feat: add GitHub CLI + token auth to agents

[stepandel]

Summary

Add GitHub CLI installation and optional token-based authentication to agent provisioning.

Changes

src/components/cloud-init.ts

• Install gh via official apt repo (system-level)
• Add githubToken?: string to CloudInitConfig interface
• Add GITHUB_TOKEN interpolation to env vars
• Authenticate as ubuntu user: echo "$GITHUB_TOKEN" | gh auth login --with-token && gh auth setup-git
• Skip auth if no token provided

src/components/openclaw-agent.ts

• Add githubToken?: pulumi.Input<string> to OpenClawAgentArgs
• Pass through to CloudInitConfig

cli/commands/init.ts

• Add optional GitHub token prompt (after Brave Search)
• Validate starts with ghp_ or github_pat_ (or empty to skip)
• Store as secret via setConfig()

cli/commands/validate.ts

• Check gh --version
• Check gh auth status (if gh installed)

cli/commands/status.ts

• Show gh version and auth status columns

esc/agent-army-secrets.yaml.example

• Add per-agent GitHub token entries

Definition of Done

• gh --version succeeds on provisioned instance
• gh auth status shows authenticated when token provided
• tsc --noEmit passes (typecheck)

Linear-Issue: AGE-19

Summary by CodeRabbit

• New Features
  • Added optional GitHub CLI integration to agent setup with per-agent token configuration
  • Status command now displays GitHub CLI version and authentication status for each agent
  • Validation flow includes checks for GitHub CLI installation and authentication state
  • Setup wizard includes interactive prompts for GitHub token management and onboarding guidance

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

The pull request adds GitHub CLI integration across the CLI, configuration management, and agent deployment systems. Users can now optionally configure per-agent GitHub tokens during setup, which are validated, stored in configuration, and provisioned into agents via cloud-init with automated GitHub CLI installation and authentication.

Changes

Cohort / File(s)	Summary
CLI Initialization & Configuration cli/commands/init.ts, cli/lib/constants.ts	Adds GitHub token prompt to interactive setup flow, extends integrationCredentials type with optional githubToken field, and includes onboarding instructions for generating GitHub personal access tokens (formats: github_pat_, ghp_).
CLI Status & Validation cli/commands/status.ts, cli/commands/validate.ts	Introduces SSH-based GitHub CLI version and auth status fetchers, extends status output with gh and Auth columns per agent, and adds validation checks (Check 5-6) for GitHub CLI installation and authentication state.
Deployment Configuration esc/agent-army-secrets.yaml.example, index.ts	Adds per-role GitHub token secrets (pmGithubToken, engGithubToken, testerGithubToken), implements per-role credential storage in agentGithubCredentials map, and retrieves role-specific tokens to inject into OpenClawAgent construction.
Cloud Initialization & Provisioning src/components/cloud-init.ts, src/components/openclaw-agent.ts	Extends CloudInitConfig interface with githubToken field, implements GitHub CLI installation and authentication scripts, threads githubToken through agent provisioning pipeline, and exports GITHUB_TOKEN environment variable for agent runtime.

Sequence Diagram

sequenceDiagram
    participant User
    participant CLI as CLI Init
    participant Config as Config Store
    participant Deployment as Pulumi Deployment
    participant CloudInit as Cloud-Init
    participant Agent as Agent VM

    User->>CLI: Run init command
    CLI->>User: Prompt for GitHub token (optional)
    User-->>CLI: Provide token
    CLI->>Config: Store githubToken in config
    Config-->>CLI: Token persisted
    
    Deployment->>Config: Retrieve githubToken by role
    Config-->>Deployment: Return role-specific token
    Deployment->>CloudInit: Pass githubToken to cloud-init config
    CloudInit->>CloudInit: Generate GitHub CLI install script
    CloudInit->>CloudInit: Generate GitHub CLI auth script (if token provided)
    
    CloudInit->>Agent: Execute cloud-init user data
    Agent->>Agent: Install GitHub CLI
    Agent->>Agent: Authenticate with token (gh auth login)
    Agent->>Agent: Export GITHUB_TOKEN environment variable
    Agent-->>User: Agent ready with GitHub access

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A rabbit skips through init's golden door,
GitHub tokens shine like never before!
Through clouds and scripts, each agent takes flight,
With gh auth dancing in the night. ✨
Secrets tucked safe, credentials entwined,
Our fluffy deployment just perfectly signed! 🔐

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/age-19-github-cli-auth

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}