CI secret injection standard

For remote adapters, keep secrets in your CI secret manager and inject them only in jobs that call hyperlocalise sync.
  • Commit only *Env variable names in i18n.yml, never the token values.
  • Inject token values at runtime through job-level environment variables.
  • Use separate credentials for read-only checks vs write-enabled sync jobs.
  • Avoid printing environment variables in pipeline steps.
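
A preflight step that enforces the first two rules above and honours the last one by never echoing a value. This is an added example, not part of hyperlocalise; it assumes that any key ending in Env in i18n.yml holds an environment variable name, and the script name check-env-refs.sh is hypothetical.

```shell
#!/bin/sh
# Added example: preflight for the "*Env" convention in i18n.yml.
# Assumption: any key ending in "Env" holds the NAME of an environment variable.
LC_ALL=C; export LC_ALL   # keep [A-Z] ranges ASCII-only

# check_env_refs FILE
# Reports findings by file, line, key and variable name only; values are
# never echoed. Returns 0 when every reference is a set variable name.
check_env_refs() {
  cfg=$1 rc=0 n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    # Match "<key>Env: <value>" (optionally a list item); skip other lines.
    key=$(printf '%s\n' "$line" |
      sed -n 's/^[[:space:]-]*\([A-Za-z0-9_]*Env\)[[:space:]]*:.*/\1/p')
    [ -n "$key" ] || continue
    # Take the value, drop a trailing comment, whitespace and quotes.
    val=$(printf '%s\n' "$line" | sed -e 's/^[^:]*:[[:space:]]*//' \
      -e 's/[[:space:]]*#.*//' -e 's/[[:space:]]*$//' \
      -e "s/^[\"']//" -e "s/[\"']\$//")
    case $val in
      '' | [!A-Z_]* | *[!A-Z0-9_]*)
        # Not shaped like a variable name: possibly a committed token.
        echo "$cfg:$n: $key does not hold an environment variable name" >&2
        rc=1 ;;
      *)
        # printenv output is captured for the emptiness test, not printed.
        if [ -z "$(printenv "$val")" ]; then
          echo "$cfg:$n: $key -> $val is unset or empty in this job" >&2
          rc=1
        fi ;;
    esac
  done < "$cfg"
  return "$rc"
}

# Run as a CI step before any sync command: sh check-env-refs.sh i18n.yml
if [ "$#" -gt 0 ]; then check_env_refs "$1"; fi
```

The name check is deliberately strict (uppercase letters, digits and underscores), so a lowercase variable name is reported the same way as a pasted token.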

Install the CLI in GitHub Actions

Use the install action to download a release binary and add hyperlocalise to PATH for later steps. This is the recommended setup for CI jobs that run CLI commands directly.

- uses: hyperlocalise/hyperlocalise/install@v1
  with:
    version: latest

Pin a specific release when you want tighter change control:

- uses: hyperlocalise/hyperlocalise/install@v1
  with:
    version: v1.2.3

Inputs:
  • version: release tag to install. Defaults to latest.
  • install-dir: optional install directory. Defaults to a runner temp directory.

For pull request drift and integrity checks without hand-rolling CLI steps, use the GitHub Action drift check composite action instead.

Suggested checks

Install the CLI first, then run these commands in your job.

1. Config + planning smoke test

hyperlocalise run --dry-run

2. Status snapshot

hyperlocalise status --output csv

Store the CSV as a build artifact for trend tracking.

3. Sync preview gate

sync pull and sync push apply changes by default. Add --dry-run for non-mutating CI preview jobs.

hyperlocalise sync pull --output json --dry-run
hyperlocalise sync push --output json --dry-run

Run without --dry-run only in jobs that are explicitly authorized to write local files or remote systems.

Scheduled sync job examples

Use these GitHub Actions examples as a baseline. Adapt secret names and approval rules to your CI platform.

Scheduled pull sync (read-only, safe default)

name: tms-pull-sync

on:
  schedule:
    - cron: "0 */6 * * *"
  workflow_dispatch:

jobs:
  pull-sync:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      SMARTLING_USER_SECRET: ${{ secrets.SMARTLING_USER_SECRET }}
      LOKALISE_API_TOKEN: ${{ secrets.LOKALISE_API_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: hyperlocalise/hyperlocalise/install@v1
        with:
          version: latest
      - run: hyperlocalise sync pull --output json --dry-run

To apply remote changes to local files in CI, switch to:

hyperlocalise sync pull --output json

Scheduled push sync (write-enabled, active)

name: tms-push-sync

on:
  schedule:
    - cron: "30 2 * * *"
  workflow_dispatch:

jobs:
  push-sync:
    runs-on: ubuntu-latest
    environment: production
    permissions:
      contents: read
    env:
      SMARTLING_USER_SECRET: ${{ secrets.SMARTLING_USER_SECRET }}
      LOKALISE_API_TOKEN: ${{ secrets.LOKALISE_API_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: hyperlocalise/hyperlocalise/install@v1
        with:
          version: latest
      - run: hyperlocalise sync push --output json

For a non-mutating validation pass, use:

hyperlocalise sync push --output json --dry-run

For write-enabled jobs, prefer protected environments, approval gates, and least-privilege service credentials.