diggerhq · breardon2011 · Oct 28, 2025 · Oct 28, 2025 · Oct 28, 2025 · Oct 28, 2025
diff --git a/.github/workflows/taco-release.yml b/.github/workflows/taco-release.yml
@@ -5,6 +5,7 @@ on:
     tags:
       - 'taco/cli/v*'
       - 'taco/statesman/v*'
+      - 'taco/token-service/v*'
 
 permissions:
   contents: write
@@ -73,6 +74,8 @@ jobs:
             echo "build_dir=taco/cmd/taco" >> $GITHUB_OUTPUT
           elif [ "$APP_DIR" = "taco/statesman" ]; then
             echo "build_dir=taco/cmd/statesman" >> $GITHUB_OUTPUT
+          elif [ "$APP_DIR" = "taco/token-service" ]; then
+            echo "build_dir=taco/cmd/token_service" >> $GITHUB_OUTPUT
           fi
 
       - name: Build CLI
@@ -93,6 +96,15 @@ jobs:
             -o statesman-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.goos == 'windows' && '.exe' || '' }} .
           sha256sum statesman-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.goos == 'windows' && '.exe' || '' }} > statesman-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.goos == 'windows' && '.exe' || '' }}.sha256
 
+      - name: Build Token Service
+        if: startsWith(steps.meta.outputs.app_dir, 'taco/token-service')
+        working-directory: ${{ steps.meta.outputs.build_dir }}
+        run: |
+          CGO_ENABLED=0 GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} go build \
+            -ldflags="-X 'main.Version=${{ steps.meta.outputs.version }}' -X 'main.Commit=${{ github.sha }}' -s -w" \
+            -o token_service-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.goos == 'windows' && '.exe' || '' }} .
+          sha256sum token_service-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.goos == 'windows' && '.exe' || '' }} > token_service-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.goos == 'windows' && '.exe' || '' }}.sha256
+
       - name: Upload CLI artifacts
         if: startsWith(steps.meta.outputs.app_dir, 'taco/cli')
         uses: actions/upload-artifact@v4
@@ -107,8 +119,15 @@ jobs:
           name: taco-statesman-${{ matrix.os }}-${{ matrix.arch }}
           path: ${{ steps.meta.outputs.build_dir }}/statesman-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.goos == 'windows' && '.exe' || '' }}*
 
