Push .pot changes without GitHub secret

Use a short lived token to push to the repository. Don't expose the token to the test jobs.
OCA · Jan 3, 2025 · 08bb46e · 08bb46e
1 parent 6ea5ca8
commit 08bb46e
Showing 1 changed file with 30 additions and 2 deletions.
diff --git a/src/.github/workflows/{% if ci == 'GitHub' %}test.yml{% endif %}.jinja b/src/.github/workflows/{% if ci == 'GitHub' %}test.yml{% endif %}.jinja
@@ -167,6 +167,34 @@ jobs:
       {%- endif %}
       {% raw -%}
       - name: Update .pot files
-        run: oca_export_and_push_pot https://x-access-token:${{ secrets.GIT_PUSH_TOKEN }}@github.com/${{ github.repository }}
-      {%- endraw %}
+        run: |
+          oca_export_and_commit_pot
+          git format-patch --stdout --keep-subject @{u}..@ > po.patch
         if: {{ "${{" }} matrix.makepot == 'true' && github.event_name == 'push' && github.repository_owner == '{{ org_slug }}' {{ "}}" }}
+      - uses: actions/upload-artifact@v4
+        with:
+          name: po-patch
+          path: po.patch
+        if: {{ "${{" }} matrix.makepot == 'true' && github.event_name == 'push' && github.repository_owner == '{{ org_slug }}' {{ "}}" }}
+  push-pot:
+    needs: [test]
+    runs-on: ubuntu-24.04
+    if: {{ "${{" }} github.event_name == 'push' && github.repository_owner == '{{ org_slug }}' {{ "}}" }}
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.sha }}
+      - uses: actions/download-artifact@v4
+        with:
+          name: po-patch
+      - name: Push .pot files
+        run: |
+          if [ -s po.patch ]; then
+            git config user.email "oca-ci"
+            git config user.name "[email protected]"
+            git am --keep po.patch
+            # Push but don't fail if upstream has changed in the meantime
+            git push origin HEAD:${{ github.ref_name }} || true
+          fi