CI secret injection standard

For remote adapters, keep secrets in your CI secret manager and inject them only in jobs that call hyperlocalise sync.
  • Commit only the *Env variable names in i18n.jsonc, never the token values themselves.
  • Inject token values at runtime through job-level environment variables.
  • Use separate credentials for read-only checks vs write-enabled sync jobs.
  • Avoid printing environment variables in pipeline steps.
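
One way to enforce the first rule in CI, as an added example (not hyperlocalise's own code): a check that parses i18n.jsonc and fails when a key ending in Env holds something other than a variable name, or when a secret-looking key holds a literal value. The adapter and key names in the sample and the keyword list are assumptions, not the tool's documented schema.

```python
import json
import re
import sys
# Assumption: keys ending in "Env" hold the NAME of an environment variable.
ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Assumption: other keys containing these words would hold a literal credential.
SECRET_KEY = re.compile(r"token|secret|password|api_?key", re.I)
# A JSON string, or a // or /* */ comment; matching strings first keeps URLs intact.
JSONC_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
# Constructed sample; adapter and key names are hypothetical, not the real schema.
SAMPLE = """{
  // remote adapters
  "adapters": {
    "lokalise": {"apiTokenEnv": "LOKALISE_API_TOKEN", "url": "https://example.invalid/api"},
    "smartling": {"userSecretEnv": "EXAMPLE-literal/not-a-var-name"},
    "legacy": {"apiToken": "EXAMPLE_LITERAL_VALUE"}
  }
}"""

def strip_comments(text):
    """Remove JSONC comments (trailing commas are not handled)."""
    return JSONC_TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def find_violations(node, path="$"):
    """Return (path, reason) pairs; offending values are never included."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if not isinstance(value, str):
                found.extend(find_violations(value, here))
            elif key.endswith("Env"):
                if not ENV_NAME.fullmatch(value):
                    found.append((here, "not an environment variable name"))
            elif SECRET_KEY.search(key) and value:
                found.append((here, "literal credential; reference an *Env key"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(find_violations(item, f"{path}[{i}]"))
    return found

def check_config(text):
    return find_violations(json.loads(strip_comments(text)))

if __name__ == "__main__":
    problems = check_config(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE)
    for where, why in problems:
        print(f"{where}: {why}")  # report the path only, never the value
    sys.exit(1 if problems else 0)
```

Run it with the config path as the only argument; it exits non-zero on any finding, so it can gate a pull request before the config is merged.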

Suggested checks

1. Config + planning smoke test

hyperlocalise run --config i18n.jsonc --dry-run

2. Status snapshot

hyperlocalise status --config i18n.jsonc --output csv

Store the CSV as a build artifact for trend tracking.

3. Sync conflict gate

sync pull and sync push default to --dry-run=true, which is a safe CI baseline.

hyperlocalise sync pull --config i18n.jsonc --output json --fail-on-conflict --dry-run=true
hyperlocalise sync push --config i18n.jsonc --output json --fail-on-conflict --dry-run=true

Use --dry-run=false only in jobs that are explicitly authorized to write local files or remote systems.

Scheduled sync job examples

Use these GitHub Actions examples as a baseline. Adapt secret names and approval rules to your CI platform.

Scheduled pull sync (read-only, safe default)

name: tms-pull-sync

on:
  schedule:
    - cron: "0 */6 * * *"
  workflow_dispatch:

jobs:
  pull-sync:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      SMARTLING_USER_SECRET: ${{ secrets.SMARTLING_USER_SECRET }}
      LOKALISE_API_TOKEN: ${{ secrets.LOKALISE_API_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go run . sync pull --config i18n.jsonc --output json --fail-on-conflict --dry-run=true

To apply remote changes to local files in CI, switch to:

go run . sync pull --config i18n.jsonc --output json --fail-on-conflict --dry-run=false

Scheduled push sync (write-enabled, active)

name: tms-push-sync

on:
  schedule:
    - cron: "30 2 * * *"
  workflow_dispatch:

jobs:
  push-sync:
    runs-on: ubuntu-latest
    environment: production
    permissions:
      contents: read
    env:
      SMARTLING_USER_SECRET: ${{ secrets.SMARTLING_USER_SECRET }}
      LOKALISE_API_TOKEN: ${{ secrets.LOKALISE_API_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go run . sync push --config i18n.jsonc --output json --fail-on-conflict --dry-run=false

For a non-mutating validation pass, use:

go run . sync push --config i18n.jsonc --output json --fail-on-conflict --dry-run=true

For write-enabled jobs, prefer protected environments, approval gates, and least-privilege service credentials.