Add terraform state registry

models/packages/descriptor.go

@@ -212,6 +212,8 @@ func GetPackageDescriptorWithCache(ctx context.Context, pv *PackageVersion, c *c
 		metadata = &rubygems.Metadata{}
 	case TypeSwift:
 		metadata = &swift.Metadata{}
+	case TypeTerraformState:
+		// terraform packages have no metadata
 	case TypeVagrant:
 		metadata = &vagrant.Metadata{}
 	default:

models/packages/package.go

@@ -30,28 +30,29 @@ type Type string
 
 // List of supported packages
 const (
-	TypeAlpine    Type = "alpine"
-	TypeArch      Type = "arch"
-	TypeCargo     Type = "cargo"
-	TypeChef      Type = "chef"
-	TypeComposer  Type = "composer"
-	TypeConan     Type = "conan"
-	TypeConda     Type = "conda"
-	TypeContainer Type = "container"
-	TypeCran      Type = "cran"
-	TypeDebian    Type = "debian"
-	TypeGeneric   Type = "generic"
-	TypeGo        Type = "go"
-	TypeHelm      Type = "helm"
-	TypeMaven     Type = "maven"
-	TypeNpm       Type = "npm"
-	TypeNuGet     Type = "nuget"
-	TypePub       Type = "pub"
-	TypePyPI      Type = "pypi"
-	TypeRpm       Type = "rpm"
-	TypeRubyGems  Type = "rubygems"
-	TypeSwift     Type = "swift"
-	TypeVagrant   Type = "vagrant"
+	TypeAlpine         Type = "alpine"
+	TypeArch           Type = "arch"
+	TypeCargo          Type = "cargo"
+	TypeChef           Type = "chef"
+	TypeComposer       Type = "composer"
+	TypeConan          Type = "conan"
+	TypeConda          Type = "conda"
+	TypeContainer      Type = "container"
+	TypeCran           Type = "cran"
+	TypeDebian         Type = "debian"
+	TypeGeneric        Type = "generic"
+	TypeGo             Type = "go"
+	TypeHelm           Type = "helm"
+	TypeMaven          Type = "maven"
+	TypeNpm            Type = "npm"
+	TypeNuGet          Type = "nuget"
+	TypePub            Type = "pub"
+	TypePyPI           Type = "pypi"
+	TypeRpm            Type = "rpm"
+	TypeRubyGems       Type = "rubygems"
+	TypeSwift          Type = "swift"
+	TypeTerraformState Type = "terraform"
+	TypeVagrant        Type = "vagrant"
 )
 
 var TypeList = []Type{
@@ -76,6 +77,7 @@ var TypeList = []Type{
 	TypeRpm,
 	TypeRubyGems,
 	TypeSwift,
+	TypeTerraformState,
 	TypeVagrant,
 }
 
@@ -124,6 +126,8 @@ func (pt Type) Name() string {
 		return "RubyGems"
 	case TypeSwift:
 		return "Swift"
+	case TypeTerraformState:
+		return "Terraform State"
 	case TypeVagrant:
 		return "Vagrant"
 	}
@@ -175,6 +179,8 @@ func (pt Type) SVGName() string {
 		return "gitea-rubygems"
 	case TypeSwift:
 		return "gitea-swift"
+	case TypeTerraformState:
+		return "gitea-terraform"
 	case TypeVagrant:
 		return "gitea-vagrant"
 	}

modules/json/jsonlegacy.go

@@ -6,6 +6,7 @@
 package json
 
 import (
+	"encoding/json"
 	"io"
 )
 
@@ -20,3 +21,5 @@ func MarshalKeepOptionalEmpty(v any) ([]byte, error) {
 func NewDecoderCaseInsensitive(reader io.Reader) Decoder {
 	return DefaultJSONHandler.NewDecoder(reader)
 }
+
+type Value = json.RawMessage

modules/json/jsonv2.go

@@ -8,6 +8,7 @@ package json
 import (
 	"bytes"
 	jsonv1 "encoding/json"    //nolint:depguard // this package wraps it
+	"encoding/json/jsontext"  //nolint:depguard // this package wraps it
 	jsonv2 "encoding/json/v2" //nolint:depguard // this package wraps it
 	"io"
 )
@@ -90,3 +91,5 @@ func (d *jsonV2Decoder) Decode(v any) error {
 func NewDecoderCaseInsensitive(reader io.Reader) Decoder {
 	return &jsonV2Decoder{reader: reader, opts: jsonV2.unmarshalCaseInsensitiveOptions}
 }
+
+type Value = jsontext.Value