+      - name: Upload Token Service artifacts
+        if: startsWith(steps.meta.outputs.app_dir, 'taco/token-service')
+        uses: actions/upload-artifact@v4
+        with:
+          name: taco-token-service-${{ matrix.os }}-${{ matrix.arch }}
+          path: ${{ steps.meta.outputs.build_dir }}/token_service-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.goos == 'windows' && '.exe' || '' }}*
+
   build-docker:
-    if: startsWith(github.ref_name, 'taco/statesman/')
+    if: startsWith(github.ref_name, 'taco/statesman/') || startsWith(github.ref_name, 'taco/token-service/')
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -136,11 +155,22 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Determine service name
+        id: service
+        run: |
+          if [[ "${{ github.ref_name }}" == taco/statesman/* ]]; then
+            echo "name=statesman" >> $GITHUB_OUTPUT
+            echo "dockerfile=Dockerfile_statesman" >> $GITHUB_OUTPUT
+          elif [[ "${{ github.ref_name }}" == taco/token-service/* ]]; then
+            echo "name=token-service" >> $GITHUB_OUTPUT
+            echo "dockerfile=Dockerfile_token_service" >> $GITHUB_OUTPUT
+          fi
+
       - name: Extract metadata
         id: docker-meta
         uses: docker/metadata-action@v5
         with:
-          images: ghcr.io/${{ github.repository }}/taco-statesman
+          images: ghcr.io/${{ github.repository }}/taco-${{ steps.service.outputs.name }}
           tags: |
             type=raw,value=${{ steps.meta.outputs.version }}
             type=ref,event=tag
@@ -150,7 +180,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: ./taco
-          file: ./taco/Dockerfile_statesman
+          file: ./taco/${{ steps.service.outputs.dockerfile }}
           push: true
           platforms: linux/amd64,linux/arm64
           tags: ${{ steps.docker-meta.outputs.tags }}
@@ -261,3 +291,57 @@ jobs:
             taco-statesman-*/*
           draft: false
           prerelease: false
+
+  create-release-token-service:
+    if: startsWith(github.ref_name, 'taco/token-service/')
+    needs: [build, build-docker]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Derive app dir and version
+        id: meta
+        run: |
+          TAG="${GITHUB_REF_NAME}"          # e.g. taco/token-service/v1.2.3
+          APP_DIR="${TAG%/v*}"              # taco/token-service
+          VERSION="${TAG##*/}"              # v1.2.3
+          echo "app_dir=$APP_DIR" >> $GITHUB_OUTPUT
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+
+      - name: Create release for Token Service
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ github.ref_name }}
+          name: taco/token-service/${{ steps.meta.outputs.version }}
+          body: |
+            ## Taco Token Service ${{ steps.meta.outputs.version }}
+
+            ### Downloads
+            - **Linux AMD64**: [token_service-linux-amd64](https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/token_service-linux-amd64) ([checksum](https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/token_service-linux-amd64.sha256))
+            - **Linux ARM64**: [token_service-linux-arm64](https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/token_service-linux-arm64) ([checksum](https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/token_service-linux-arm64.sha256))
+            - **Linux 386**: [token_service-linux-386](https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/token_service-linux-386) ([checksum](https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/token_service-linux-386.sha256))
+            - **macOS AMD64**: [token_service-darwin-amd64](https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/token_service-darwin-amd64) ([checksum](https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/token_service-darwin-amd64.sha256))
+            - **macOS ARM64**: [token_service-darwin-arm64](https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/token_service-darwin-arm64) ([checksum](https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/token_service-darwin-arm64.sha256))
+            - **Windows AMD64**: [token_service-windows-amd64.exe](https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/token_service-windows-amd64.exe) ([checksum](https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/token_service-windows-amd64.exe.sha256))
+            - **Windows 386**: [token_service-windows-386.exe](https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/token_service-windows-386.exe) ([checksum](https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/token_service-windows-386.exe.sha256))
+
+            ### Docker
+            ```bash
+            docker pull ghcr.io/${{ github.repository }}/taco-token-service:${{ steps.meta.outputs.version }}
+            ```
+
+            ### Installation
+            Download the appropriate binary for your platform and make it executable:
+            ```bash
+            chmod +x token_service-<platform>-<arch>
+            sudo mv token_service-<platform>-<arch> /usr/local/bin/token_service
+            ```
+          files: |
+            taco-token-service-*/*
+          draft: false
+          prerelease: false
diff --git a/helm-charts/opentaco/Chart.yaml b/helm-charts/opentaco/Chart.yaml
@@ -10,6 +10,7 @@ appVersion: "0.1.0"
 #   - PostgreSQL database (optional - can use Cloud SQL instead)
 #   - Digger Managed (terraform orchestration backend)
 #   - Taco Statesman (IaC state management)
+#   - Token Service (API token management)
 #   - Drift Detection service
 #   - Taco UI (React frontend)
 
@@ -22,48 +23,42 @@ dependencies:
     tags:
       - database
 
-  # Digger Managed - terraform orchestration backend
+  # Taco Orchestrator - terraform orchestration backend
   - name: taco-orchestrator
     version: "0.1.0"
-    # For production: use OCI registry
     repository: "oci://ghcr.io/diggerhq/helm-charts"
-    # For local testing: use file reference
-    #repository: "file://../taco-orchestrator"
     condition: taco-orchestrator.enabled
     tags:
       - backend
 
   # Taco Statesman - IaC state management  
-  - name: statesman
-    alias: taco-statesman
+  - name: taco-statesman
     version: "0.1.0"
-    # For production: use OCI registry
     repository: "oci://ghcr.io/diggerhq/helm-charts"
-    # For local testing: use file reference
-    #repository: "file://../taco-statesman"
     condition: taco-statesman.enabled
     tags:
       - backend
 
