Add GitHub org token for platform (#175)

* feat: add GitHub fine-grained credential integration for Seqera Platform

- Create new github_credentials integration module for Seqera Platform
- Add support for fine-grained GitHub tokens to avoid API rate limits
- Update configuration to include PLATFORM_GITHUB_ORG_TOKEN from ESC
- Integrate credential creation into main infrastructure deployment
- Export GitHub credential information for monitoring and reference
- Use protected resource to prevent accidental credential deletion

This enables Seqera Platform to pull pipeline repositories without hitting
GitHub rate limits by using fine-grained personal access tokens with
scoped access to nf-core repositories.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* fix: add base_url to scope GitHub credential to nf-core organization

- Add base_url="https://github.com/nf-core/" to GitHub credential
- Prevents conflicts with existing generic GitHub credentials
- Scopes fine-grained token specifically to nf-core repositories
- Resolves "Credentials already exist within workspace" error

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* feat: add base_url to GitHub credential export information

- Include base_url in GitHub credential export for monitoring
- Shows credential is scoped to https://github.com/nf-core/
- Improves visibility of credential configuration
- Helps with troubleshooting and documentation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: Claude <[email protected]>

Author: edmundmiller

pulumi/AWSMegatests/__main__.py

@@ -15,7 +15,7 @@
     deploy_seqera_environments_terraform,
     get_compute_environment_ids_terraform,
 )
-from src.integrations import create_github_resources
+from src.integrations import create_github_resources, create_github_credential
 from src.integrations.workspace_participants_command import (
     create_individual_member_commands,
 )
@@ -35,6 +35,14 @@ def main():
     # Create Seqera provider early for credential upload
     seqera_provider = create_seqera_provider(config)
 
+    # Step 3.5: Create GitHub fine-grained credential in Seqera Platform
+    # This allows Platform to pull pipeline repositories without hitting GitHub rate limits
+    github_credential, github_credential_id = create_github_credential(
+        seqera_provider=seqera_provider,
+        workspace_id=int(config["tower_workspace_id"]),
+        github_token=config.get("platform_github_org_token", ""),
+    )
+
     # Step 4: Set up S3 infrastructure
     s3_resources = create_s3_infrastructure(aws_provider)
     nf_core_awsmegatests_bucket = s3_resources["bucket"]
@@ -136,6 +144,20 @@ def main():
     pulumi.export("workspace_id", config["tower_workspace_id"])
     pulumi.export("deployment_method", deployment_method)
 
+    # Export GitHub credential information
+    pulumi.export(
+        "github_credential",
+        {
+            "credential_id": github_credential_id,
+            "credential_name": "nf-core-github-finegrained",
+            "description": "Fine-grained GitHub token to avoid rate limits when Platform pulls pipeline repositories",
+            "provider_type": "github",
+            "base_url": "https://github.com/nf-core/",
+            "workspace_id": config["tower_workspace_id"],
+            "purpose": "Prevents GitHub API rate limiting during pipeline repository access",
+        },
+    )
+
     # Export Terraform provider resources
     pulumi.export(
         "terraform_resources",

pulumi/AWSMegatests/src/config/settings.py

@@ -20,12 +20,14 @@ class InfrastructureConfig:
     Attributes:
         tower_access_token: Seqera Platform access token
         tower_workspace_id: Seqera Platform workspace ID
-        github_token: GitHub personal access token
+        github_token: GitHub personal access token (classic)
+        platform_github_org_token: GitHub fine-grained token to avoid rate limits when pulling pipelines
     """
 
     tower_access_token: Optional[str]
     tower_workspace_id: str
     github_token: Optional[str]
+    platform_github_org_token: Optional[str]
 
     def validate(self) -> None:
         """Validate configuration values.
@@ -98,6 +100,7 @@ def get_configuration() -> Dict[str, Any]:
         tower_access_token=os.environ.get("TOWER_ACCESS_TOKEN"),
         tower_workspace_id=workspace_id or "",
         github_token=os.environ.get("GITHUB_TOKEN"),
+        platform_github_org_token=os.environ.get("PLATFORM_GITHUB_ORG_TOKEN"),
     )
 
     # Validate configuration
@@ -108,6 +111,7 @@ def get_configuration() -> Dict[str, Any]:
         "tower_access_token": config.tower_access_token,
         "tower_workspace_id": config.tower_workspace_id,
         "github_token": config.github_token,
+        "platform_github_org_token": config.platform_github_org_token,
         # AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)
         # are automatically handled by ESC and picked up by the AWS provider
     }

pulumi/AWSMegatests/src/integrations/__init__.py

@@ -1,5 +1,10 @@
 """Third-party integrations for AWS Megatests."""
 
 from .github import create_github_resources
+from .github_credentials import create_github_credential, get_github_credential_config
 
-__all__ = ["create_github_resources"]
+__all__ = [
+    "create_github_resources",
+    "create_github_credential",
+    "get_github_credential_config",
+]

pulumi/AWSMegatests/src/integrations/github_credentials.py

@@ -0,0 +1,96 @@
+"""GitHub credentials integration for Seqera Platform."""
+
+import pulumi
+import pulumi_seqera as seqera
+from typing import Dict, Tuple
+
+
+class GitHubCredentialError(Exception):
+    """Exception raised when GitHub credential creation fails."""
+
+    pass
+
+
+def create_github_credential(
+    seqera_provider: seqera.Provider,
+    workspace_id: int,
+    github_token: str,
+    github_username: str = "nf-core-bot",
+    credential_name: str = "nf-core-github-finegrained",
+) -> Tuple[seqera.Credential, str]:
+    """Create a GitHub fine-grained credential in Seqera Platform.
+
+    This credential allows Seqera Platform to pull pipeline repositories from GitHub
+    without hitting GitHub rate limits. The fine-grained token provides secure,
+    scoped access to nf-core repositories with minimal required permissions.
+
+    Args:
+        seqera_provider: Configured Seqera provider instance
+        workspace_id: Seqera workspace ID
+        github_token: Fine-grained GitHub personal access token for repository access
+        github_username: GitHub username (default: nf-core-bot)
+        credential_name: Name for the credential in Seqera
+
+    Returns:
+        Tuple of (credential_resource, credential_id)
+
+    Raises:
+        GitHubCredentialError: If credential creation fails
+        ValueError: If required parameters are missing
+    """
+    # Validate required parameters
+    if not github_token:
+        raise ValueError("GitHub token is required")
+    if not workspace_id:
+        raise ValueError("Workspace ID is required")
+
+    pulumi.log.info(
+        f"Creating GitHub credential '{credential_name}' in workspace {workspace_id}"
+    )
+
+    try:
+        # Create GitHub credential using Seqera Terraform provider
+        github_credential = seqera.Credential(
+            f"github-credential-{credential_name}",
+            name=credential_name,
+            description="Fine-grained GitHub token to avoid rate limits when Platform pulls pipeline repositories",
+            provider_type="github",
+            base_url="https://github.com/nf-core/",  # Scope to nf-core organization
+            keys=seqera.CredentialKeysArgs(
+                github=seqera.CredentialKeysGithubArgs(
+                    username=github_username,
+                    password=github_token,  # GitHub tokens go in the password field
+                )
+            ),
+            workspace_id=workspace_id,
+            opts=pulumi.ResourceOptions(
+                provider=seqera_provider,
+                protect=True,  # Protect credential from accidental deletion
+            ),
+        )
+
+        # Return both the resource and the credential ID for reference
+        return github_credential, github_credential.id
+
+    except Exception as e:
+        pulumi.log.error(f"Failed to create GitHub credential: {str(e)}")
+        raise GitHubCredentialError(
+            f"GitHub credential creation failed: {str(e)}"
+        ) from e
+
+
+def get_github_credential_config() -> Dict[str, str]:
+    """Get configuration for GitHub credential creation.
+
+    Returns:
+        Dict containing configuration values from ESC environment
+    """
+    import os
+
+    return {
+        "github_finegrained_token": os.environ.get("PLATFORM_GITHUB_ORG_TOKEN", ""),
+        "github_username": os.environ.get("GITHUB_USERNAME", "nf-core-bot"),
+        "credential_name": os.environ.get(
+            "GITHUB_CREDENTIAL_NAME", "nf-core-github-finegrained"
+        ),
+    }