ci: add continuous translation extraction workflow#1131
Conversation
WalkthroughAdds a scheduled and manually triggered GitHub Actions workflow that prepares the Python environment, merges Estimated code review effort: 3 (Moderate) | ~20 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
.github/workflows/extract-translations.yml (1)
28-32: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low valueConsider setting
persist-credentials: falsefor defense-in-depth.zizmor flags this as an artipacked risk:
actions/checkoutdefaults topersist-credentials: true, which stores theGITHUB_TOKENin~/.git-credentialsfor the job's lifetime. While only trusted steps run here, explicitly configuring credentials only for the push step reduces the attack surface if a future step引入es untrusted code.Since the workflow needs credentials for
git push, you would need to configure them manually:🛡️ Optional hardening
- name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: translations fetch-depth: 0 + persist-credentials: falseThen before the push step, configure credentials explicitly:
- name: Configure git credentials run: | git config --global url."https://x-access-token:${{ secrets.GITHUB_TOKEN }}`@github.com/`".insteadOf "https://github.com/"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/extract-translations.yml around lines 28 - 32, Set persist-credentials: false in the actions/checkout step, then add a Configure git credentials step immediately before the existing push operation using the provided GITHUB_TOKEN URL rewrite so git push continues to authenticate.Source: Linters/SAST tools
sonar/translations/manual_translations.txt (1)
16-17: 📐 Maintainability & Code Quality | 🔵 TrivialTrack the removal of this test entry.
The comment says "to be removed" but there's no linked issue or TODO with a follow-up owner. This entry will add
msgid "Translation test"to every.pocatalog on the next extraction run. Consider opening an issue to track its removal once the workflow is validated, or remove it in the same PR if this is just a dry-run test.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@sonar/translations/manual_translations.txt` around lines 16 - 17, Remove the temporary _('Translation test') entry from manual_translations.txt if the extraction workflow has been validated; otherwise add a clearly referenced tracking TODO or issue owner for its removal, ensuring the test string is not left permanently in generated translation catalogs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/extract-translations.yml:
- Around line 76-81: Update the retry loop in the translation workflow to track
whether git push succeeds and explicitly fail the step after all three attempts
if it does not. Remove the unconditional `|| true` from the merge operation,
detect merge conflicts, abort the merge with `git merge --abort`, and fail or
continue only with a clean repository state before retrying.
---
Nitpick comments:
In @.github/workflows/extract-translations.yml:
- Around line 28-32: Set persist-credentials: false in the actions/checkout
step, then add a Configure git credentials step immediately before the existing
push operation using the provided GITHUB_TOKEN URL rewrite so git push continues
to authenticate.
In `@sonar/translations/manual_translations.txt`:
- Around line 16-17: Remove the temporary _('Translation test') entry from
manual_translations.txt if the extraction workflow has been validated; otherwise
add a clearly referenced tracking TODO or issue owner for its removal, ensuring
the test string is not left permanently in generated translation catalogs.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 8e389021-6642-4f5b-aeae-080664b1a80d
📒 Files selected for processing (2)
.github/workflows/extract-translations.ymlsonar/translations/manual_translations.txt
b31fd55 to
663356a
Compare
Introduce the extraction side of the continuous localization loop. A scheduled job (nightly, plus manual dispatch) keeps the `translations` branch equal to `staging` plus the not-yet-released translations: - merge (never rebase) `staging` into `translations` so the buffer is never rewritten; - regenerate the gettext catalogs with `extract_messages` / `update_catalog --no-fuzzy-matching`; - commit and push back to `translations` only when the catalogs change, ignoring the POT-Creation-Date churn that pybabel rewrites on every run, and re-merging any concurrent Weblate commit before pushing. Weblate tracks the same branch and edits only translations, so the two never touch the same lines. The buffer is squash-merged into `staging` once per release, keeping history linear. This removes the need for force-push, branch locks and Weblate resets. Co-Authored-by: Pascal Repond <pascal.repond@rero.ch>
663356a to
8469913
Compare
Introduce the extraction side of the continuous localization loop. A scheduled job (nightly, plus manual dispatch) keeps the
translationsbranch equal tostagingplus the not-yet-released translations:stagingintotranslationsso the buffer is never rewritten;extract_messages/update_catalog --no-fuzzy-matching;translationsonly when the catalogs change, ignoring the POT-Creation-Date churn that pybabel rewrites on every run, and re-merging any concurrent Weblate commit before pushing.Weblate tracks the same branch and edits only translations, so the two never touch the same lines. The buffer is squash-merged into
stagingonce per release, keeping history linear.This removes the need for force-push, branch locks and Weblate resets.