From ac40f08b98d4da2b39d187c0947c7256848196f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?=
Date: Fri, 3 Jan 2025 15:31:07 +0100
Subject: [PATCH] Push .pot changes without GitHub secret Use a short lived token to push to the repository. Don't expose the token to the test jobs.
---
 ...ci == 'GitHub' %}test.yml{% endif %}.jinja | 38 +++++++++++++++++--
 1 file changed, 35 insertions(+), 3 deletions(-)
diff --git a/src/.github/workflows/{% if ci == 'GitHub' %}test.yml{% endif %}.jinja b/src/.github/workflows/{% if ci == 'GitHub' %}test.yml{% endif %}.jinja
index 0c76f66..524e0e3 100644
--- a/src/.github/workflows/{% if ci == 'GitHub' %}test.yml{% endif %}.jinja
+++ b/src/.github/workflows/{% if ci == 'GitHub' %}test.yml{% endif %}.jinja
@@ -165,8 +165,40 @@ jobs:
 with:
 token: {{"${{ secrets.CODECOV_TOKEN }}"}}
 {%- endif %}
- {% raw -%}
 - name: Update .pot files
- run: oca_export_and_push_pot https://x-access-token:${{ secrets.GIT_PUSH_TOKEN }}@github.com/${{ github.repository }}
- {%- endraw %}
+ run: |
+ git reset --hard {% raw %}${{ github.sha }}{% endraw %}
+ oca_export_and_commit_pot
+ mkdir oca-ci-po-patch && touch oca-ci-po-patch/keep
+ git format-patch --output-directory=oca-ci-po-patch --keep-subject @{u}..@
 if: {{ "${{" }} matrix.makepot == 'true' && github.event_name == 'push' && github.repository_owner == '{{ org_slug }}' {{ "}}" }}
+ - uses: actions/upload-artifact@v4
+ with:
+ name: oca-ci-po-patch
+ path: oca-ci-po-patch
+ retention-days: 7
+ if: {{ "${{" }} matrix.makepot == 'true' && github.event_name == 'push' && github.repository_owner == '{{ org_slug }}' {{ "}}" }}
+ push-pot:
+ needs: [test]
+ runs-on: ubuntu-latest
+ if: {{ "${{" }} github.event_name == 'push' && github.repository_owner == '{{ org_slug }}' {{ "}}" }}
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/download-artifact@v4
+ with:
+ name: oca-ci-po-patch
+ path: oca-ci-po-patch
+ - name: Configure git user
+ run: |
+ git config user.name "oca-ci"
+ git config user.email "oca-ci@odoo-community.org"
+ - name: Apply .pot files changes
+ run: git am --keep oca-ci-po-patch/*.patch
+ if: {% raw %}${{ hashFiles('oca-ci-po-patch/*.patch') != '' }}{% endraw %}
+ - name: Push .pot file changes
+ run: git push
+ if: {% raw %}${{ hashFiles('oca-ci-po-patch/*.patch') != '' }}{% endraw %}
+ # Don't fail in case something has changed upstream in the meantime
+ continue-on-error: true
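Review bot: The `push-pot` job applies whatever patch files the `test` job uploaded (`git am --keep oca-ci-po-patch/*.patch`) and pushes them with `contents: write`, so code running in `test` (addon tests and their dependencies) still decides what gets committed even though it no longer sees the token. The apply step should restrict the patches to translation files, for example `run: git am --keep --include='*.pot' oca-ci-po-patch/*.patch`, widening the pattern if `oca_export_and_commit_pot` also rewrites `.po` files, which cannot be seen from here. A comment above the step such as `# Artifact comes from the unprivileged test job; only translation files may be applied` would record that trust boundary. Because this job holds a write-scoped token, pinning `actions/checkout` and `actions/download-artifact` to full commit SHAs instead of `@v4` would also reduce supply-chain exposure. The `test` job and the `jobs:` mapping start outside this hunk, so the matrix and earlier steps were not reviewed.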