fix(pulumi): resolve 1Password config conflict and S3 deprecation warnings

- Add account="" to 1Password provider to prevent CLI account detection conflict
- Refactor S3 bucket to use separate BucketServerSideEncryptionConfigurationV2 resource
- Refactor S3 bucket to use separate BucketVersioningV2 resource
- Remove deprecated inline server_side_encryption_configuration parameter
- Remove deprecated inline versioning parameter

Fixes "Config conflict: serviceAccountToken and account are set" error by
explicitly disabling account detection when using service account tokens.

Resolves AWS deprecation warnings by moving encryption and versioning
configuration to dedicated resources as recommended by AWS provider.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: edmundmiller

pulumi/co2_reports/Pulumi.AWSMegatests.yaml

@@ -2,3 +2,5 @@ encryptionsalt: v1:Dd5GnLRGGJQ=:v1:HWX/n0HL3VxDJrWR:ouykGXCccBLXFd6kAKWW0uHByWK/
 config:
   aws:region: eu-north-1
   github:owner: nf-core
+  pulumi-onepassword:service_account_token:
+    secure: v1:/9UqNK7J/BSgkoof:PLSCC8wOdrIkvfK0pdodnyOid/HSwFb5Ra6+x0zVOiN+1ZbulPub0T1tRTdyCG4yqJa8dvcnS62kPRu9CCm10tPu+/g0HCVhUaR8DLB5lO5HtWn/OA28xd7OluDhp5e2JRYFV7HWUpnfTV9rlwpxntWAaCnnsSIw53yyiQLl0cMnf/V51VOo+e2YkqZJg/fyPtpeVS28FRZvjxFUIV5nxtaCw7K/5kXhtJOf6ZR160sH9bkkhNzzqQQ53JLY02rgFqBLAQ5dPRZMH6cB6HJiznq/zgEo2331/M6+TCqzyCi1spIvfhC7i3GV1KtVNaKJSD8tVEcscHJHR4hFElsJ5yHVVT/BWYL/A/4QjktY/hRKheDeLbQfkL5zQzbpm8DkNEwBv/x+691uhAJy387nK8+MdACLjT4w5Z7kmn4S+LOi8bPIXvTdpsWdijwT9Rbv4rr7p25nhoB4T+/ikDXWGSW/Lj5eVgcKVZ8KcY2MhhYGQ/LItWvrPO4K3kjZnglOjzU3CX5wuCrki4uHhKGgpWT+/XTgSe4nerp9iFZPs42yneEMz1icYfPkXOybDuV+4TPB2rn7g1Yp1k2+1ILe8aw82Pzw2DEDcFjyVTTHsCytBGKFlOT/MxWmgiY8BCJvEBLzOrDPHqfWFTeyIVdVw62nnFMZwVoDxl68aCGbAWCsBr2sS3uTZAak7RP5cXYa9zEIb6d4dQ6PiUl/V6q4yi+yawde7F7St8qd+MTBvBgfieEXwzwwejb2IGmkI6uKD2mSOUk+Dyb4DymuuYatFf6QUlCQEBlyaLZmA1SIGSMrASKmY54VffU6C4LLZvQc8Sxa20wzuYIQ+RO/o2EGQ2Kq9b2teOVMah6kWHVFrNA46+3cNmUSMXxuoiyjsQo0KMzWY8ZpJ2qXDhCJLYdlsVKY4W3i2rS4smjGbHxpnhC6sUgH3LaJBZFHWk+OGAI35y1AVocquUzipCsJGrMD9SiZla6mOKD9Cwv3kdRQQFbSdmH1hF829lBk6o+uXrhpfxHiyD+GgsuVLTzpOTiZigehafUx22ALfrGmF28vK+uxU4rc0DYsJMzyE+/bmmIzyE6H8NRsCbaYp5XyAUCMm4jq+MoZrR0bPde96yGNNwPP/xEasIOu5S/+QoVCQN8BkeArIGY8T3M=

pulumi/co2_reports/__main__.py

@@ -16,6 +16,7 @@
 onepassword_provider = onepassword.Provider(
     "onepassword-provider",
     service_account_token=onepassword_config.require_secret("service_account_token"),
+    account="",  # Explicitly disable CLI account detection to avoid conflicts
 )
 
 # Get GitHub token from 1Password
@@ -39,15 +40,29 @@
 co2_reports_bucket = aws.s3.Bucket(
     "co2-reports-bucket",
     bucket="nf-core-co2-reports",
-    server_side_encryption_configuration=aws.s3.BucketServerSideEncryptionConfigurationArgs(
-        rule=aws.s3.BucketServerSideEncryptionConfigurationRuleArgs(
-            apply_server_side_encryption_by_default=aws.s3.BucketServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefaultArgs(
+    opts=pulumi.ResourceOptions(provider=aws_provider),
+)
+
+# Configure server-side encryption for the bucket
+co2_reports_bucket_encryption = aws.s3.BucketServerSideEncryptionConfigurationV2(
+    "co2-reports-bucket-encryption",
+    bucket=co2_reports_bucket.id,
+    rules=[
+        aws.s3.BucketServerSideEncryptionConfigurationV2RuleArgs(
+            apply_server_side_encryption_by_default=aws.s3.BucketServerSideEncryptionConfigurationV2RuleApplyServerSideEncryptionByDefaultArgs(
                 sse_algorithm="AES256",
             ),
         ),
-    ),
-    versioning=aws.s3.BucketVersioningArgs(
-        enabled=True,
+    ],
+    opts=pulumi.ResourceOptions(provider=aws_provider),
+)
+
+# Enable versioning for the bucket
+co2_reports_bucket_versioning = aws.s3.BucketVersioningV2(
+    "co2-reports-bucket-versioning",
+    bucket=co2_reports_bucket.id,
+    versioning_configuration=aws.s3.BucketVersioningV2VersioningConfigurationArgs(
+        status="Enabled",
     ),
     opts=pulumi.ResourceOptions(provider=aws_provider),
 )