Configure Renovate
chore(deps): update terraform github to v5.41.0
https://registry.terraform.io/providers/integrations/github/latest/docs/resources/organization_settings
https://docs.github.com/en/rest/orgs/orgs?apiVersion=2022-11-28#get-an-organization

gh api \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  /orgs/nf-core
- Update Pulumi 1Password integration to use Dev/AWS megatests item
- Configure encrypted service account token in Pulumi.dev.yaml
- Add GitHub owner configuration and proper stack settings
- Update .envrc to use consistent AWS megatests credentials
- Align credential sources between Pulumi and seqerakit workflows

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Update GitHub token reference to correct 1Password vault/title
- Switch AWS provider to use environment variables instead of direct 1Password values
- Add GITHUB_TOKEN to .envrc for consistency
- Resolves "static credentials are empty" error

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Create main README.md with architecture overview and deployment guides
- Update main CLAUDE.md with detailed Pulumi project context and troubleshooting
- Update seqerakit README.md to reflect Pulumi integration workflow
- Update seqerakit CLAUDE.md with parent project integration details
- Update 1Password credential references to correct vault locations and UUIDs
- Add Pulumi service account token configuration

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
…secrets

- Add AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to seqerakit_environment for proper authentication
- Import os module for environment variable access
- Comment out GitHub secrets creation due to insufficient token permissions (needs admin:org scope)
- Update exports to show github_secrets_to_create for manual setup
- Resolves seqerakit "Unauthorized" error and GitHub 403 permission issues

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
…rrors

- Add ignore_changes for cors_rules, lifecycle_rules, and versioning on imported S3 bucket
- Prevents Pulumi from attempting to modify existing bucket settings that require elevated permissions
- Resolves AccessDenied error for s3:PutBucketCORS action on nf-core-awsmegatests bucket

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Update .envrc to use "op://Dev/Seqera Platform/TOWER_ACCESS_TOKEN"
- Add TOWER_WORKSPACE_ID from "op://Dev/Seqera Platform/AWSMegatests workspace ID"
- Update Python code to use item title instead of UUID for 1Password access
- Retrieve workspace ID from 1Password fields instead of Tower CLI command
- Add TOWER_API_ENDPOINT configuration for standard Seqera Cloud
- Remove workspace command dependency chain that was causing auth failures
- Resolves Tower CLI authentication and workspace access issues

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
…assword API usage

- Update CPU environment name to "aws_ireland_fusionv2_nvme_cpu_snapshots" for consistency
- Fix 1Password provider API usage to use .credential instead of .fields
- Use environment variable for workspace ID instead of unsupported field access
- Ensures all three compute environments properly indicate snapshots capability
- Resolves 1Password provider AttributeError and TypeError issues

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
…n permissions

Re-enable creation of GitHub organization secrets for Seqera Platform integration:

- TOWER_COMPUTE_ENV_CPU, TOWER_COMPUTE_ENV_GPU, TOWER_COMPUTE_ENV_ARM
- TOWER_ACCESS_TOKEN, TOWER_WORKSPACE_ID
- Update export from github_secrets_to_create to github_secrets

Requires GitHub token with admin:org scope for organization secrets management.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Improve infrastructure reliability and developer experience:

**Enhanced Debugging:**
- Add detailed Tower CLI availability and authentication checks
- Better error messages and debugging output for troubleshooting
- Show available compute environments when ID extraction fails
- Comprehensive logging of compute environment ID retrieval process

**Developer Workflow Improvements:**
- Contributors only need to make PRs, no infrastructure access required
- Core team manages deployments via Pulumi Cloud + 1Password integration
- Clear role separation between contributors and infrastructure maintainers
- Simplified documentation with step-by-step workflows

**Technical Changes:**
- Enhanced error handling with detailed debugging output
- Updated README with contributor-friendly workflow documentation
- Cleaned up Pulumi configuration for clarity
- Removed fallback mechanisms - if Tower CLI fails, deployment fails cleanly

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
…vironment ID extraction

Simplify infrastructure by using seqerakit consistently throughout the process:

**Technical Changes:**
- Replace separate Tower CLI calls with seqerakit --json output parsing
- Use Pulumi's .apply() method to properly handle Output[T] types
- Extract compute environment IDs directly from seqerakit JSON responses
- Eliminate Tower CLI syntax compatibility issues

**Benefits:**
- Single tool (seqerakit) for both deployment and ID extraction
- Proper Pulumi Output handling prevents __str__ warnings
- Multiple JSON parsing methods for robustness
- Cleaner dependency chain with fallback placeholders

**Architecture:**
1. seqerakit deploys environments with --json flag
2. Pulumi extracts IDs from seqerakit JSON output using .apply()
3. GitHub secrets created with extracted or placeholder IDs

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
…sues

Fix two critical issues preventing proper infrastructure deployment:

**JSON Parsing Fix:**
- Extract JSON lines from seqerakit's mixed text/JSON output using grep
- Parse clean JSON to successfully extract compute environment IDs
- Resolves empty compute environment ID extraction that was causing placeholder values

**GitHub Secrets Creation Fix:**
- Add delete_before_replace=True to work around pulumi/pulumi-github#250
- Change visibility from "private" to "all" for organization-wide access
- Successfully creates all 5 GitHub organization secrets with actual compute environment IDs

**Results:**
- TOWER_COMPUTE_ENV_CPU: 6OG7a9NgQ7gZBePvROj6yi
- TOWER_COMPUTE_ENV_GPU: c976YzdEpy6SrRcQP0c5z
- TOWER_COMPUTE_ENV_ARM: 4mhp8F1HwIx5nxSmUB3BFC
- TOWER_ACCESS_TOKEN and TOWER_WORKSPACE_ID also created successfully

Infrastructure automation now works end-to-end: seqerakit deployment → ID extraction → GitHub secrets creation.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
FriederikeHanssen approved these changes Jul 24, 2025
…ction

- Convert non-sensitive compute environment IDs and workspace ID from GitHub organization secrets to GitHub organization variables
- Keep TOWER_ACCESS_TOKEN as a secret for security
- Fix seqerakit command execution by using full path to avoid PATH issues
- Remove debug output from compute environment ID extraction to prevent cluttered variable values
- Simplify JSON parsing logic to output only the final compute environment ID

This resolves the "empty string mask" warnings in GitHub Actions workflows by:
1. Using appropriate GitHub resource types (variables vs secrets)
2. Ensuring seqerakit commands execute properly and return clean values

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
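The pattern this commit describes, as an added example that is not code from this pull request: take the ID from mixed text/JSON tool output, fail rather than publish an empty value, and keep only TOWER_ACCESS_TOKEN as a secret. The `id` field name, the sample output and both helper names are assumptions made for the illustration.

```python
import json

# Assumption: only the access token is sensitive; IDs are plain configuration.
SECRET_NAMES = {"TOWER_ACCESS_TOKEN"}


def extract_compute_env_id(mixed_output: str) -> str:
    """Return the ID from output that interleaves log text with JSON lines."""
    for line in mixed_output.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # log/progress text, not a JSON document
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue  # looked like JSON but was not; keep scanning
        # "id" is an assumed field name, not taken from the tool's documentation.
        env_id = doc.get("id") if isinstance(doc, dict) else None
        if isinstance(env_id, str) and env_id.strip():
            return env_id.strip()
    # Fail closed: no placeholder is ever returned to the caller.
    raise ValueError("no compute environment ID found in tool output")


def plan_org_settings(values: dict) -> tuple:
    """Split values into (secrets, variables); reject anything empty."""
    secrets, variables = {}, {}
    for name, value in values.items():
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{name} is empty; refusing to publish it")
        target = secrets if name in SECRET_NAMES else variables
        target[name] = value.strip()
    return secrets, variables


# Constructed sample output (not captured from a real run).
SAMPLE_OUTPUT = """\
INFO deploying compute environment example_cpu_env
{"id": "EXAMPLEcomputeEnvId0001", "name": "example_cpu_env"}
DEBUG finished
"""

if __name__ == "__main__":
    cpu_id = extract_compute_env_id(SAMPLE_OUTPUT)
    secrets, variables = plan_org_settings({
        "TOWER_COMPUTE_ENV_CPU": cpu_id,
        "TOWER_ACCESS_TOKEN": "constructed-token-value",
    })
    print("secrets:", sorted(secrets), "variables:", variables)
```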
- Add JSON config file dependencies to seqerakit commands to detect configuration changes
- Import and protect existing TOWER_ACCESS_TOKEN GitHub secret
- Streamline Seqera Containers Migration project setup script with improved authentication checks

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
b039c03 to cb52220
Merged
Following up #157.
So this runs Seqerakit in Pulumi. 🤯
Didn't know that was a thing.
Anyways deployed the new environments. The compute ids live at

- TOWER_COMPUTE_ENV_CPU
- TOWER_COMPUTE_ENV_GPU
- TOWER_COMPUTE_ENV_ARM

And I made a new Seqera Platform account under the infrastructure email that owns the TOWER_API_TOKEN.