modules/packages/terraform/lock.go

@@ -0,0 +1,102 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package terraform
+
+import (
+	"context"
+	"errors"
+	"io"
+	"time"
+
+	"code.gitea.io/gitea/models/db"
+	packages_model "code.gitea.io/gitea/models/packages"
+	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/util"
+
+	"xorm.io/builder"
+)
+
+const LockFile = "terraform.lock"
+
+var ErrMissingLockID = util.NewInvalidArgumentErrorf("terraform lock is missing an ID")
+
+// LockInfo is the metadata for a terraform lock.
+type LockInfo struct {
+	ID        string    `json:"ID"`
+	Operation string    `json:"Operation"`
+	Info      string    `json:"Info"`
+	Who       string    `json:"Who"`
+	Version   string    `json:"Version"`
+	Created   time.Time `json:"Created"`
+	Path      string    `json:"Path"`
+}
+
+func (l *LockInfo) IsLocked() bool {
+	return l.ID != ""
+}
+
+func ParseLockInfo(r io.Reader) (*LockInfo, error) {
+	var lock LockInfo
+	err := json.NewDecoder(r).Decode(&lock)
+	if err != nil {
+		return nil, err
+	}
+	// ID is required. Rest is less important.
+	if lock.ID == "" {
+		return nil, ErrMissingLockID
+	}
+	return &lock, nil
+}
+
+// GetLock returns the terraform lock for the given package.
+// Lock is empty if no lock exists.
+func GetLock(ctx context.Context, packageID int64) (LockInfo, error) {
+	var lock LockInfo
+	locks, err := packages_model.GetPropertiesByName(ctx, packages_model.PropertyTypePackage, packageID, LockFile)
+	if err != nil {
+		return lock, err
+	}
+	if len(locks) == 0 || locks[0].Value == "" {
+		return lock, nil
+	}
+
+	err = json.Unmarshal([]byte(locks[0].Value), &lock)
+	return lock, err
+}
+
+// SetLock sets the terraform lock for the given package.
+func SetLock(ctx context.Context, packageID int64, lock *LockInfo) error {
+	jsonBytes, err := json.Marshal(lock)
+	if err != nil {
+		return err
+	}
+
+	return updateLock(ctx, packageID, string(jsonBytes), builder.Eq{"value": ""})
+}
+
+// RemoveLock removes the terraform lock for the given package.
+func RemoveLock(ctx context.Context, packageID int64) error {
+	return updateLock(ctx, packageID, "", builder.Neq{"value": ""})
+}
+
+func updateLock(ctx context.Context, refID int64, value string, cond builder.Cond) error {
+	pp := packages_model.PackageProperty{RefType: packages_model.PropertyTypePackage, RefID: refID, Name: LockFile}
+	ok, err := db.GetEngine(ctx).Get(&pp)
+	if err != nil {
+		return err
+	}
+	if ok {
+		n, err := db.GetEngine(ctx).Where("ref_type=? AND ref_id=? AND name=?", packages_model.PropertyTypePackage, refID, LockFile).And(cond).Cols("value").Update(&packages_model.PackageProperty{Value: value})
+		if err != nil {
+			return err
+		}
+		if n == 0 {
+			return errors.New("failed to update lock state")
+		}
+
+		return nil
+	}
+	_, err = packages_model.InsertProperty(ctx, packages_model.PropertyTypePackage, refID, LockFile, value)
+	return err
+}

modules/packages/terraform/state.go

@@ -0,0 +1,59 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package terraform
+
+import (
+	"io"
+
+	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/util"
+)
+
+var (
+	ErrNoSerial           = util.NewInvalidArgumentErrorf("state serial is missing")
+	ErrNoLineage          = util.NewInvalidArgumentErrorf("state lineage is missing")
+	ErrNoTerraformVersion = util.NewInvalidArgumentErrorf("state terraform version is missing")
+	ErrNoResources        = util.NewInvalidArgumentErrorf("state resources are missing")
+	ErrNoOutputs          = util.NewInvalidArgumentErrorf("state outputs are missing")
+)
+
+type State struct {
+	Version          int        `json:"version"`
+	TerraformVersion string     `json:"terraform_version"`
+	Serial           uint64     `json:"serial"`
+	Lineage          string     `json:"lineage"`
+	Resources        json.Value `json:"resources"`
+	Outputs          json.Value `json:"outputs"`
+}
+
+// ParseState parses the Terraform state file
+func ParseState(r io.Reader) (*State, error) {
+	var state State
+	err := json.NewDecoder(r).Decode(&state)
+	if err != nil {
+		return nil, err
+	}
+	// Serial starts at 1; 0 means it wasn't set in the state file
+	if state.Serial == 0 {
+		return nil, ErrNoSerial
+	}
+	if state.Version != 4 {
+		return nil, util.NewInvalidArgumentErrorf("state version %d is not supported", state.Version)
+	}
+	if state.TerraformVersion == "" {
+		return nil, ErrNoTerraformVersion
+	}
+	// Lineage should always be set
+	if state.Lineage == "" {
+		return nil, ErrNoLineage
+	}
+	if state.Resources == nil {
+		return nil, ErrNoResources
+	}
+	if state.Outputs == nil {
+		return nil, ErrNoOutputs
+	}
+
+	return &state, nil
+}

modules/setting/packages.go

@@ -39,6 +39,7 @@ var (
 		LimitSizeRpm         int64
 		LimitSizeRubyGems    int64
 		LimitSizeSwift       int64
+		LimitSizeTerraform   int64
 		LimitSizeVagrant     int64
 
