docs: add GitHub REST API provider setup

[alexeykazakov]

• Document bearer credential setup for api.github.com
• Add configmap skill guidance on GitHub API vs gh CLI
• Explain why api.github.com needs a separate credential from the pre-allowed github.com domain

Summary by CodeRabbit

• Documentation
  • Enhanced provider setup documentation with a new "External Services" section explaining how to configure GitHub REST API access using Kubernetes Secrets and bearer credentials
  • Added guidance on setting up credentials for GitHub API and understanding how authorization headers are injected during requests
  • Included clarification on the differences between standard git operations and REST API access requirements
  • Added recommendations for using curl-based GitHub REST API skills

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: adadec8b-07b1-4bf7-b9cd-f33bda1b0770

📥 Commits

Reviewing files that changed from the base of the PR and between 368d076 and a14bfd4.

📒 Files selected for processing (2)

• docs/provider-setup.md
• internal/assets/manifests/claw/configmap.yaml

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Unit Tests
• GitHub Check: E2E Tests

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• internal/assets/manifests/claw/configmap.yaml
• docs/provider-setup.md

🪛 LanguageTool

docs/provider-setup.md

[uncategorized] ~623-~623: The official name of this software platform is spelled with a capital “H”.
Context: ...teway pod. > Note: The pre-allowed github.com domain covers git HTTPS clones onl...

(GITHUB)

---

[uncategorized] ~623-~623: The official name of this software platform is spelled with a capital “H”.
Context: ...TPS clones only (for npm dependencies). api.github.com is a separate host and requires an...

(GITHUB)

---

[uncategorized] ~654-~654: The official name of this software platform is spelled with a capital “H”.
Context: ...F ``` The proxy intercepts requests to api.github.com and injects `Authorization: Bearer...

(GITHUB)

🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e

[::codeready-toolchain/api::]

• Types related to proxy/credentials and GitHub:
  • api/v1alpha1/zz_generated.openapi.go — contains schema entries for ProxyPlugin, ProxyPluginSpec, ProxyPluginStatus and GitHubSecret. (multiple occurrences)
  • api/v1alpha1/ (tooling) — generated CRD schemas include "GitHubSecret" and "ProxyPlugin" types referenced in OpenAPI generation.
    (Observation: API types/schemas exist for proxy/credentials/GitHub-related CRs; docs in the PR describing a Claw credential for api.github.com relate to these CRD concepts.)

[::codeready-toolchain/toolchain-common::]

• Direct GitHub API consumers / helpers:
  • pkg/status/versionchecks.go — implements checks that call GitHub commits API (builds/uses GitHub REST API responses; error messages reference "github commits API").
  • pkg/status/versionchecks_test.go — tests exercise GitHub-related behavior; imports github client types.
  • pkg/test/github_client.go — test helpers referencing github client & mock packages.
• Proxy / workspace code that may be relevant to credential injection:
  • pkg/proxy/workspace.go — proxy-related workspace handling; references API types.
  • pkg/proxy/workspace_test.go — tests for proxy behavior.
    (Observation: toolchain-common contains runtime and test code that calls GitHub REST endpoints and proxy-related code that could be impacted by guidance about api.github.com vs github.com and bearer credential injection.)

[::codeready-toolchain/host-operator::]

• Uses API types; tests reference API:
  • many test files under test/ and pkg/ import github/api types via api module (toolchainv1alpha1).
  • No direct references to api.github.com strings found in root-level search, but host-operator templates/tests depend on toolchain-common/api types (so indirect relevance).

[::codeready-toolchain/toolchain-e2e::]

• E2E tests that exercise proxy/public viewer behavior:
  • test/e2e/parallel/proxy_test.go — uses common proxy package (imports: commonproxy "github.com/codeready-toolchain/toolchain-common/pkg/proxy").
  • testsupport/proxyplugin.go — references proxy plugin types (toolchain API).
    (Observation: E2E tests exercise proxy behavior and may need updates or verification when docs change credential guidance for api.github.com access.)

Summary / impact:

• The PR is documentation-only (Claw operator docs / ConfigMap text) describing how to add bearer credentials for api.github.com and how the proxy injects Authorization: Bearer . No code changes in these repos were found, but there are multiple consumers that call GitHub REST APIs or implement proxy behavior (toolchain-common: pkg/status/versionchecks.go, proxy package, and tests; e2e proxy tests). Reviewers may want to ensure the documented credential format and domain (api.github.com) align with how proxy/ProxyPlugin/credentials are implemented and consumed by these components and tests.

🔇 Additional comments (2)

docs/provider-setup.md (1)

616-657: LGTM! Clear and accurate GitHub REST API documentation.

The new section provides complete setup instructions following the established pattern. Key strengths:

• Correctly distinguishes github.com (pre-allowed for git HTTPS) from api.github.com (REST/GraphQL, requires credential)
• Credential configuration matches the bearer token pattern used for OpenAI and xAI
• Security best practice: recommends fine-grained PAT over classic token
• Valuable operational guidance: explains why curl-based skills work better than gh CLI due to credential injection mechanism

The instructions are complete and technically accurate.

internal/assets/manifests/claw/configmap.yaml (1)

417-447: LGTM! Consistent and well-integrated GitHub API documentation.

The new section correctly mirrors the user-facing documentation from docs/provider-setup.md while adapting the content for AI assistant consumption. Key observations:

• Credential YAML example (lines 426-433) is identical to the provider-setup.md version, ensuring consistency
• Explanation properly distinguishes between pre-allowed github.com (git HTTPS) and api.github.com (REST/GraphQL)
• The gh CLI guidance is appropriately expanded with security implications (interactive OAuth, credentials stored in container)
• Content integrates well with the existing PLATFORM.md structure and voice

The documentation accurately represents the credential injection architecture and provides actionable guidance.

---

Walkthrough

This PR adds documentation for configuring OpenClaw to access GitHub's REST API, covering both user-facing setup instructions and embedded platform documentation. The changes explain how to create Kubernetes secrets, configure Claw CR credentials with bearer tokens, and clarify proxy-based authorization header injection.

Changes

GitHub REST API Configuration Documentation

Layer / File(s)	Summary
User-Facing Setup Guide docs/provider-setup.md	New "External Services" section with "GitHub REST API" subsection explaining secret creation, Claw CR credential configuration (type: bearer, domain: api.github.com), and behavioral notes on PAT injection vs gh CLI limitations.
Embedded Platform Documentation internal/assets/manifests/claw/configmap.yaml	New "GitHub API Access" section in PLATFORM.md clarifying REST/GraphQL allowlisting scope for api.github.com, providing credential configuration example, and recommending curl-based skills over gh CLI.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

documentation

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'docs: add GitHub REST API provider setup' directly and clearly summarizes the main change—adding documentation for GitHub REST API provider configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}