+  # Token Service - API token management
+  - name: taco-token-service
+    version: "0.1.0"
+    repository: "oci://ghcr.io/diggerhq/helm-charts"
+    condition: taco-token-service.enabled
+    tags:
+      - backend
+
   # Drift Detection
-  - name: drift
+  - name: taco-drift
     version: "0.1.0"
-    # For production: use OCI registry
     repository: "oci://ghcr.io/diggerhq/helm-charts"
-    # For local testing: use file reference
-    #repository: "file://../taco-drift"
-    condition: drift.enabled
+    condition: taco-drift.enabled
     tags:
       - backend
 
   # Taco UI - React frontend
-  - name: ui
-    alias: taco-ui
+  - name: taco-ui
     version: "0.1.0"
-    # For production: use OCI registry
     repository: "oci://ghcr.io/diggerhq/helm-charts"
-    # For local testing: use file reference
-    #repository: "file://../taco-ui"
     condition: taco-ui.enabled
     tags:
       - frontend

diff --git a/helm-charts/opentaco/templates/NOTES.txt b/helm-charts/opentaco/templates/NOTES.txt
@@ -21,18 +21,23 @@ DEPLOYMENT STATUS:
 {{- end }}
 
 {{- if index .Values "taco-orchestrator" "enabled" }}
-✓ Digger Managed: Enabled
-  Service: digger-managed:3000
+✓ Taco Orchestrator: Enabled
+  Service: taco-orchestrator:3000
 {{- end }}
 
 {{- if index .Values "taco-statesman" "enabled" }}
 ✓ Taco Statesman: Enabled
   Service: taco-statesman:8080
 {{- end }}
 
-{{- if .Values.drift.enabled }}
+{{- if index .Values "taco-token-service" "enabled" }}
+✓ Token Service: Enabled
+  Service: taco-token-service:8081
+{{- end }}
+
+{{- if index .Values "taco-drift" "enabled" }}
 ✓ Drift Detection: Enabled
-  Service: drift:3004
+  Service: taco-drift:3004
 {{- end }}
 
 {{- if index .Values "taco-ui" "enabled" }}

diff --git a/helm-charts/opentaco/values-production.yaml.example b/helm-charts/opentaco/values-production.yaml.example
@@ -18,9 +18,9 @@ cloudSql:
   serviceAccount: "cloudsql-sa"
 
 # ============================================================================
-# Digger Managed
+# Taco Orchestrator
 # ============================================================================
-digger-managed:
+taco-orchestrator:
   enabled: true
   digger:
     replicaCount: 2
@@ -39,7 +39,7 @@ digger-managed:
       host: "api.opentaco.example.com"  # CHANGE THIS
       path: /
       tls:
-        secretName: digger-managed-tls
+        secretName: taco-orchestrator-tls
 
 # ============================================================================
 # Taco Statesman
@@ -64,7 +64,7 @@ taco-statesman:
 # ============================================================================
 # Drift Detection
 # ============================================================================
-drift:
+taco-drift:
   enabled: true
   drift:
     replicaCount: 2

diff --git a/helm-charts/opentaco/values-test.yaml.example b/helm-charts/opentaco/values-test.yaml.example
@@ -26,7 +26,7 @@ cloudSql:
 # ============================================================================
 # Components - All enabled with defaults
 # ============================================================================
-digger-managed:
+taco-orchestrator:
   enabled: true
   # Note: imagePullSecrets not needed for public images
   # global:
@@ -38,7 +38,7 @@ digger-managed:
       useExistingSecret: true
       existingSecretName: "backend-secrets"
 
-statesman:
+taco-statesman:
   enabled: true
   # Note: imagePullSecrets not needed for public images
   # global:
@@ -54,7 +54,7 @@ statesman:
     storage:
       type: "s3" 
 
-drift:
+taco-drift:
   enabled: true
   # Note: imagePullSecrets not needed for public images
   # global:
@@ -64,7 +64,7 @@ drift:
     replicaCount: 1
     existingSecretName: "drift-secrets"
 
-ui:
+taco-ui:
   enabled: true
   # Note: imagePullSecrets not needed for public images
   # imagePullSecrets: