }}
         tenant-id: ${{ inputs.azure-tenant-id }}
         subscription-id: ${{ inputs.azure-subscription-id }}
+      env:
+        # Disable post-cleanup when Azure is not being used (v2.2.0+ feature)
+        # See: https://github.com/Azure/login/pull/484
+        AZURE_LOGIN_POST_CLEANUP: ${{ inputs.setup-azure == 'true' && 'true' 
|| 'false' }}
       if: ${{ inputs.setup-azure == 'true' && inputs.azure-client-id != '' }}
 
     # if terraform-cache-dir is set then we set it to that otherwise set it to 
'${{github.workspace}}/cache'
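Review bot: `AZURE_LOGIN_POST_CLEANUP` can never be 'false' while this step runs, because the step's own `if:` already requires `inputs.setup-azure == 'true'`, so the `&& 'true' || 'false'` expression is redundant as written. If the intent is to silence the post-step of a skipped login, as the comment suggests, say so in the comment and confirm that step-level `env` is applied in that case; otherwise set the value literally. Separately, the `# v2.2.0` label is only a comment: verify that `a65d910e8af852a8061c627c456678983e180302` is the commit the upstream v2.2.0 tag points to before accepting the pin.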
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/backend/controllers/projects.go 
new/digger-cli-0.6.145/backend/controllers/projects.go
--- old/digger-cli-0.6.144/backend/controllers/projects.go      2026-03-24 
02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/backend/controllers/projects.go      2026-05-05 
00:47:58.000000000 +0200
@@ -1031,6 +1031,13 @@
        // if so, perform merge of PR (if configured to do so)
        batch := job.Batch
 
+       aiSummaryEnabled := false
+       if diggerConfigYml, err := 
digger_config.LoadDiggerConfigYamlFromString(batch.DiggerConfig); err != nil {
+               slog.Warn("Could not load digger config to check AI summary 
setting, defaulting to disabled", "batchId", batch.ID, "error", err)
+       } else {
+               aiSummaryEnabled = diggerConfigYml.Reporting != nil && 
diggerConfigYml.Reporting.AiSummary
+       }
+
        slog.Info("Updating batch status after job update",
                "batchId", batch.ID,
                "jobId", jobId,
@@ -1067,7 +1074,7 @@
 
        // performing this in a goroutine to avoid huge latencies (added by ai 
summary gen)
        go func() {
-               err = UpdateCheckRunForBatch(d.GithubClientProvider, 
refreshedBatch)
+               err = UpdateCheckRunForBatch(d.GithubClientProvider, 
refreshedBatch, aiSummaryEnabled)
                if err != nil {
                        slog.Warn("DIAGNOSTIC #7: Failed to update GitHub Check 
Run for batch (non-fatal)",
                                "batchId", batch.ID,
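Review bot: Inside `go func()` the touched line still uses `err = UpdateCheckRunForBatch(...)`, which assigns to the enclosing function's `err` from a separate goroutine while the handler keeps running; that is a data race on `err`. Declare it locally, for example `if err := UpdateCheckRunForBatch(d.GithubClientProvider, refreshedBatch, aiSummaryEnabled); err != nil {`, and apply the same change to the `UpdateCheckRunForJob` goroutine in the next hunk.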
@@ -1100,7 +1107,7 @@
 
        // performing this in a goroutine to avoid huge latencies (added by ai 
summary gen)
        go func() {
-               err = UpdateCheckRunForJob(d.GithubClientProvider, refreshedJob)
+               err = UpdateCheckRunForJob(d.GithubClientProvider, 
refreshedJob, aiSummaryEnabled)
                if err != nil {
                        slog.Warn("DIAGNOSTIC #9: Failed to update GitHub Check 
Run for job (non-fatal)",
                                "jobId", jobId,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/backend/controllers/projects_helpers.go 
new/digger-cli-0.6.145/backend/controllers/projects_helpers.go
--- old/digger-cli-0.6.144/backend/controllers/projects_helpers.go      
2026-03-24 02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/backend/controllers/projects_helpers.go      
2026-05-05 00:47:58.000000000 +0200
@@ -128,8 +128,8 @@
        batch := job.Batch
        summaryEndpoint := os.Getenv("DIGGER_AI_SUMMARY_ENDPOINT")
        if summaryEndpoint == "" {
-               slog.Error("AI summary endpoint not configured", "batch", 
batch.ID, "jobId", job.ID, "DiggerJobId", job.DiggerJobID)
-               return "", fmt.Errorf("could not generate AI summary, ai 
summary endpoint missing")
+               slog.Info("AI summary endpoint not configured, skipping", 
"batch", batch.ID, "jobId", job.ID, "DiggerJobId", job.DiggerJobID)
+               return "", nil
        }
        apiToken := os.Getenv("DIGGER_AI_SUMMARY_API_TOKEN")
 
@@ -161,7 +161,7 @@
        return summary, nil
 }
 
-func UpdateCheckRunForBatch(gh utils.GithubClientProvider, batch 
*models.DiggerBatch) error {
+func UpdateCheckRunForBatch(gh utils.GithubClientProvider, batch 
*models.DiggerBatch, aiSummaryEnabled bool) error {
        slog.Info("Updating PR status for batch",
                "batchId", batch.ID,
                "prNumber", batch.PrNumber,
@@ -261,7 +261,7 @@
        }
 
        var summary = ""
-       if batch.Status == orchestrator_scheduler.BatchJobSucceeded || 
batch.Status == orchestrator_scheduler.BatchJobFailed {
+       if aiSummaryEnabled && (batch.Status == 
orchestrator_scheduler.BatchJobSucceeded || batch.Status == 
orchestrator_scheduler.BatchJobFailed) {
                summary, err = GenerateChecksSummaryForBatch(batch)
                if err != nil {
                        slog.Warn("Error generating checks summary for batch", 
"batchId", batch.ID, "error", err)
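Review bot: Now that this branch only runs when `aiSummaryEnabled` is true, the missing-endpoint case changed earlier in this file (Info log, return of an empty string and nil) means an enabled-but-unconfigured setup produces no summary and no warning. Log that case at Warn, or return a sentinel error the callers can recognise, so operators can tell "disabled" apart from "enabled but `DIGGER_AI_SUMMARY_ENDPOINT` missing".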
@@ -304,8 +304,8 @@
                        allJobsHaveZeroChanges := true
                        for _, job := range jobs {
                                if job.DiggerJobSummary.ResourcesCreated > 0 ||
-                                  job.DiggerJobSummary.ResourcesUpdated > 0 ||
-                                  job.DiggerJobSummary.ResourcesDeleted > 0 {
+                                       job.DiggerJobSummary.ResourcesUpdated > 
0 ||
+                                       job.DiggerJobSummary.ResourcesDeleted > 
0 {
                                        allJobsHaveZeroChanges = false
                                        break
                                }
@@ -401,7 +401,7 @@
 }
 
 // more modern check runs on github have their own page
-func UpdateCheckRunForJob(gh utils.GithubClientProvider, job 
*models.DiggerJob) error {
+func UpdateCheckRunForJob(gh utils.GithubClientProvider, job 
*models.DiggerJob, aiSummaryEnabled bool) error {
        batch := job.Batch
        slog.Info("Updating PR Check run for job",
                "jobId", job.DiggerJobID,
@@ -524,10 +524,10 @@
                "```\n"
 
        var summary = ""
-       if job.Status == orchestrator_scheduler.DiggerJobSucceeded || 
job.Status == orchestrator_scheduler.DiggerJobFailed {
+       if aiSummaryEnabled && (job.Status == 
orchestrator_scheduler.DiggerJobSucceeded || job.Status == 
orchestrator_scheduler.DiggerJobFailed) {
                summary, err = GenerateChecksSummaryForJob(job)
                if err != nil {
-                       slog.Warn("Error generating checks summary for batch", 
"batchId", batch.ID, "error", err)
+                       slog.Warn("Error generating checks summary for job", 
"jobId", job.DiggerJobID, "batchId", batch.ID, "error", err)
                }
        }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/backend/go.sum 
new/digger-cli-0.6.145/backend/go.sum
--- old/digger-cli-0.6.144/backend/go.sum       2026-03-24 02:40:13.000000000 
+0100
+++ new/digger-cli-0.6.145/backend/go.sum       2026-05-05 00:47:58.000000000 
+0200
@@ -1,7 +1,5 @@
 ariga.io/atlas-go-sdk v0.7.2 h1:pvS8tKVeRQuqdETBqj5qAQtVbQE88Gya6bOfY8YF3vU=
 ariga.io/atlas-go-sdk v0.7.2/go.mod 
h1:cFq7bnvHgKTWHCsU46mtkGxdl41rx2o7SjaLoh6cO8M=
-ariga.io/atlas-provider-gorm v0.5.0 
h1:DqYNWroKUiXmx2N6nf/I9lIWu6fpgB6OQx/JoelCTes=
-ariga.io/atlas-provider-gorm v0.5.0/go.mod 
h1:8m6+N6+IgWMzPcR63c9sNOBoxfNk6yV6txBZBrgLg1o=
 ariga.io/atlas-provider-gorm v0.5.4 
h1:64xboUDrP+JHdZOy4juPydHT5UP1kY152b5Gh/xNzmM=
 ariga.io/atlas-provider-gorm v0.5.4/go.mod 
h1:cXt4kxq8KIldPXHoWXC0HvSr8dVI0dIykZt3MZ4AmqE=
 c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805 
h1:u2qwJeEvnypw+OCPUHmoZE3IqwfuN5kgDfo5MLzpNM0=
@@ -759,10 +757,6 @@
 github.com/ajstarks/deck/generate v0.0.0-20210309230005-c3f852c02e19/go.mod 
h1:T13YZdzov6OU0A1+RfKZiZN9ca6VeKdBdyDV+BY97Tk=
 github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod 
h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
 github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b/go.mod 
h1:1KcenG0jGWcpt8ov532z81sp/kMMUG485J2InIOyADM=
-github.com/alecthomas/kong v0.7.1 
h1:azoTh0IOfwlAX3qN9sHWTxACE2oV8Bg2gAwBsMwDQY4=
-github.com/alecthomas/kong v0.7.1/go.mod 
h1:n1iCIO2xS46oE8ZfYCNDqdR0b0wZNrXAIAqro/2132U=
-github.com/alecthomas/kong v1.9.0 
h1:Wgg0ll5Ys7xDnpgYBuBn/wPeLGAuK0NvYmEcisJgrIs=
-github.com/alecthomas/kong v1.9.0/go.mod 
h1:p2vqieVMeTAnaC83txKtXe8FLke2X07aruPWXyMPQrU=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod 
h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod 
h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod 
h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -2847,7 +2841,6 @@
 gorm.io/gorm v1.23.8/go.mod h1:l2lP/RyAtc1ynaTjFksBde/O8v9oOGIApu2/xRitmZk=
 gorm.io/gorm v1.23.10/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA=
 gorm.io/gorm v1.24.0/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA=
-gorm.io/gorm v1.30.0 h1:qbT5aPv1UH8gI99OsRlvDToLxW5zR7FzS9acZDOZcgs=
 gorm.io/gorm v1.30.0/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
 gorm.io/gorm v1.30.1 h1:lSHg33jJTBxs2mgJRfRZeLDG+WZaHYCk3Wtfl6Ngzo4=
 gorm.io/gorm v1.30.1/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/backend/utils/ai.go 
new/digger-cli-0.6.145/backend/utils/ai.go
--- old/digger-cli-0.6.144/backend/utils/ai.go  2026-03-24 02:40:13.000000000 
+0100
+++ new/digger-cli-0.6.145/backend/utils/ai.go  2026-05-05 00:47:58.000000000 
+0200
@@ -7,6 +7,7 @@
        "io"
        "log/slog"
        "net/http"
+       "time"
 )
 
 func GenerateTerraformCode(appCode string, generationEndpoint string, apiToken 
string) (string, error) {
@@ -38,7 +39,7 @@
        req.Header.Set("Authorization", "Bearer "+apiToken)
 
        // Make the request
-       client := &http.Client{}
+       client := &http.Client{Timeout: 30 * time.Second}
        resp, err := client.Do(req)
        if err != nil {
                slog.Error("Error making request to code generation API", 
"endpoint", generationEndpoint, "error", err)
@@ -118,7 +119,7 @@
        req.Header.Set("Authorization", "Bearer "+apiToken)
 
        // Make the request
-       client := &http.Client{}
+       client := &http.Client{Timeout: 30 * time.Second}
        resp, err := client.Do(req)
        if err != nil {
                slog.Error("Error making request to summary API", "endpoint", 
summaryEndpoint, "error", err)
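Review bot: The 30 second timeout is hard-coded at both call sites (this summary client and the code generation client in the previous hunk); hoist it into a package-level constant or a shared `http.Client` so the two cannot drift apart. `http.Client.Timeout` also covers reading the response body, so a slow summary backend now fails the request outright; make sure every caller treats that error as non-fatal, as the check-run callers in projects_helpers.go do with their Warn log.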
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/cli/pkg/drift/github_issue.go 
new/digger-cli-0.6.145/cli/pkg/drift/github_issue.go
--- old/digger-cli-0.6.144/cli/pkg/drift/github_issue.go        2026-03-24 
02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/cli/pkg/drift/github_issue.go        2026-05-05 
00:47:58.000000000 +0200
@@ -16,6 +16,11 @@
     log.Printf("Info: Sending drift notification regarding project: %v", 
projectName)
     title := fmt.Sprintf("Drift detected in project: %v", projectName)
     message := fmt.Sprintf(":bangbang: Drift detected in digger project %v 
details below: \n\n```\n%v\n```", projectName, plan)
+    const maxLen = 65536
+    const truncMsg = "\n\n> ⚠️ Output truncated: plan exceeds GitHub's 65536 
character limit. See job logs for full output."
+    if len(message) > maxLen {
+        message = message[:maxLen-len(truncMsg)] + truncMsg
+    }
     existingIssues, err := (*ghi.GithubService).ListIssues()
     if err != nil {
         log.Printf("failed to retrieve issues: %v", err)
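Review bot: `len(message)` and `message[:maxLen-len(truncMsg)]` count bytes, not characters, so the cut can land in the middle of a multi-byte UTF-8 character in the plan output and leave invalid text in the issue body. The slice also removes the closing code fence that the `message` format string adds, so the truncation notice ends up rendered inside the code block. Truncate `plan` before formatting, on a rune boundary, leaving room for the closing fence and the notice, and add a test with a plan longer than 65536 bytes.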
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/cli/pkg/github/github.go 
new/digger-cli-0.6.145/cli/pkg/github/github.go
--- old/digger-cli-0.6.144/cli/pkg/github/github.go     2026-03-24 
02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/cli/pkg/github/github.go     2026-05-05 
00:47:58.000000000 +0200
@@ -215,6 +215,12 @@
                                        continue
                                }
                        }
+                       if len(diggerConfig.DriftIncludePatterns) > 0 || 
len(diggerConfig.DriftExcludePatterns) > 0 {
+                               if 
!digger_config.MatchIncludeExcludePatternsToFile(projectConfig.Dir, 
diggerConfig.DriftIncludePatterns, diggerConfig.DriftExcludePatterns) {
+                                       slog.Info("Project excluded by drift 
patterns, skipping", "project", projectConfig.Name, "dir", projectConfig.Dir)
+                                       continue
+                               }
+                       }
                        workflow := 
diggerConfig.Workflows[projectConfig.Workflow]
 
                        stateEnvVars, commandEnvVars := 
digger_config.CollectTerraformEnvConfig(workflow.EnvVars, true)
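Review bot: The new filter passes `projectConfig.Dir` to `MatchIncludeExcludePatternsToFile` whenever either list is non-empty, so the exclude-only case depends on that helper treating an empty include list as match-all, which is not visible here. Add unit tests for exclude-only, include-only, and a directory equal to the pattern root (dir `infra/prod` against `infra/prod/**`, as in the documentation example) so the behaviour the docs promise is pinned down.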
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/docs/ce/drift/backendless-scoping-projects.mdx 
new/digger-cli-0.6.145/docs/ce/drift/backendless-scoping-projects.mdx
--- old/digger-cli-0.6.144/docs/ce/drift/backendless-scoping-projects.mdx       
2026-03-24 02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/docs/ce/drift/backendless-scoping-projects.mdx       
2026-05-05 00:47:58.000000000 +0200
@@ -1,11 +1,16 @@
 ---
 title: "Backendless: Scope Drift to Specific Projects"
-description: "Scope backendless drift checks to selected projects using 
dedicated config files"
+description: "Scope backendless drift checks to selected projects using 
dedicated config file or patterns"
 ---
 
-In Backendless mode, scope drift by pointing your scheduled workflow at a 
dedicated config file.
 
-## Approach
+
+
+In Backendless mode, digger provides two means scoping drift detection. 
+
+
+
+## Using dedicated config 
 
 - Create a dedicated `digger.yml` that lists only the projects or blocks you 
want scanned.
 - Point your drift workflow to that file using the `digger-filename` input.
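Review bot: The added intro sentence reads "provides two means scoping drift detection" and is missing "of" ("two means of scoping"). The hunk also adds runs of empty lines around that sentence and trailing whitespace after it and after the "## Using dedicated config" heading; trim both.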
@@ -57,7 +62,31 @@
           digger-filename: digger-drift-dev.yml
 ```
 
+## Using drift patterns
+
+Add `drift_include_patterns` and `drift_exclude_patterns` under 
`generate_projects` in your main `digger.yml`:
+
+```yaml
+generate_projects:
+  blocks:
+    - block_name: infra
+      root_dir: "infra/"
+      workflow: default
+      include: "**"
+  drift_include_patterns:
+    - "infra/prod/**"
+    - "infra/staging/**"
+  drift_exclude_patterns:
+    - "infra/_global/**"
+```
+
+Only projects whose `dir` matches an include pattern and does not match an 
exclude pattern  will run drift detection. Exclude patterns are evaluated after 
include patterns.
+
 ## Notes
 
-- There is no per-project drift filter in the action; scoping via a dedicated 
config file is the recommended approach.
-- You can also mark projects with `drift_detection: false` in your main config 
to disable drift checks for them.
+- Patterns use [doublestar](https://github.com/bmatcuk/doublestar) glob 
matching against the project directory path.
+- Both fields default to `[]`. If `drift_include_patterns` is empty, all 
projects are included.
+
+## Related
+
+- [Backendless Drift via GitHub Actions](/ce/drift/backendless-github-actions)
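Review bot: The Notes section loses the `drift_detection: false` bullet with nothing replacing it; if that per-project switch still works, keep the bullet next to the new pattern notes, and if it does not, the removal belongs in the changelog rather than in a docs cleanup. Minor: there is a double space in "exclude pattern  will".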
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/docs/ce/local-development/overview.mdx 
new/digger-cli-0.6.145/docs/ce/local-development/overview.mdx
--- old/digger-cli-0.6.144/docs/ce/local-development/overview.mdx       
2026-03-24 02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/docs/ce/local-development/overview.mdx       
2026-05-05 00:47:58.000000000 +0200
@@ -5,6 +5,10 @@
 
 This section describes the recommended development workflow now that the full 
stack is available in `self-hosting/docker-compose`.
 
+<Tip>
+  If you don't need to run services locally, use the [Docker Compose 
self-hosting guide](/self-hosting/docker-compose) instead. To run only selected 
services locally, skip to [Core services](#core-services) below.
+</Tip>
+
 ## Recommended baseline
 
 Start with Docker Compose for everything, then move a single service to host 
runtime when you need faster iteration.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/docs/ce/reference/digger.yml.mdx 
new/digger-cli-0.6.145/docs/ce/reference/digger.yml.mdx
--- old/digger-cli-0.6.144/docs/ce/reference/digger.yml.mdx     2026-03-24 
02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/docs/ce/reference/digger.yml.mdx     2026-05-05 
00:47:58.000000000 +0200
@@ -227,29 +227,17 @@
   Workflows and configurations to run on events. See [Workflow 
Configuration](#workflow-configuration).
 </ParamField>
 
-<AccordionGroup>
-  <Accordion title="Reporting Configuration">
-    Configure reporting options using the `reporting` key.
-
-    <ParamField path="reporting.ai_summary" type="boolean" default="false">
-      Enable AI-generated summaries of plan output. See [AI 
Summaries](/ce/features/ai-summaries).
-    </ParamField>
-
-    <ParamField path="reporting.comments_enabled" type="boolean" 
default="true">
-      Enable posting plan/apply results as PR comments.
-    </ParamField>
-  </Accordion>
+<ParamField path="reporting.ai_summary" type="boolean" default="false">
+  Enable AI-generated summaries of plan output. See [AI 
Summaries](/ce/features/ai-summaries).
+</ParamField>
 
-  <Accordion title="Dependency Configuration">
-    Configure dependency handling using the `dependency_configuration` key.
+<ParamField path="reporting.comments_enabled" type="boolean" default="true">
+  Enable posting plan/apply results as PR comments.
+</ParamField>
 
-    <ParamField path="dependency_configuration.mode" type="string" 
default="hard">
-      Dependency execution mode:
-      - `hard` - Execute dependency projects even if they weren't changed
-      - `soft` - Skip dependency projects if they weren't changed
-    </ParamField>
-  </Accordion>
-</AccordionGroup>
+<ParamField path="dependency_configuration.mode" type="string" default="hard">
+  Dependency execution mode: `hard` executes dependency projects even if 
unchanged, `soft` skips them if unchanged.
+</ParamField>
 
 ---
 
@@ -389,6 +377,14 @@
   Terragrunt-specific parsing configuration. See [Terragrunt 
Parsing](/ce/reference/terragrunt-parsing) for all options.
 </ParamField>
 
+<ParamField path="drift_include_patterns" type="array" default="[]">
+  Glob patterns matched against each project's `dir`. Only matching projects 
run drift detection. If empty, all projects are included. See [Backendless: 
Scope Drift to Specific Projects](/ce/drift/backendless-scoping-projects).
+</ParamField>
+
+<ParamField path="drift_exclude_patterns" type="array" default="[]">
+  Glob patterns matched against each project's `dir`. Matching projects are 
skipped during drift detection. Evaluated after `drift_include_patterns`.
+</ParamField>
+
 <ParamField path="aws_role_to_assume" type="object">
   Default AWS role configuration for all generated projects. See [AWS Role 
Configuration](#aws-role-configuration).
 </ParamField>
@@ -512,7 +508,7 @@
     Configure plan and apply stages.
 
     <ParamField path="filter_regex" type="string">
-      Regular expression to filter which files trigger this stage.
+      Regular expression to mask sensitive values from plan output and PR 
comments. Matches are replaced with `<REDACTED>`. See [Masking sensitive 
values](/ce/howto/masking-sensitive-values).
     </ParamField>
 
     <ParamField path="steps" type="array" default="[]">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/docs/ce/securing-digger/external-provider.mdx 
new/digger-cli-0.6.145/docs/ce/securing-digger/external-provider.mdx
--- old/digger-cli-0.6.144/docs/ce/securing-digger/external-provider.mdx        
2026-03-24 02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/docs/ce/securing-digger/external-provider.mdx        
1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
----
-title: "External providers code execution"
----
-
-Digger executes terraform in github actions within previlliged environments. 
Since terraform has the ability
-to execute arbitrary code based on data blocks or external providers this can 
lead to a user with malicious
-intent to expose the environment variables within the CI environment, 
potentially leaking cloud secrets.
-
-How to avoid this?
----
-Currently we are exploring solutions to avoid this security threat. The first 
thing you should do is to
-not use long-lived credentials to connect to your cloud account. Instead rely 
on OIDC for short-lived
-credentials to minimise the exposure from this threat. Secondly its important 
to ensure that only trusted
-individuals are allowed to update the terraform code. We are also working on 
additional solutions to secure
-against this threat. For more details and to engage in the discussion please 
take a look at this github issue:
-https://github.com/diggerhq/digger/issues/1530
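Review bot: Deleting this page drops the link to https://github.com/diggerhq/digger/issues/1530 and the statement that further mitigations are still being explored; the replacement in docs/ce/security/overview.mdx condenses the threat into a single `<Warning>` without that reference. Carry the issue link over, and check navigation: the docs.json hunk in this diff only adds the new Security group, so any existing entry or inbound link for `ce/securing-digger/external-provider` needs removing or redirecting.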
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/docs/ce/security/overview.mdx 
new/digger-cli-0.6.145/docs/ce/security/overview.mdx
--- old/digger-cli-0.6.144/docs/ce/security/overview.mdx        1970-01-01 
01:00:00.000000000 +0100
+++ new/digger-cli-0.6.145/docs/ce/security/overview.mdx        2026-05-05 
00:47:58.000000000 +0200
@@ -0,0 +1,127 @@
+---
+title: "Security overview"
+description: "Security considerations for self-hosted OpenTaco deployments."
+---
+
+If you run OpenTaco on a shared server, or within a network that hosts other 
services, those services may be vulnerable to exploitation by proxy or other 
means.
+
+This is a non-exhaustive list of security considerations when running the 
self-hosted version of OpenTaco. For deployment options, see [Self-hosting with 
Docker Compose](/self-hosting/docker-compose).
+
+## Credential security
+
+Prefer short-lived credentials over static keys. Digger supports OIDC-based 
authentication for both AWS and GCP, which eliminates the need to store 
long-lived access keys as CI secrets.
+
+<Tabs>
+  <Tab title="AWS">
+    Use `aws-role-to-assume` with `id-token: write` permissions instead of 
`AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`.
+
+    See [AWS: Authenticate with 
OIDC](/ce/cloud-providers/authenticating-with-oidc-on-aws) for setup.
+  </Tab>
+  <Tab title="GCP">
+    Use Workload Identity Federation with a service account binding instead of 
a service account key file.
+
+    See [GCP: Federated OIDC access](/ce/gcp/federated-oidc-access) for setup.
+  </Tab>
+</Tabs>
+
+For multi-account setups, assign per-project IAM roles so each project only 
has access to its own infrastructure:
+
+```yaml
+projects:
+  - name: prod
+    dir: prod
+    aws_role_to_assume:
+      state: "arn:aws:iam::ACCOUNT_ID:role/digger-state-prod"
+      command: "arn:aws:iam::ACCOUNT_ID:role/digger-apply-prod"
+      aws_role_region: us-east-1
+```
+
+See [Project-level roles](/ce/howto/project-level-roles) and [Segregate cloud 
accounts](/ce/howto/segregate-cloud-accounts).
+
+<Warning>
+  Terraform supports `data` blocks and external providers that can execute 
arbitrary code inside your CI runner. A contributor with write access to your 
Terraform code could use this to exfiltrate CI environment variables, including 
cloud credentials. Mitigate by enforcing OIDC (short-lived credentials) and 
restricting who can merge Terraform changes.
+</Warning>
+
+## Access control
+
+Control who can trigger applies and under what conditions.
+
+**Apply requirements** gate applies on PR state. For production projects, 
require both approval and an up-to-date branch:
+
+```yaml
+projects:
+  - name: prod
+    dir: prod
+    apply_requirements: [mergeable, approved, undiverged]
+```
+
+See [Apply requirements](/ce/howto/apply-requirements) for all options.
+
+**CODEOWNERS** ensures the right team reviews changes before Digger allows an 
apply. Since Digger checks GitHub's mergeability status before applying, 
CODEOWNERS enforcement requires no additional Digger configuration — only a 
branch protection rule on your default branch with "Require review from Code 
Owners" enabled.
+
+See [Codeowners integration](/ce/howto/codeowners).
+
+**Auth methods** for the self-hosted orchestrator backend — use JWT auth (via 
Frontegg) for production. Basic auth is convenient for testing but not 
recommended for production workloads.
+
+See [Auth methods](/ce/self-host/auth-methods).
+
+**RBAC** for Terraform state access is available in the state management 
backend when using S3 storage. Scope permissions to specific directories using 
resource paths like `dev/*` or `myapp/prod`.
+
+See [RBAC](/ce/state-management/rbac).
+
+## Secret handling
+
+Prevent sensitive values from appearing in Terraform plan output and PR 
comments using `filter_regex`:
+
+```yaml
+workflows:
+  default:
+    plan:
+      filter_regex: "((?i)secret:\\s\"?)[^\"]+"
+      steps:
+        - init
+        - plan
+```
+
+Any match is replaced with `<REDACTED>` in logs and PR comments. See [Masking 
sensitive values](/ce/howto/masking-sensitive-values).
+
+## Kubernetes
+
+When deploying with Helm, do not set secret values inline in your chart values 
file for production deployments. Pre-create Kubernetes secrets and reference 
them:
+
+```yaml
+# values-opentaco.yaml
+ui:
+  useExistingSecret: true
+  existingSecretName: ui-secrets
+```
+
+Create the secrets from your env files:
+
+```bash
+kubectl create secret generic ui-secrets \
+  --from-env-file=helm-charts/secrets-example/ui.env \
+  -n opentaco --dry-run=client -o yaml | kubectl apply -f -
+```
+
+Use the [External Secrets Operator](https://external-secrets.io/) or your 
organization's preferred secret lifecycle tool (Vault, AWS Secrets Manager, 
etc.) to manage rotation.
+
+Keep the `opentaco` and `traefik` namespaces isolated. The platform reference 
chart is a quickstart baseline — it is not a production-hardening blueprint.
+
+<Note>
+  To run Digger jobs inside your cluster's VPC, use the [Actions Runner 
Controller (ARC)](https://github.com/actions/actions-runner-controller) to 
provision GitHub Actions self-hosted runners directly in Kubernetes. See 
[Private runners](/ce/features/private-runners).
+</Note>
+
+## Related
+
+- [AWS: Authenticate with 
OIDC](/ce/cloud-providers/authenticating-with-oidc-on-aws)
+- [GCP: Federated OIDC access](/ce/gcp/federated-oidc-access)
+- [Project-level roles](/ce/howto/project-level-roles)
+- [Segregate cloud accounts](/ce/howto/segregate-cloud-accounts)
+- [Apply requirements](/ce/howto/apply-requirements)
+- [Codeowners integration](/ce/howto/codeowners)
+- [Auth methods](/ce/self-host/auth-methods)
+- [RBAC](/ce/state-management/rbac)
+- [Masking sensitive values](/ce/howto/masking-sensitive-values)
+- [Private runners](/ce/features/private-runners)
+- [Self-hosting on Kubernetes](/self-hosting/kubernetes)
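Review bot: In the `filter_regex` example under "Secret handling", the value part `[^\"]+` is bounded only by the next double quote, and the opening quote is optional (`\"?`), so for an unquoted value the match is not limited to the value itself. The pattern also covers only the literal key `secret:` followed by a single whitespace character. Suggest stating both limits next to the example, and telling readers to extend the pattern for the key names their plans actually print (for example `password` or `token`) and to check the redaction against a sample plan.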
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/docs/docs.json 
new/digger-cli-0.6.145/docs/docs.json
--- old/digger-cli-0.6.144/docs/docs.json       2026-03-24 02:40:13.000000000 
+0100
+++ new/digger-cli-0.6.145/docs/docs.json       2026-05-05 00:47:58.000000000 
+0200
@@ -146,6 +146,12 @@
             ]
           },
           {
+            "group": "Security",
+            "pages": [
+              "ce/security/overview"
+            ]
+          },
+          {
             "group": "PR Automation",
             "pages": [
               "ce/features/overview",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/docs/self-hosting/kubernetes.mdx 
new/digger-cli-0.6.145/docs/self-hosting/kubernetes.mdx
--- old/digger-cli-0.6.144/docs/self-hosting/kubernetes.mdx     2026-03-24 
02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/docs/self-hosting/kubernetes.mdx     2026-05-05 
00:47:58.000000000 +0200
@@ -68,7 +68,7 @@
     If you deployed the platform reference chart, you can also start from:
 
     ```bash
-    cp helm-charts/opentaco/helm.platform-reference.yaml values-opentaco.yaml
+    cp helm-charts/opentaco/values.platform-reference.yaml values-opentaco.yaml
     ```
 
     Skeleton structure for `values-opentaco.yaml`:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/drift/controllers/drift.go 
new/digger-cli-0.6.145/drift/controllers/drift.go
--- old/digger-cli-0.6.144/drift/controllers/drift.go   2026-03-24 
02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/drift/controllers/drift.go   2026-05-05 
00:47:58.000000000 +0200
@@ -82,6 +82,16 @@
                c.JSON(http.StatusInternalServerError, gin.H{"error": 
fmt.Sprintf("could not find project %v in digger.yml", theProject)})
                return
        }
+
+       // Apply drift include/exclude patterns from generate_projects config
+       if len(config.DriftIncludePatterns) > 0 || 
len(config.DriftExcludePatterns) > 0 {
+               if 
!dg_configuration.MatchIncludeExcludePatternsToFile(theProject.Dir, 
config.DriftIncludePatterns, config.DriftExcludePatterns) {
+                       log.Printf("Project %v dir %v excluded by drift 
patterns, skipping", project.Name, theProject.Dir)
+                       c.String(http.StatusOK, "project excluded by drift 
patterns")
+                       return
+               }
+       }
+
        projects := []dg_configuration.Project{*theProject}
 
        jobsForImpactedProjects, err := generic.CreateJobsForProjects(projects, 
command, "drift", repoFullName, "digger", config.Workflows, &issueNumber, nil, 
branch, branch, false)
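Review bot: The excluded-project branch answers with `c.String(http.StatusOK, ...)` while the not-found branch directly above it uses `c.JSON` with a `gin.H` body, so a caller can tell a skipped project from a scheduled one only by parsing free text. Suggest returning JSON with an explicit field for the skip. The log line also mixes `project.Name` with `theProject.Dir`; taking both from `theProject` would tie the message to the object that was actually matched.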
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/libs/ci/github/github.go 
new/digger-cli-0.6.145/libs/ci/github/github.go
--- old/digger-cli-0.6.144/libs/ci/github/github.go     2026-03-24 
02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/libs/ci/github/github.go     2026-05-05 
00:47:58.000000000 +0200
@@ -10,6 +10,7 @@
 
        "github.com/diggerhq/digger/libs/ci"
        "github.com/diggerhq/digger/libs/ci/generic"
+       "github.com/diggerhq/digger/libs/comment_utils"
        "github.com/diggerhq/digger/libs/scheduler"
 
        "github.com/diggerhq/digger/libs/digger_config"
@@ -349,11 +350,13 @@
        // 422 Validation Failed [{Resource:Status Field:description 
Code:custom Message:description is too long (maximum is 140 characters)}]
        // since description isn't shown in ui setting to blank for now
        description := ""
+       targetURl := comment_utils.GetWorkflowUrl()
 
        _, _, err = svc.Client.Repositories.CreateStatus(context.Background(), 
svc.Owner, svc.RepoName, *pr.Head.SHA, &github.RepoStatus{
                State:       &status,
                Context:     &statusContext,
                Description: &description,
+               TargetURL:   &targetURl,
        })
        return err
 }
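Review bot: `targetURl` in the new assignment should be `targetURL`, following Go initialism casing and matching the `TargetURL` field it feeds. The return value of `comment_utils.GetWorkflowUrl()` is also passed through unchecked; if it can be empty, leave `TargetURL` nil in that case rather than sending a pointer to an empty string.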
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/libs/digger_config/config.go 
new/digger-cli-0.6.145/libs/digger_config/config.go
--- old/digger-cli-0.6.144/libs/digger_config/config.go 2026-03-24 
02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/libs/digger_config/config.go 2026-05-05 
00:47:58.000000000 +0200
@@ -31,6 +31,8 @@
        TraverseToNestedProjects      bool
        Reporting                     ReporterConfig
        ReportTerraformOutputs        bool
+       DriftExcludePatterns          []string
+       DriftIncludePatterns          []string
 }
 
 type ReporterConfig struct {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/libs/digger_config/converters.go 
new/digger-cli-0.6.145/libs/digger_config/converters.go
--- old/digger-cli-0.6.144/libs/digger_config/converters.go     2026-03-24 
02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/libs/digger_config/converters.go     2026-05-05 
00:47:58.000000000 +0200
@@ -292,6 +292,11 @@
                diggerConfig.MentionDriftedProjectsInPR = false
        }
 
+       if diggerYaml.GenerateProjectsConfig != nil {
+               diggerConfig.DriftExcludePatterns = 
diggerYaml.GenerateProjectsConfig.DriftExcludePatterns
+               diggerConfig.DriftIncludePatterns = 
diggerYaml.GenerateProjectsConfig.DriftIncludePatterns
+       }
+
        if diggerYaml.PrLocks != nil {
                diggerConfig.PrLocks = *diggerYaml.PrLocks
        } else {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/libs/digger_config/yaml.go 
new/digger-cli-0.6.145/libs/digger_config/yaml.go
--- old/digger-cli-0.6.144/libs/digger_config/yaml.go   2026-03-24 
02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/libs/digger_config/yaml.go   2026-05-05 
00:47:58.000000000 +0200
@@ -159,6 +159,8 @@
        TerragruntParsingConfig *TerragruntParsingConfig    
`yaml:"terragrunt_parsing,omitempty"`
        AwsRoleToAssume         *AssumeRoleForProjectConfig 
`yaml:"aws_role_to_assume,omitempty"`
        AwsCognitoOidcConfig    *AwsCognitoOidcConfig       
`yaml:"aws_cognito_oidc,omitempty"`
+       DriftExcludePatterns    []string                    
`yaml:"drift_exclude_patterns,omitempty"`
+       DriftIncludePatterns    []string                    
`yaml:"drift_include_patterns,omitempty"`
 }
 
 type TerragruntParsingConfig struct {
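Review bot: The two new fields `drift_exclude_patterns` and `drift_include_patterns` carry no comment on what they are matched against or which list wins when both match. The drift controller in this same update passes them together with `theProject.Dir` to `MatchIncludeExcludePatternsToFile`, so a short comment saying the patterns apply to the project directory, plus the include/exclude precedence, would save readers a trip into the matcher.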
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/README.md 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/README.md
--- old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/README.md        
2026-03-24 02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/README.md        
2026-05-05 00:47:58.000000000 +0200
@@ -68,7 +68,7 @@
 
 ```yaml
 global:
-  imageRegistry: ghcr.io/diggerhq/digger  # ✅ Public registry (no auth needed)
+  imageRegistry: ghcr.io/diggerhq  # ✅ Public registry (no auth needed)
   # Or use your private registry:
   # imageRegistry: us-central1-docker.pkg.dev/YOUR-PROJECT/YOUR-REPO
 ```
@@ -159,7 +159,7 @@
 kubectl create secret generic ui-secrets \
   --from-env-file=.secrets/ui.env -n opentaco
 
-kubectl create secret generic backend-secrets \
+kubectl create secret generic taco-orchestrator-secrets \
   --from-env-file=.secrets/digger-backend.env -n opentaco
 
 kubectl create secret generic statesman-secrets \
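Review bot: The secret is renamed from `backend-secrets` to `taco-orchestrator-secrets` in this command with no upgrade note, and the env file it is built from is still `.secrets/digger-backend.env`. If the chart now expects the new name, existing installs need the secret recreated before upgrading; suggest a line in the "Upgrading" section saying so, and recommending that the old secret be deleted afterwards so the credentials do not linger in the namespace.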
@@ -281,10 +281,10 @@
 kubectl get pods -n opentaco
 
 # Check logs
-kubectl logs -f deployment/opentaco-statesman -n opentaco -c statesman
+kubectl logs -f deployment/opentaco-taco-statesman -n opentaco -c statesman
 
 # Access UI locally
-kubectl port-forward svc/opentaco-ui 3030:3030 -n opentaco
+kubectl port-forward svc/opentaco-taco-ui 3030:3030 -n opentaco
 open http://localhost:3030
 ```
 
@@ -294,19 +294,21 @@
 
 ```bash
 # From within the cluster:
-http://opentaco-digger-backend-web:3000
-http://opentaco-drift:3004
-http://opentaco-statesman:8080
-http://opentaco-ui:3030
+http://opentaco-taco-orchestrator-web:3000
+http://opentaco-taco-drift:3004
+http://opentaco-taco-statesman:8080
+http://opentaco-taco-ui:3030
 ```
 
 These URLs are configured in `ui.env`:
 ```bash
-ORCHESTRATOR_BACKEND_URL="http://opentaco-digger-backend-web:3000";
-DRIFT_REPORTING_BACKEND_URL="http://opentaco-drift:3004";
-STATESMAN_BACKEND_URL="http://opentaco-statesman:8080";
+ORCHESTRATOR_BACKEND_URL="http://opentaco-taco-orchestrator-web:3000";
+DRIFT_REPORTING_BACKEND_URL="http://opentaco-taco-drift:3004";
+STATESMAN_BACKEND_URL="http://opentaco-taco-statesman:8080";
 ```
 
+If you install with a release name other than `opentaco`, adjust these 
hostnames to match that release prefix.
+
 ## Upgrading
 
 ```bash
@@ -343,7 +345,7 @@
 kubectl get secrets -n opentaco
 
 # Verify secret contents
-kubectl get secret backend-secrets -n opentaco -o jsonpath='{.data}' | jq 
'keys'
+kubectl get secret taco-orchestrator-secrets -n opentaco -o jsonpath='{.data}' 
| jq 'keys'
 ```
 
 ### Cloud SQL connection issues
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/opentaco/Chart.yaml 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/opentaco/Chart.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/opentaco/Chart.yaml  
    2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/opentaco/Chart.yaml  
    2026-05-05 00:47:58.000000000 +0200
@@ -2,7 +2,7 @@
 name: opentaco
 description: OpenTaco - Complete Infrastructure-as-Code platform deployment
 type: application
-version: 0.1.1-public
+version: 0.1.2-public
 appVersion: "0.1.0"
 
 # Umbrella chart that deploys all OpenTaco components
@@ -17,7 +17,7 @@
 dependencies:
   # Taco Orchestrator - terraform orchestration backend
   - name: taco-orchestrator
-    version: "0.1.1-public"
+    version: "0.1.2-public"
     repository: "oci://ghcr.io/diggerhq/helm-charts"
     condition: taco-orchestrator.enabled
     tags:
@@ -25,7 +25,7 @@
 
   # Taco Statesman - IaC state management  
   - name: taco-statesman
-    version: "0.1.1-public"
+    version: "0.1.2-public"
     repository: "oci://ghcr.io/diggerhq/helm-charts"
     condition: taco-statesman.enabled
     tags:
@@ -33,7 +33,7 @@
 
   # Taco Sidecar - sandbox sidecar service
   - name: taco-sidecar
-    version: "0.1.3-public"
+    version: "0.1.4-public"
     repository: "oci://ghcr.io/diggerhq/helm-charts"
     condition: taco-sidecar.enabled
     tags:
@@ -41,7 +41,7 @@
 
   # Token Service - API token management
   - name: taco-token-service
-    version: "0.1.1-public"
+    version: "0.1.2-public"
     repository: "oci://ghcr.io/diggerhq/helm-charts"
     condition: taco-token-service.enabled
     tags:
@@ -49,7 +49,7 @@
 
   # Drift Detection
   - name: taco-drift
-    version: "0.1.1-public"
+    version: "0.1.2-public"
     repository: "oci://ghcr.io/diggerhq/helm-charts"
     condition: taco-drift.enabled
     tags:
@@ -57,7 +57,7 @@
 
   # Taco UI - React frontend
   - name: taco-ui
-    version: "0.1.2-public"
+    version: "0.1.3-public"
     repository: "oci://ghcr.io/diggerhq/helm-charts"
     condition: taco-ui.enabled
     tags:
@@ -73,4 +73,3 @@
   - iac
   - opentaco
   - digger
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/opentaco/helm.platform-reference.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/opentaco/helm.platform-reference.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/opentaco/helm.platform-reference.yaml
    2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/opentaco/helm.platform-reference.yaml
    1970-01-01 01:00:00.000000000 +0100
@@ -1,100 +0,0 @@
-# This values file is intended to be used together with the
-# `opentaco-platform-reference` chart. It contains overrides aligned with
-# the platform reference CloudNativePG and MinIO resources.
-
-global:
-  imageRegistry: ghcr.io/diggerhq
-
-taco-orchestrator:
-  digger:
-    image:
-      repository: digger_backend
-    cloudSql:
-      enabled: false
-    config:
-      loadProjectsOnPush: true
-      backgroundJobsClientType: local-exec
-      projectsRefreshBin: /app/projects_refesh_main
-    postgres:
-      host: postgresql-shared-rw.opentaco.svc.cluster.local
-      port: "5432"
-      user: orchestrator
-      database: orchestrator
-      sslmode: disable
-      existingSecretName: postgresql-orchestrator-app
-      existingSecretKey: password
-
-taco-statesman:
-  taco:
-    # Public URL used in Terraform Cloud snippets and signed URLs.
-    # Replace with your externally reachable host.
-    image:
-      repository: digger/taco-statesman
-    publicBaseUrl: https://your-domain.com
-    # OPENTACO_SECRET_KEY is required in statesman-secrets for signed URL 
flows.
-    storage:
-      type: s3
-      s3:
-        bucket: opentaco
-        region: us-east-1
-        endpoint: http://minio.opentaco.svc.cluster.local:9000
-        accessKeyId: minioadmin
-        secretAccessKey: change-me-minio-password
-        awsRegion: us-east-1
-    queryBackend: postgres
-    allowXForwardedFor: true
-    postgres:
-      host: postgresql-shared-rw.opentaco.svc.cluster.local
-      port: "5432"
-      user: statesman
-      database: statesman
-      sslmode: disable
-      existingSecretName: postgresql-statesman-app
-      existingSecretKey: password
-    cloudSql:
-      enabled: false
-
-taco-token-service:
-  tokenService:
-    image:
-      repository: digger/taco-token-service
-    secret:
-      useExistingSecret: false
-    database:
-      backend: postgres
-      postgres:
-        host: postgresql-shared-rw.opentaco.svc.cluster.local
-        port: 5432
-        user: token
-        dbname: token
-        sslmode: disable
-        secretName: postgresql-token-app
-        secretKey: password
-    cloudSql:
-      enabled: false
-
-taco-drift:
-  drift:
-    image:
-      repository: digger/drift
-    # Drift needs hostnames in drift-secrets:
-    # - DIGGER_APP_URL=https://your-domain.com
-    # - DIGGER_HOSTNAME=http://opentaco-taco-drift:3004
-    # - DIGGER_DRIFT_REPORTER_HOSTNAME=https://your-domain.com
-    cronjobs:
-      enabled: true
-
-taco-ui:
-  ui:
-    image:
-      repository: digger/taco-ui
-
-taco-sidecar:
-  enabled: true
-  sidecar:
-    secret:
-      useExistingSecret: false
-      # existingSecretName: opentaco-taco-sidecar-secrets
-      sandboxRunner: e2b
-      e2bApiKey: E2B_API_KEY_PLACEHOLDER
-      e2bBareBonesTemplateId: E2B_TEMPLATE_ID_PLACEHOLDER
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/opentaco/values-production.yaml.example
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/opentaco/values-production.yaml.example
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/opentaco/values-production.yaml.example
  2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/opentaco/values-production.yaml.example
  2026-05-05 00:47:58.000000000 +0200
@@ -2,7 +2,7 @@
 # Copy this file and customize for your environment.
 
 global:
-  imageRegistry: ghcr.io/diggerhq/digger
+  imageRegistry: ghcr.io/diggerhq
   imagePullPolicy: IfNotPresent
 
 # ============================================================================
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/opentaco/values-test.yaml.example
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/opentaco/values-test.yaml.example
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/opentaco/values-test.yaml.example
        2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/opentaco/values-test.yaml.example
        2026-05-05 00:47:58.000000000 +0200
@@ -5,7 +5,7 @@
 # Global Configuration
 # ============================================================================
 global:
-  imageRegistry: ghcr.io/diggerhq/digger
+  imageRegistry: ghcr.io/diggerhq
   imagePullPolicy: IfNotPresent
   # Note: imagePullSecrets not needed for public GHCR images
   # imagePullSecrets:
@@ -80,4 +80,3 @@
       allowedHosts: "localhost" 
     ingress:
       enabled: false  # Using port-forward for testing
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/opentaco/values.platform-reference.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/opentaco/values.platform-reference.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/opentaco/values.platform-reference.yaml
  1970-01-01 01:00:00.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/opentaco/values.platform-reference.yaml
  2026-05-05 00:47:58.000000000 +0200
@@ -0,0 +1,100 @@
+# This values file is intended to be used together with the
+# `opentaco-platform-reference` chart. It contains overrides aligned with
+# the platform reference CloudNativePG and MinIO resources.
+
+global:
+  imageRegistry: ghcr.io/diggerhq
+
+taco-orchestrator:
+  digger:
+    image:
+      repository: digger_backend
+    cloudSql:
+      enabled: false
+    config:
+      loadProjectsOnPush: true
+      backgroundJobsClientType: local-exec
+      projectsRefreshBin: /app/projects_refesh_main
+    postgres:
+      host: postgresql-shared-rw.opentaco.svc.cluster.local
+      port: "5432"
+      user: orchestrator
+      database: orchestrator
+      sslmode: disable
+      existingSecretName: postgresql-orchestrator-app
+      existingSecretKey: password
+
+taco-statesman:
+  taco:
+    # Public URL used in Terraform Cloud snippets and signed URLs.
+    # Replace with your externally reachable host.
+    image:
+      repository: digger/taco-statesman
+    publicBaseUrl: https://your-domain.com
+    # OPENTACO_SECRET_KEY is required in statesman-secrets for signed URL 
flows.
+    storage:
+      type: s3
+      s3:
+        bucket: opentaco
+        region: us-east-1
+        endpoint: http://minio.opentaco.svc.cluster.local:9000
+        accessKeyId: minioadmin
+        secretAccessKey: change-me-minio-password
+        awsRegion: us-east-1
+    queryBackend: postgres
+    allowXForwardedFor: true
+    postgres:
+      host: postgresql-shared-rw.opentaco.svc.cluster.local
+      port: "5432"
+      user: statesman
+      database: statesman
+      sslmode: disable
+      existingSecretName: postgresql-statesman-app
+      existingSecretKey: password
+    cloudSql:
+      enabled: false
+
+taco-token-service:
+  tokenService:
+    image:
+      repository: digger/taco-token-service
+    secret:
+      useExistingSecret: false
+    database:
+      backend: postgres
+      postgres:
+        host: postgresql-shared-rw.opentaco.svc.cluster.local
+        port: 5432
+        user: token
+        dbname: token
+        sslmode: disable
+        secretName: postgresql-token-app
+        secretKey: password
+    cloudSql:
+      enabled: false
+
+taco-drift:
+  drift:
+    image:
+      repository: digger/drift
+    # Drift needs hostnames in drift-secrets:
+    # - DIGGER_APP_URL=https://your-domain.com
+    # - DIGGER_HOSTNAME=http://opentaco-taco-drift:3004
+    # - DIGGER_DRIFT_REPORTER_HOSTNAME=https://your-domain.com
+    cronjobs:
+      enabled: true
+
+taco-ui:
+  ui:
+    image:
+      repository: digger/taco-ui
+
+taco-sidecar:
+  enabled: true
+  sidecar:
+    secret:
+      useExistingSecret: false
+      # existingSecretName: opentaco-taco-sidecar-secrets
+      sandboxRunner: e2b
+      e2bApiKey: E2B_API_KEY_PLACEHOLDER
+      e2bBareBonesTemplateId: E2B_TEMPLATE_ID_PLACEHOLDER
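Review bot: The renamed reference values still carry credentials inline under `taco-statesman.taco.storage.s3` (`accessKeyId: minioadmin`, `secretAccessKey: change-me-minio-password`) and set `sslmode: disable` on all three Postgres connections, while the security page added in this same update tells readers not to set secret values inline for production. Suggest a header comment marking the file as quickstart-only, and moving the MinIO keys behind an existing-secret reference the way the Postgres passwords already are. `projectsRefreshBin: /app/projects_refesh_main` also reads like a misspelling of `refresh`; confirm it matches the binary name in the image.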
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/opentaco/values.yaml 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/opentaco/values.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/opentaco/values.yaml 
    2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/opentaco/values.yaml 
    2026-05-05 00:47:58.000000000 +0200
@@ -13,7 +13,11 @@
 # ============================================================================
 global:
   # Image registry for all custom images
-  imageRegistry: ghcr.io/diggerhq/digger
+  imageRegistry: ghcr.io/diggerhq
+
+  # Pod annotations applied to all subchart workloads by default.
+  # Each subchart can override these keys via its own podAnnotations map.
+  podAnnotations: {}
   
   # Image pull policy
   imagePullPolicy: IfNotPresent
@@ -45,7 +49,7 @@
   
   digger:
     image:
-      repository: digger-backend-ee
+      repository: digger_backend
       tag: "latest"
     
     replicaCount: 1
@@ -92,7 +96,7 @@
   
   taco:
     image:
-      repository: taco-statesman
+      repository: digger/taco-statesman
       tag: "latest"
     
     replicaCount: 1
@@ -142,7 +146,7 @@
   
   tokenService:
     image:
-      repository: taco-token-service
+      repository: digger/taco-token-service
       tag: "v0.1.0"
       pullPolicy: "IfNotPresent"
     
@@ -199,7 +203,7 @@
   
   drift:
     image:
-      repository: drift
+      repository: digger/drift
       tag: "latest"
     
     replicaCount: 1
@@ -246,7 +250,7 @@
   
   ui:
     image:
-      repository: taco-ui
+      repository: digger/taco-ui
       tag: "v0.1.0"
     
     replicaCount: 1
@@ -264,10 +268,12 @@
       
       # Backend service URLs (for server-side API calls)
       backends:
-        orchestratorUrl: "http://taco-orchestrator:3000";
-        driftReportingUrl: "http://taco-drift:3004";
-        statesmanUrl: "http://taco-statesman:8080";
-        tokensServiceUrl: "http://taco-token-service:8081";
+        # These defaults assume release name "opentaco".
+        # If you install with a different release name, update these hostnames.
+        orchestratorUrl: "http://opentaco-taco-orchestrator-web:3000";
+        driftReportingUrl: "http://opentaco-taco-drift:3004";
+        statesmanUrl: "http://opentaco-taco-statesman:8080";
+        tokensServiceUrl: "http://opentaco-taco-token-service:8081";
     
     ingress:
       enabled: false
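Review bot: The new `backends` defaults hard-code the `opentaco` release prefix (`http://opentaco-taco-orchestrator-web:3000` and the three entries after it), so an install under any other release name gets UI backend URLs that do not resolve unless the operator notices the two comment lines. Suggest leaving these values empty by default and deriving the hostnames from `.Release.Name` in the template when they are unset, keeping explicit values as overrides.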
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-drift/Chart.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-drift/Chart.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-drift/Chart.yaml
    2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-drift/Chart.yaml
    2026-05-05 00:47:58.000000000 +0200
@@ -2,6 +2,6 @@
 name: taco-drift
 description: Taco Drift - Automated infrastructure drift detection and 
reporting service
 type: application
-version: 0.1.1-public
+version: 0.1.2-public
 appVersion: "v0.1.0"
 icon: 
https://raw.githubusercontent.com/diggerhq/digger/main/docs/logo/digger-logo.png
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-drift/templates/cronjobs.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-drift/templates/cronjobs.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-drift/templates/cronjobs.yaml
       2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-drift/templates/cronjobs.yaml
       2026-05-05 00:47:58.000000000 +0200
@@ -5,6 +5,7 @@
 {{- else }}
 {{- $driftSecretName = printf "%s-secret" (include "digger-drift.fullname" .) 
-}}
 {{- end }}
+{{- $podAnnotations := mergeOverwrite (dict) (default (dict) 
.Values.global.podAnnotations) (default (dict) .Values.drift.podAnnotations) -}}
 apiVersion: batch/v1
 kind: CronJob
 metadata:
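Review bot: The `$podAnnotations` merge expression added at the top of this template is repeated verbatim in `deployment.yaml` of the same chart. Suggest moving it into a named template in the chart's helpers and including it from both files, so the global versus per-chart precedence is defined in one place.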
@@ -23,6 +24,10 @@
     spec:
       template:
         metadata:
+          {{- if $podAnnotations }}
+          annotations:
+            {{- toYaml $podAnnotations | nindent 12 }}
+          {{- end }}
           labels:
             app.kubernetes.io/name: {{ include "digger-drift.name" . }}
             app.kubernetes.io/instance: {{ .Release.Name }}
@@ -68,6 +73,10 @@
     spec:
       template:
         metadata:
+          {{- if $podAnnotations }}
+          annotations:
+            {{- toYaml $podAnnotations | nindent 12 }}
+          {{- end }}
           labels:
             app.kubernetes.io/name: {{ include "digger-drift.name" . }}
             app.kubernetes.io/instance: {{ .Release.Name }}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-drift/templates/deployment.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-drift/templates/deployment.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-drift/templates/deployment.yaml
     2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-drift/templates/deployment.yaml
     2026-05-05 00:47:58.000000000 +0200
@@ -11,6 +11,11 @@
       {{- include "digger-drift.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      {{- $podAnnotations := mergeOverwrite (dict) (default (dict) 
.Values.global.podAnnotations) (default (dict) .Values.drift.podAnnotations) }}
+      {{- if $podAnnotations }}
+      annotations:
+        {{- toYaml $podAnnotations | nindent 8 }}
+      {{- end }}
       labels:
         {{- include "digger-drift.selectorLabels" . | nindent 8 }}
     spec:
@@ -22,7 +27,7 @@
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
-          image: "{{ .Values.global.imageRegistry | default 
"ghcr.io/diggerhq/digger" }}/{{ .Values.drift.image.repository }}:{{ 
.Values.drift.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.drift.image.registry | default 
.Values.global.imageRegistry | default "ghcr.io/diggerhq" }}/{{ 
.Values.drift.image.repository }}:{{ .Values.drift.image.tag | default 
.Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.drift.image.pullPolicy | default 
"IfNotPresent" }}
           ports:
             - name: http
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-drift/values.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-drift/values.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-drift/values.yaml
   2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-drift/values.yaml
   2026-05-05 00:47:58.000000000 +0200
@@ -12,13 +12,19 @@
   # Note: Full registry path comes from global.imageRegistry
   # Public image: ghcr.io/diggerhq/digger/drift
   image:
-    repository: drift
+    # Optional per-chart registry override. Falls back to global.imageRegistry.
+    registry: ""
+    repository: digger/drift
     tag: "latest"
     pullPolicy: "IfNotPresent"
 
   # Number of replicas
   replicaCount: 1
 
+  # Pod annotations for drift pods.
+  # These override matching keys from global.podAnnotations.
+  podAnnotations: {}
+
   # Custom environment variables
   customEnv: []
   #   - name: MY_CUSTOM_ENV
@@ -107,3 +113,4 @@
 # Global configuration (optional)
 global:
   imagePullSecrets: []
+  podAnnotations: {}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-orchestrator/Chart.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-orchestrator/Chart.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-orchestrator/Chart.yaml
     2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-orchestrator/Chart.yaml
     2026-05-05 00:47:58.000000000 +0200
@@ -15,7 +15,7 @@
 # This is the chart version. This version number should be incremented each 
time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1-public
+version: 0.1.2-public
 
 # This is the version number of the application being deployed. This version 
number should be
 # incremented each time you make changes to the application. Versions are not 
expected to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-orchestrator/templates/backend-deployment.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-orchestrator/templates/backend-deployment.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-orchestrator/templates/backend-deployment.yaml
      2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-orchestrator/templates/backend-deployment.yaml
      2026-05-05 00:47:58.000000000 +0200
@@ -11,6 +11,11 @@
       app: {{ include "taco-orchestrator.name" . }}-web
   template:
     metadata:
+      {{- $podAnnotations := mergeOverwrite (dict) (default (dict) 
.Values.global.podAnnotations) (default (dict) .Values.digger.podAnnotations) }}
+      {{- if $podAnnotations }}
+      annotations:
+        {{- toYaml $podAnnotations | nindent 8 }}
+      {{- end }}
       labels:
         app: {{ include "taco-orchestrator.name" . }}-web
         {{- include "taco-orchestrator.selectorLabels" . | nindent 8 }}
@@ -42,7 +47,7 @@
       {{- end }}
       containers:
       - name: web
-        image: "{{ .Values.global.imageRegistry | default 
"ghcr.io/diggerhq/digger" }}/{{ .Values.digger.image.repository }}:{{ 
.Values.digger.image.tag }}"
+        image: "{{ .Values.digger.image.registry | default 
.Values.global.imageRegistry | default "ghcr.io/diggerhq" }}/{{ 
.Values.digger.image.repository }}:{{ .Values.digger.image.tag }}"
         imagePullPolicy: {{ .Values.digger.image.pullPolicy | default 
"IfNotPresent" }}
         ports:
         - name: http
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-orchestrator/tests/deployments_test.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-orchestrator/tests/deployments_test.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-orchestrator/tests/deployments_test.yaml
    2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-orchestrator/tests/deployments_test.yaml
    2026-05-05 00:47:58.000000000 +0200
@@ -39,3 +39,34 @@
             limits:
               cpu: "500m"
               memory: "200Mi"
+
+  - it: should combine global imageRegistry with unqualified repository
+    set:
+      global.imageRegistry: registry.example.com/acme
+      digger.image.repository: digger_backend
+      digger.image.tag: v1.2.3
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: registry.example.com/acme/digger_backend:v1.2.3
+
+  - it: should prefer digger image registry over global imageRegistry
+    set:
+      global.imageRegistry: registry.example.com/global
+      digger.image.registry: registry.example.com/service
+      digger.image.repository: digger_backend
+      digger.image.tag: v1.2.3
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: registry.example.com/service/digger_backend:v1.2.3
+
+  - it: should always combine registry and repository path
+    set:
+      global.imageRegistry: registry.example.com/acme
+      digger.image.repository: diggerhq/digger_backend
+      digger.image.tag: v1.2.3
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: registry.example.com/acme/diggerhq/digger_backend:v1.2.3
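Review bot: all three added cases set `global.imageRegistry`, so the path where neither registry value is set and the template falls back to `ghcr.io/diggerhq` is not asserted, and that default is the behaviour this release changes. Add a case with no registry in `set` that checks the rendered image against the chart defaults, and one for the new pod annotations that sets the same key in `global.podAnnotations` and `digger.podAnnotations` and asserts that the `digger` value wins.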
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-orchestrator/values.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-orchestrator/values.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-orchestrator/values.yaml
    2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-orchestrator/values.yaml
    2026-05-05 00:47:58.000000000 +0200
@@ -12,13 +12,19 @@
   replicaCount: 1
 
   # Image configuration
-  # Note: Full registry path comes from global.imageRegistry
-  # Public image: ghcr.io/diggerhq/digger/digger-backend-ee
+  # Repository path is combined with 
digger.image.registry/global.imageRegistry.
+  # Example rendered image: ghcr.io/diggerhq/digger_backend:latest
   image:
-    repository: digger-backend-ee
+    # Optional per-chart registry override. Falls back to global.imageRegistry.
+    registry: ""
+    repository: digger_backend
     tag: "latest"
     pullPolicy: IfNotPresent
 
+  # Pod annotations for orchestrator pods.
+  # These override matching keys from global.podAnnotations.
+  podAnnotations: {}
+
   # RBAC configuration for Job spawning
   # The orchestrator needs permissions to create and manage Kubernetes Jobs
   rbac:
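Review bot: the default `repository` moves from `digger-backend-ee` to `digger_backend` while `tag: "latest"` and `pullPolicy: IfNotPresent` are left as they were, so a release upgraded on default values starts pulling a different image with no pinned version, and nodes that already cache a `latest` will not re-pull it. This deserves an upgrade note in the chart, and a default tag tied to a released version would make the rendered reference reproducible. The new comment's example `ghcr.io/diggerhq/digger_backend:latest` matches what the template renders from these defaults.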
@@ -177,3 +183,4 @@
 # Global configuration (optional)
 global:
   imagePullSecrets: []
+  podAnnotations: {}
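Review bot: the `global:` block shown here documents `imagePullSecrets` and now `podAnnotations`, but not `imageRegistry`, although the Deployment template reads `.Values.global.imageRegistry` and the new image comment refers to it. Declaring `imageRegistry: ""` next to `podAnnotations: {}` would make the supported override discoverable from values.yaml.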
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-sidecar/Chart.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-sidecar/Chart.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-sidecar/Chart.yaml
  2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-sidecar/Chart.yaml
  2026-05-05 00:47:58.000000000 +0200
@@ -2,7 +2,7 @@
 name: taco-sidecar
 description: Sandbox sidecar service for OpenTaco remote Terraform/OpenTofu 
runs
 type: application
-version: 0.1.3-public
+version: 0.1.4-public
 appVersion: "0.1.0.1"
 keywords:
   - terraform
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-sidecar/templates/deployment.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-sidecar/templates/deployment.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-sidecar/templates/deployment.yaml
   2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-sidecar/templates/deployment.yaml
   2026-05-05 00:47:58.000000000 +0200
@@ -11,12 +11,17 @@
       {{- include "taco-sidecar.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      {{- $podAnnotations := mergeOverwrite (dict) (default (dict) 
.Values.global.podAnnotations) (default (dict) .Values.sidecar.podAnnotations) 
}}
+      {{- if $podAnnotations }}
+      annotations:
+        {{- toYaml $podAnnotations | nindent 8 }}
+      {{- end }}
       labels:
         {{- include "taco-sidecar.selectorLabels" . | nindent 8 }}
     spec:
       containers:
       - name: sidecar
-        image: "{{ .Values.sidecar.image.repository }}:{{ 
.Values.sidecar.image.tag }}"
+        image: "{{ .Values.sidecar.image.registry | default 
.Values.global.imageRegistry | default "ghcr.io/diggerhq" }}/{{ 
.Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}"
         imagePullPolicy: {{ .Values.sidecar.image.pullPolicy }}
         ports:
         - name: http
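Review bot: the removed `image:` line took the whole reference from `sidecar.image.repository`, and the new line always prefixes a registry, so an existing values file that keeps a fully qualified repository such as `ghcr.io/diggerhq/sandbox-sidecar` now renders `ghcr.io/diggerhq/ghcr.io/diggerhq/sandbox-sidecar:<tag>`. Call this out as a breaking change in the chart notes for 0.1.4-public, or have the template fail with a clear message when the repository already contains a registry host.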
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-sidecar/values.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-sidecar/values.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-sidecar/values.yaml
 2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-sidecar/values.yaml
 2026-05-05 00:47:58.000000000 +0200
@@ -1,11 +1,17 @@
 sidecar:
   image:
-    repository: ghcr.io/diggerhq/sandbox-sidecar
+    # Optional per-chart registry override. Falls back to global.imageRegistry.
+    registry: ""
+    repository: sandbox-sidecar
     tag: "latest"
     pullPolicy: IfNotPresent
 
   replicaCount: 1
 
+  # Pod annotations for sidecar pods.
+  # These override matching keys from global.podAnnotations.
+  podAnnotations: {}
+
   service:
     type: ClusterIP
     port: 9100
@@ -51,3 +57,7 @@
   nodeSelector: {}
   tolerations: []
   affinity: {}
+
+global:
+  imageRegistry: ""
+  podAnnotations: {}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-statesman/Chart.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-statesman/Chart.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-statesman/Chart.yaml
        2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-statesman/Chart.yaml
        2026-05-05 00:47:58.000000000 +0200
@@ -2,6 +2,6 @@
 name: taco-statesman
 description: Taco Statesman - Infrastructure-as-Code state management and 
coordination service
 type: application
-version: 0.1.1-public
+version: 0.1.2-public
 appVersion: "v0.1.0"
 icon: 
https://raw.githubusercontent.com/diggerhq/digger/main/docs/logo/digger-logo.png
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-statesman/templates/deployment.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-statesman/templates/deployment.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-statesman/templates/deployment.yaml
 2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-statesman/templates/deployment.yaml
 2026-05-05 00:47:58.000000000 +0200
@@ -11,6 +11,11 @@
       {{- include "taco-statesman.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      {{- $podAnnotations := mergeOverwrite (dict) (default (dict) 
.Values.global.podAnnotations) (default (dict) .Values.taco.podAnnotations) }}
+      {{- if $podAnnotations }}
+      annotations:
+        {{- toYaml $podAnnotations | nindent 8 }}
+      {{- end }}
       labels:
         {{- include "taco-statesman.selectorLabels" . | nindent 8 }}
     spec:
@@ -25,7 +30,7 @@
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
-          image: "{{ .Values.global.imageRegistry | default 
"ghcr.io/diggerhq/digger" }}/{{ .Values.taco.image.repository }}:{{ 
.Values.taco.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.taco.image.registry | default 
.Values.global.imageRegistry | default "ghcr.io/diggerhq" }}/{{ 
.Values.taco.image.repository }}:{{ .Values.taco.image.tag | default 
.Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.taco.image.pullPolicy | default 
"IfNotPresent" }}
           ports:
             - name: http
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-statesman/values.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-statesman/values.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-statesman/values.yaml
       2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-statesman/values.yaml
       2026-05-05 00:47:58.000000000 +0200
@@ -12,13 +12,19 @@
   # Note: Full registry path comes from global.imageRegistry
   # Public image: ghcr.io/diggerhq/digger/taco-statesman
   image:
-    repository: taco-statesman
+    # Optional per-chart registry override. Falls back to global.imageRegistry.
+    registry: ""
+    repository: digger/taco-statesman
     tag: "latest"
     pullPolicy: "IfNotPresent"
 
   # Number of replicas
   replicaCount: 1
 
+  # Pod annotations for statesman pods.
+  # These override matching keys from global.podAnnotations.
+  podAnnotations: {}
+
   # Service configuration
   # Creates: OPENTACO_PORT (set automatically from port)
   service:
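Review bot: the two comment lines kept as context at the top of this hunk ("Full registry path comes from global.imageRegistry" and "Public image: ghcr.io/diggerhq/digger/taco-statesman") no longer describe the layout, since the registry can now come from `taco.image.registry` and the `digger/` segment has moved into `repository`. Update them in the same change so an operator mirroring the image knows which part of the path belongs in which key.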
@@ -154,3 +160,4 @@
 # Global configuration (optional)
 global:
   imagePullSecrets: []
+  podAnnotations: {}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-token-service/Chart.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-token-service/Chart.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-token-service/Chart.yaml
    2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-token-service/Chart.yaml
    2026-05-05 00:47:58.000000000 +0200
@@ -2,6 +2,6 @@
 name: taco-token-service
 description: A Helm chart for Taco Token Service
 type: application
-version: 0.1.1-public
+version: 0.1.2-public
 appVersion: "v0.1.0"
 icon: 
https://raw.githubusercontent.com/diggerhq/digger/main/docs/logo/digger-logo.png
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-token-service/templates/deployment.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-token-service/templates/deployment.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-token-service/templates/deployment.yaml
     2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-token-service/templates/deployment.yaml
     2026-05-05 00:47:58.000000000 +0200
@@ -11,6 +11,11 @@
       {{- include "taco-token-service.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      {{- $podAnnotations := mergeOverwrite (dict) (default (dict) 
.Values.global.podAnnotations) (default (dict) 
.Values.tokenService.podAnnotations) }}
+      {{- if $podAnnotations }}
+      annotations:
+        {{- toYaml $podAnnotations | nindent 8 }}
+      {{- end }}
       labels:
         {{- include "taco-token-service.selectorLabels" . | nindent 8 }}
     spec:
@@ -19,7 +24,7 @@
       {{- end }}
       containers:
         - name: token-service
-          image: "{{ .Values.global.imageRegistry | default 
"ghcr.io/diggerhq/digger" }}/{{ .Values.tokenService.image.repository }}:{{ 
.Values.tokenService.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.tokenService.image.registry | default 
.Values.global.imageRegistry | default "ghcr.io/diggerhq" }}/{{ 
.Values.tokenService.image.repository }}:{{ .Values.tokenService.image.tag | 
default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.tokenService.image.pullPolicy | default 
"IfNotPresent" }}
           ports:
             - name: http
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-token-service/values.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-token-service/values.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-token-service/values.yaml
   2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-token-service/values.yaml
   2026-05-05 00:47:58.000000000 +0200
@@ -3,13 +3,19 @@
 tokenService:
   # Image configuration
   image:
-    repository: taco-token-service
+    # Optional per-chart registry override. Falls back to global.imageRegistry.
+    registry: ""
+    repository: digger/taco-token-service
     tag: "v0.1.0"
     pullPolicy: "IfNotPresent"
 
   # Number of replicas
   replicaCount: 1
 
+  # Pod annotations for token-service pods.
+  # These override matching keys from global.podAnnotations.
+  podAnnotations: {}
+
   # Service configuration
   service:
     type: ClusterIP
@@ -59,3 +65,4 @@
 # Global configuration (optional)
 global:
   imagePullSecrets: []
+  podAnnotations: {}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-ui/Chart.yaml 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-ui/Chart.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-ui/Chart.yaml   
    2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-ui/Chart.yaml   
    2026-05-05 00:47:58.000000000 +0200
@@ -2,6 +2,6 @@
 name: taco-ui
 description: Taco UI - Web-based frontend for OpenTaco infrastructure 
management platform
 type: application
-version: 0.1.2-public
+version: 0.1.3-public
 appVersion: "v0.1.1"
 icon: 
https://raw.githubusercontent.com/diggerhq/digger/main/docs/logo/digger-logo.png
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-ui/templates/deployment.yaml
 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-ui/templates/deployment.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-ui/templates/deployment.yaml
        2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-ui/templates/deployment.yaml
        2026-05-05 00:47:58.000000000 +0200
@@ -11,6 +11,11 @@
       {{- include "taco-ui.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      {{- $podAnnotations := mergeOverwrite (dict) (default (dict) 
.Values.global.podAnnotations) (default (dict) .Values.ui.podAnnotations) }}
+      {{- if $podAnnotations }}
+      annotations:
+        {{- toYaml $podAnnotations | nindent 8 }}
+      {{- end }}
       labels:
         {{- include "taco-ui.selectorLabels" . | nindent 8 }}
     spec:
@@ -22,7 +27,7 @@
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
-          image: "{{ .Values.global.imageRegistry | default 
"ghcr.io/diggerhq/digger" }}/{{ .Values.ui.image.repository }}:{{ 
.Values.ui.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.ui.image.registry | default 
.Values.global.imageRegistry | default "ghcr.io/diggerhq" }}/{{ 
.Values.ui.image.repository }}:{{ .Values.ui.image.tag | default 
.Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.ui.image.pullPolicy | default 
"IfNotPresent" }}
           ports:
             - name: http
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-ui/values.yaml 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-ui/values.yaml
--- 
old/digger-cli-0.6.144/self-hosting/kubernetes/helm-charts/taco-ui/values.yaml  
    2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/self-hosting/kubernetes/helm-charts/taco-ui/values.yaml  
    2026-05-05 00:47:58.000000000 +0200
@@ -17,13 +17,19 @@
   # Note: Full registry path comes from global.imageRegistry
   # Public image: ghcr.io/diggerhq/digger/taco-ui
   image:
-    repository: taco-ui
+    # Optional per-chart registry override. Falls back to global.imageRegistry.
+    registry: ""
+    repository: digger/taco-ui
     tag: "latest"
     pullPolicy: "IfNotPresent"
 
   # Number of replicas
   replicaCount: 1
 
+  # Pod annotations for ui pods.
+  # These override matching keys from global.podAnnotations.
+  podAnnotations: {}
+
   # Service configuration
   # Creates: PORT (set automatically from port)
   service:
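Review bot: `tag: "latest"` stays as the default here, so the template's `| default .Chart.AppVersion` fallback never applies and the chart's `appVersion` is not what a default install deploys; combined with `pullPolicy: "IfNotPresent"`, different nodes can run different builds under the same tag. Defaulting `tag` to `""` would let the AppVersion fallback pin the image. The context comments about `global.imageRegistry` and the public image path also predate the new `registry`/`repository` split and should be updated.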
@@ -128,3 +134,4 @@
 # Global configuration (optional)
 global:
   imagePullSecrets: []
+  podAnnotations: {}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/digger-cli-0.6.144/ui/src/lib/env.server.ts 
new/digger-cli-0.6.145/ui/src/lib/env.server.ts
--- old/digger-cli-0.6.144/ui/src/lib/env.server.ts     2026-03-24 
02:40:13.000000000 +0100
+++ new/digger-cli-0.6.145/ui/src/lib/env.server.ts     2026-05-05 
00:47:58.000000000 +0200
@@ -10,6 +10,7 @@
   PUBLIC_HOSTNAME: string
   STATESMAN_BACKEND_URL: string
   WORKOS_REDIRECT_URI: string
+  ORCHESTRATOR_GITHUB_APP_URL: string
   POSTHOG_KEY?: string
   POSTHOG_HOST?: string
 }
@@ -21,6 +22,7 @@
       PUBLIC_HOSTNAME: process.env.PUBLIC_URL?.replace('https://', 
'').replace('http://', '') ?? '',
       STATESMAN_BACKEND_URL: process.env.STATESMAN_BACKEND_URL ?? '',
       WORKOS_REDIRECT_URI: process.env.WORKOS_REDIRECT_URI ?? '',
+      ORCHESTRATOR_GITHUB_APP_URL: process.env.ORCHESTRATOR_GITHUB_APP_URL ?? 
'',
       POSTHOG_KEY: process.env.POSTHOG_KEY || 
process.env.NEXT_PUBLIC_POSTHOG_KEY || process.env.VITE_PUBLIC_POSTHOG_KEY || 
'',
       POSTHOG_HOST: process.env.POSTHOG_HOST || 
process.env.NEXT_PUBLIC_POSTHOG_HOST || process.env.VITE_PUBLIC_POSTHOG_HOST || 
'https://app.posthog.com',
     } as Env
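Review bot: `ORCHESTRATOR_GITHUB_APP_URL` is declared as a required `string` in the interface but falls back to `''` on the added line, so a deployment that never sets the variable starts without complaint and hands the UI an empty setup URL. Either mark the field optional in `Env` so callers have to handle its absence, or log a warning or fail at startup when it is unset.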
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/digger-cli-0.6.144/ui/src/routes/_authenticated/_dashboard/dashboard/onboarding.tsx
 
new/digger-cli-0.6.145/ui/src/routes/_authenticated/_dashboard/dashboard/onboarding.tsx
--- 
old/digger-cli-0.6.144/ui/src/routes/_authenticated/_dashboard/dashboard/onboarding.tsx
     2026-03-24 02:40:13.000000000 +0100
+++ 
new/digger-cli-0.6.145/ui/src/routes/_authenticated/_dashboard/dashboard/onboarding.tsx
     2026-05-05 00:47:58.000000000 +0200
@@ -17,7 +17,7 @@
   loader: async ({ context }) => {
     const { user, organisationId, publicServerConfig } = context
     const publicHostname = publicServerConfig?.PUBLIC_HOSTNAME || ''
-    const githubAppUrl = '/orchestrator/github/setup'
+    const githubAppUrl = publicServerConfig?.ORCHESTRATOR_GITHUB_APP_URL || ''
     return { user, organisationId, publicHostname, githubAppUrl  }
   },
 })
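Review bot: `githubAppUrl` used to be the fixed path `/orchestrator/github/setup` and now falls back to `''`, so an install that does not set `ORCHESTRATOR_GITHUB_APP_URL` returns an empty link target from the loader. If the old path is no longer valid, return an explicit "not configured" state the page can render instead of an empty string. Because the value now comes from operator configuration, it is also worth checking in the loader that it is a relative path or an `https:` URL before passing it on.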

++++++ digger-cli.obsinfo ++++++
--- /var/tmp/diff_new_pack.ZsThQJ/_old  2026-05-06 19:20:52.884461034 +0200
+++ /var/tmp/diff_new_pack.ZsThQJ/_new  2026-05-06 19:20:52.892461364 +0200
@@ -1,5 +1,5 @@
 name: digger-cli
-version: 0.6.144
-mtime: 1774316413
-commit: fd5d38526e54518714a137b9e0dbc5dad9bee2dc
+version: 0.6.145
+mtime: 1777934878
+commit: 5adb2843ebfde0c53d2d8c1295e4d90e4df38536
 

++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/digger-cli/vendor.tar.gz 
/work/SRC/openSUSE:Factory/.digger-cli.new.30200/vendor.tar.gz differ: char 32, 
line 2
