Skip to content

ci: add continuous translation extraction workflow#1131

Merged
PascalRepond merged 1 commit into
rero:stagingfrom
PascalRepond:rep-i18n-continuous
Jul 10, 2026
Merged

ci: add continuous translation extraction workflow#1131
PascalRepond merged 1 commit into
rero:stagingfrom
PascalRepond:rep-i18n-continuous

Conversation

@PascalRepond

Copy link
Copy Markdown
Contributor

Introduce the extraction side of the continuous localization loop. A scheduled job (nightly, plus manual dispatch) keeps the translations branch equal to staging plus the not-yet-released translations:

  • merge (never rebase) staging into translations so the buffer is never rewritten;
  • regenerate the gettext catalogs with extract_messages / update_catalog --no-fuzzy-matching;
  • commit and push back to translations only when the catalogs change, ignoring the POT-Creation-Date churn that pybabel rewrites on every run, and re-merging any concurrent Weblate commit before pushing.

Weblate tracks the same branch and edits only translations, so the two never touch the same lines. The buffer is squash-merged into staging once per release, keeping history linear.

This removes the need for force-push, branch locks and Weblate resets.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

Adds a scheduled and manually triggered GitHub Actions workflow that prepares the Python environment, merges staging into translations, regenerates gettext catalogs, and conditionally commits and pushes catalog changes with retry handling. Adds a commented Translation test extraction entry to the manual translations file.

Estimated code review effort: 3 (Moderate) | ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the new CI workflow for continuous translation extraction.
Description check ✅ Passed The description matches the workflow and translation extraction changes in the pull request.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/extract-translations.yml (1)

28-32: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Consider setting persist-credentials: false for defense-in-depth.

zizmor flags this as an artipacked risk: actions/checkout defaults to persist-credentials: true, which stores the GITHUB_TOKEN in ~/.git-credentials for the job's lifetime. While only trusted steps run here, explicitly configuring credentials only for the push step reduces the attack surface if a future step引入es untrusted code.

Since the workflow needs credentials for git push, you would need to configure them manually:

🛡️ Optional hardening
       - name: Checkout repository
         uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           ref: translations
           fetch-depth: 0
+          persist-credentials: false

Then before the push step, configure credentials explicitly:

      - name: Configure git credentials
        run: |
          git config --global url."https://x-access-token:${{ secrets.GITHUB_TOKEN }}`@github.com/`".insteadOf "https://github.com/"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/extract-translations.yml around lines 28 - 32, Set
persist-credentials: false in the actions/checkout step, then add a Configure
git credentials step immediately before the existing push operation using the
provided GITHUB_TOKEN URL rewrite so git push continues to authenticate.

Source: Linters/SAST tools

sonar/translations/manual_translations.txt (1)

16-17: 📐 Maintainability & Code Quality | 🔵 Trivial

Track the removal of this test entry.

The comment says "to be removed" but there's no linked issue or TODO with a follow-up owner. This entry will add msgid "Translation test" to every .po catalog on the next extraction run. Consider opening an issue to track its removal once the workflow is validated, or remove it in the same PR if this is just a dry-run test.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@sonar/translations/manual_translations.txt` around lines 16 - 17, Remove the
temporary _('Translation test') entry from manual_translations.txt if the
extraction workflow has been validated; otherwise add a clearly referenced
tracking TODO or issue owner for its removal, ensuring the test string is not
left permanently in generated translation catalogs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/extract-translations.yml:
- Around line 76-81: Update the retry loop in the translation workflow to track
whether git push succeeds and explicitly fail the step after all three attempts
if it does not. Remove the unconditional `|| true` from the merge operation,
detect merge conflicts, abort the merge with `git merge --abort`, and fail or
continue only with a clean repository state before retrying.

---

Nitpick comments:
In @.github/workflows/extract-translations.yml:
- Around line 28-32: Set persist-credentials: false in the actions/checkout
step, then add a Configure git credentials step immediately before the existing
push operation using the provided GITHUB_TOKEN URL rewrite so git push continues
to authenticate.

In `@sonar/translations/manual_translations.txt`:
- Around line 16-17: Remove the temporary _('Translation test') entry from
manual_translations.txt if the extraction workflow has been validated; otherwise
add a clearly referenced tracking TODO or issue owner for its removal, ensuring
the test string is not left permanently in generated translation catalogs.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8e389021-6642-4f5b-aeae-080664b1a80d

📥 Commits

Reviewing files that changed from the base of the PR and between 9afb0d6 and b31fd55.

📒 Files selected for processing (2)
  • .github/workflows/extract-translations.yml
  • sonar/translations/manual_translations.txt

Comment thread .github/workflows/extract-translations.yml
@PascalRepond PascalRepond force-pushed the rep-i18n-continuous branch from b31fd55 to 663356a Compare July 10, 2026 07:58
Introduce the extraction side of the continuous localization loop. A
scheduled job (nightly, plus manual dispatch) keeps the `translations`
branch equal to `staging` plus the not-yet-released translations:

- merge (never rebase) `staging` into `translations` so the buffer is
  never rewritten;
- regenerate the gettext catalogs with `extract_messages` /
  `update_catalog --no-fuzzy-matching`;
- commit and push back to `translations` only when the catalogs change,
  ignoring the POT-Creation-Date churn that pybabel rewrites on every run,
  and re-merging any concurrent Weblate commit before pushing.

Weblate tracks the same branch and edits only translations, so the two
never touch the same lines. The buffer is squash-merged into `staging`
once per release, keeping history linear.

This removes the need for force-push, branch locks and Weblate resets.

Co-Authored-by: Pascal Repond <pascal.repond@rero.ch>
@PascalRepond PascalRepond force-pushed the rep-i18n-continuous branch from 663356a to 8469913 Compare July 10, 2026 08:01
@PascalRepond PascalRepond merged commit 3acf186 into rero:staging Jul 10, 2026
3 checks passed
@PascalRepond PascalRepond deleted the rep-i18n-continuous branch July 10, 2026 08:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant