build: Integrate 1Password provider for GitHub token management

edmundmiller · edmundmiller · commit 13e7a61d8048 · 2025-06-03T18:20:27.000-05:00
- Added pulumi-onepassword dependency to manage GitHub tokens securely.
- Updated Pulumi configuration to include 1Password account details.
- Modified testpipeline.py to fetch GitHub token from 1Password and configure GitHub provider accordingly.
diff --git a/pulumi/github/repos/Pulumi.dev.yaml b/pulumi/github/repos/Pulumi.dev.yaml
@@ -1,5 +1,7 @@
 config:
   github:owner: nf-core-tf
-  # https://start.1password.com/open/i?a=O5GICFDKPNABLLVGMKBL5JWDWA&v=rdfcz6oy6qxxrc4clu467a7dmm&i=4ajrv44kc5lcbboa37fr5oydla&h=nf-core.1password.eu
+  # GitHub token stored in 1Password: https://start.1password.com/open/i?a=O5GICFDKPNABLLVGMKBL5JWDWA&v=rdfcz6oy6qxxrc4clu467a7dmm&i=4ajrv44kc5lcbboa37fr5oydla&h=nf-core.1password.eu
+  # 1Password provider configuration
+  pulumi-onepassword:account: nf-core.1password.eu
 environment:
   - github-nf-core-tf
diff --git a/pulumi/github/repos/Pulumi.prod.yaml b/pulumi/github/repos/Pulumi.prod.yaml
@@ -1,5 +1,4 @@
 config:
   github:owner: nf-core
-# https://start.1password.com/open/i?a=O5GICFDKPNABLLVGMKBL5JWDWA&v=rdfcz6oy6qxxrc4clu467a7dmm&i=ttqz63qvlr5qfwfde424nbl4re&h=nf-core.1password.eu
-environment:
-  - github-prod
+  pulumi-onepassword:service_account_token:
+    secure: AAABAOVuHjkvr7WBtuxqrIv2W0MkvP9DkIoAqXc2YKGgbjDWCQWGKrXV0wZbmA+064gFec1V6fPVSphDWm9CPx1yq1WkVSnfX4gpNvQKDtJUFq8dqf5Z0XrNljAEr3Tegp3J6L08wj0zvN8R/HfveoOysKzmn6iUuwCEoizq4Yeaz8z20lWpWorE0ICHo6AXBTTH/qGC1HSW9qFfnGtUPvmnNHt2mLhFjnrOGP6My9m3x3tF9no+ptFdWN54lhCyARcBhn6JP2MhEJ09UPXw+uxwFfj8euwgU/pRsqdu22pJLMLA5mOn5gShYcRFT4eaWoRiu9eYaElItfgB8HSKiWrk26+eDz1VvdjdqfcUeLp7X2BGxD50q3s5Y6IRvHKhYZhJzNGq57qhk4M8sYXcl3sDDLZcKuidv4/NfFlLcop5i4KJ8lVBz1jP0v6QQHWjGXT6U1CvX5EwhqemEO862V/5RRYfy/qX85aVv/Xf01lIosGF2v5C5888F0mh8kelKwZGoqm6K+5o1Cy8V/nfCdmRXCEo7DY0iBYa0LfLmv++587rMs0kS84ocBIm/CjdgLoG+zlJRZGXcA0BlJwcWGYPaJ5J/FNDagMNikjwnHmHcTU0nflbzaArC4GJKMboKhl0OFxU3Z8KmhPIv0tUQBEwceDCi3fbEFdgvgnP0kjbFOgT5LMht44M+0B/r7KWZWwYDmZI5t7Bh5FC+qWg+GUiK5MtpOOy9MNi0gC7WrvTH3vhXpGzfx41EOdu3LF6SycigF0IMznl784PimFX1fMxH+9pX29dUP5LxXkS2INs6QQQOcOmlRKZqEsgZOPA34fzyNQliIj1thmS6GrC80UZcAPQ9HZtvKHX2/EZnzjTKcNvQrwsbRlD2de05xRjKCstAwQJVusN0+t8zMzeqgYUe1+Y9+fQ+5nZ3+uQvj9OvLjHFGuzYUwYAbSnAWgWZgUQ4gXNac7MCR4uc5ENJOByE72yL0SuJrGbhPACOE0rZTx35L88+XD7wGbM0iJ8D/2QU5XOgvXaXHQZk4xxsmDg9hY7klQ1atf05eRD+nO9htMgbuvlWeA478vZo2+BbOjn5ziHlDvs9+/NNi3VmP+10WtEkecL71luvmnMyoxI2oouQfcT9xEWW7Xj830BddVO3lr+C5Sdkp27ZENGEhZruZtpzH4x
diff --git a/pulumi/github/repos/pipelines/testpipeline.py b/pulumi/github/repos/pipelines/testpipeline.py
@@ -3,6 +3,29 @@
 # https://github.com/pulumi/examples/blob/74db62a03d013c2854d2cf933c074ea0a3bbf69d/testing-unit-py/test_ec2.py
 import pulumi
 import pulumi_github as github
+import pulumi_onepassword as onepassword
+
+# Configure 1Password provider with account details
+onepassword_provider = onepassword.Provider(
+    "onepassword-provider",
+    account="nf-core.1password.eu"
+)
+
+# Fetch GitHub token from 1Password
+# Item ID from the 1Password URL: 4ajrv44kc5lcbboa37fr5oydla
+# Vault ID from the 1Password URL: rdfcz6oy6qxxrc4clu467a7dmm
+github_token_item = onepassword.get_item(
+    vault="rdfcz6oy6qxxrc4clu467a7dmm",  # Vault ID from the 1Password URL
+    uuid="4ajrv44kc5lcbboa37fr5oydla",   # Item ID from the 1Password URL
+    opts=pulumi.InvokeOptions(provider=onepassword_provider)
+)
+
+# Configure GitHub provider with token from 1Password
+github_provider = github.Provider(
+    "github-provider",
+    token=github_token_item.password,  # The token is stored in the password field
+    owner="nf-core-tf"
+)
 
 NAME = "testpipeline"
 
@@ -58,6 +81,7 @@
     visibility="public",
     topics=TOPICS,  # 'repo_keywords' => 'Minimum keywords set',
     # NOTE: @mirpedrol asked if we could add missing topics without deleting existing ones
+    opts=pulumi.ResourceOptions(provider=github_provider)
 )
 
 
@@ -69,21 +93,21 @@
     f"branch_default_{NAME}",
     branch="main",
     repository=NAME,
-    opts=pulumi.ResourceOptions(protect=True),
+    opts=pulumi.ResourceOptions(protect=True, provider=github_provider),
 )
 # 'branch_dev_exists' => 'dev branch: branch must exist',
 branch_dev_testpipeline = github.Branch(
     f"branch_dev_{NAME}",
     branch="dev",
     repository=NAME,
-    opts=pulumi.ResourceOptions(protect=True),
+    opts=pulumi.ResourceOptions(protect=True, provider=github_provider),
 )
 # 'branch_template_exists' => 'TEMPLATE branch: branch must exist',
 branch_template_testpipeline = github.Branch(
     f"branch_template_{NAME}",
     branch="TEMPLATE",
     repository=NAME,
-    opts=pulumi.ResourceOptions(protect=True),
+    opts=pulumi.ResourceOptions(protect=True, provider=github_provider),
 )
 # Add branch protections https://github.com/nf-core/website/blob/33acd6a2fab2bf9251e14212ce731ef3232b5969/public_html/pipeline_health.php#L296
 # NOTE This uses the new Rulesets instead of classic branch protection rule
@@ -122,7 +146,7 @@
         ),
     ),
     target="branch",
-    opts=pulumi.ResourceOptions(protect=True),
+    opts=pulumi.ResourceOptions(protect=True, provider=github_provider),
 )
 # TODO 'branch_dev_strict_updates' => 'dev branch: do not require branch to be up to date before merging',
 ruleset_branch_dev_testpipeline = github.RepositoryRuleset(
@@ -166,7 +190,7 @@
         ),
     ),
     target="branch",
-    opts=pulumi.ResourceOptions(protect=True),
+    opts=pulumi.ResourceOptions(protect=True, provider=github_provider),
 )
 # TODO Double check
 # Template branch protection https://github.com/nf-core/website/blob/33acd6a2fab2bf9251e14212ce731ef3232b5969/public_html/pipeline_health.php#L509
@@ -196,19 +220,21 @@
         update=True,
     ),
     target="branch",
-    opts=pulumi.ResourceOptions(protect=True),
+    opts=pulumi.ResourceOptions(protect=True, provider=github_provider),
 )
 # 'team_contributors' => 'Write access for nf-core/contributors',
 contributors_team_repo_testpipeline = github.TeamRepository(
     f"contributors_team_repo_{NAME}",
     team_id="contributors",
     repository=NAME,
     permission="push",
+    opts=pulumi.ResourceOptions(provider=github_provider),
 )
 # 'team_core' => 'Admin access for nf-core/core',
 core_team_repo_testpipeline = github.TeamRepository(
     f"core_team_repo_{NAME}",
     team_id="core",
     repository=NAME,
     permission="admin",
+    opts=pulumi.ResourceOptions(provider=github_provider),
 )
diff --git a/pulumi/github/repos/pyproject.toml b/pulumi/github/repos/pyproject.toml
@@ -7,4 +7,5 @@ requires-python = ">=3.12"
 dependencies = [
     "pulumi>=3",
     "pulumi-github>=6.7.2",
+    "pulumi-onepassword>=1.1.3",
 ]
diff --git a/pulumi/github/repos/uv.lock b/pulumi/github/repos/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -7,4 +7,5 @@ requires-python = ">=3.12"`
`7`	`7`	`dependencies = [`
`8`	`8`	`"pulumi>=3",`
`9`	`9`	`"pulumi-github>=6.7.2",`
	`10`	`+ "pulumi-onepassword>=1.1.3",`
`10`	`11`	`]`