Push .pot changes without GitHub secret

Use a short lived token to push to the repository. Don't expose the token to the test jobs.
OCA · Jan 4, 2025 · ac40f08 · ac40f08
1 parent 6ea5ca8
commit ac40f08
Showing 1 changed file with 35 additions and 3 deletions.
diff --git a/src/.github/workflows/{% if ci == 'GitHub' %}test.yml{% endif %}.jinja b/src/.github/workflows/{% if ci == 'GitHub' %}test.yml{% endif %}.jinja
@@ -165,8 +165,40 @@ jobs:
         with:
           token: {{"${{ secrets.CODECOV_TOKEN }}"}}
       {%- endif %}
-      {% raw -%}
       - name: Update .pot files
-        run: oca_export_and_push_pot https://x-access-token:${{ secrets.GIT_PUSH_TOKEN }}@github.com/${{ github.repository }}
-      {%- endraw %}
+        run: |
+          git reset --hard {% raw %}${{ github.sha }}{% endraw %}
+          oca_export_and_commit_pot
+          mkdir oca-ci-po-patch && touch oca-ci-po-patch/keep
+          git format-patch --output-directory=oca-ci-po-patch --keep-subject @{u}..@
         if: {{ "${{" }} matrix.makepot == 'true' && github.event_name == 'push' && github.repository_owner == '{{ org_slug }}' {{ "}}" }}
+      - uses: actions/upload-artifact@v4
+        with:
+          name: oca-ci-po-patch
+          path: oca-ci-po-patch
+          retention-days: 7
+        if: {{ "${{" }} matrix.makepot == 'true' && github.event_name == 'push' && github.repository_owner == '{{ org_slug }}' {{ "}}" }}
+  push-pot:
+    needs: [test]
+    runs-on: ubuntu-latest
+    if: {{ "${{" }} github.event_name == 'push' && github.repository_owner == '{{ org_slug }}' {{ "}}" }}
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+        with:
+          name: oca-ci-po-patch
+          path: oca-ci-po-patch
+      - name: Configure git user
+        run: |
+          git config user.name "oca-ci"
+          git config user.email "[email protected]"
+      - name: Apply .pot files changes
+        run: git am --keep oca-ci-po-patch/*.patch
+        if: {% raw %}${{ hashFiles('oca-ci-po-patch/*.patch') != '' }}{% endraw %}
+      - name: Push .pot file changes
+        run: git push
+        if: {% raw %}${{ hashFiles('oca-ci-po-patch/*.patch') != '' }}{% endraw %}
+        # Don't fail in case something has changed upstream in the meantime
+        continue-on-error: true