 		DefaultRPMSignEnabled bool
@@ -86,6 +87,7 @@ func loadPackagesFrom(rootCfg ConfigProvider) (err error) {
 	Packages.LimitSizeRpm = mustBytes(sec, "LIMIT_SIZE_RPM")
 	Packages.LimitSizeRubyGems = mustBytes(sec, "LIMIT_SIZE_RUBYGEMS")
 	Packages.LimitSizeSwift = mustBytes(sec, "LIMIT_SIZE_SWIFT")
+	Packages.LimitSizeTerraform = mustBytes(sec, "LIMIT_SIZE_TERRAFORM")
 	Packages.LimitSizeVagrant = mustBytes(sec, "LIMIT_SIZE_VAGRANT")
 	Packages.DefaultRPMSignEnabled = sec.Key("DEFAULT_RPM_SIGN_ENABLED").MustBool(false)
 	return nil

options/locale/locale_en-US.json

@@ -3602,6 +3602,18 @@
   "packages.swift.registry": "Set up this registry from the command line:",
   "packages.swift.install": "Add the package in your <code>Package.swift</code> file:",
   "packages.swift.install2": "and run the following command:",
+  "packages.terraform.install": "Set your state to use the HTTP backend",
+  "packages.terraform.install2": "and run the following command:",
+  "packages.terraform.lock_status": "Lock Status",
+  "packages.terraform.locked_by": "Locked by %s",
+  "packages.terraform.unlocked": "Unlocked",
+  "packages.terraform.lock": "Lock",
+  "packages.terraform.unlock": "Unlock",
+  "packages.terraform.lock.success": "Terraform state was successfully locked.",
+  "packages.terraform.unlock.success": "Terraform state was successfully unlocked.",
+  "packages.terraform.lock.error.already_locked": "Terraform state is already locked.",
+  "packages.terraform.delete.locked": "Terraform state is locked and cannot be deleted.",
+  "packages.terraform.delete.latest": "The latest version of a Terraform state cannot be deleted.",
   "packages.vagrant.install": "To add a Vagrant box, run the following command:",
   "packages.settings.link": "Link this package to a repository",
   "packages.settings.link.description": "If you link a package with a repository, the package will appear in the repository's package list. Only repositories under the same owner can be linked. Leaving the field empty will remove the link.",

routers/api/packages/api.go

@@ -32,6 +32,7 @@ import (
 	"code.gitea.io/gitea/routers/api/packages/rpm"
 	"code.gitea.io/gitea/routers/api/packages/rubygems"
 	"code.gitea.io/gitea/routers/api/packages/swift"
+	"code.gitea.io/gitea/routers/api/packages/terraform"
 	"code.gitea.io/gitea/routers/api/packages/vagrant"
 	"code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/context"
@@ -514,6 +515,21 @@ func CommonRoutes() *web.Router {
 				r.Get("/identifiers", swift.CheckAcceptMediaType(swift.AcceptJSON), swift.LookupPackageIdentifiers)
 			}, reqPackageAccess(perm.AccessModeRead))
 		})
+		// See https://docs.gitlab.com/ci/jobs/fine_grained_permissions/#terraform-state-endpoints
+		// For endpoint and permission reference
+		r.Group("/terraform/state/{name}", func() {
+			r.Get("", terraform.GetTerraformState)
+			r.Get("/versions/{serial}", terraform.GetTerraformStateBySerial)
+			r.Group("", func() {
+				r.Post("", terraform.UploadState)
+				r.Delete("", terraform.DeleteState)
+				r.Delete("/versions/{serial}", terraform.DeleteStateBySerial)
+			}, reqPackageAccess(perm.AccessModeWrite))
+			r.Group("/lock", func() {
+				r.Post("", terraform.LockState)
+				r.Delete("", terraform.UnlockState)
+			}, reqPackageAccess(perm.AccessModeWrite))
+		}, reqPackageAccess(perm.AccessModeRead))
 		r.Group("/vagrant", func() {
 			r.Group("/authenticate", func() {
 				r.Get("", vagrant.CheckAuthenticate)