Skip to main content

CI secret injection standard

For remote adapters, keep secrets in your CI secret manager and inject them only in jobs that call hyperlocalise sync.
  • Commit only *Env variable names in i18n.yml.
  • Inject token values at runtime through job-level environment variables.
  • Use separate credentials for read-only checks vs write-enabled sync jobs.
  • Avoid printing environment variables in pipeline steps.

Install the CLI in GitHub Actions

Use the install action to download a release binary and add hyperlocalise to PATH for later steps. This is the recommended setup for CI jobs that run CLI commands directly.
Pin a specific release when you want tighter change control:
Inputs:
  • version: release tag to install. Defaults to latest.
  • install-dir: optional install directory. Defaults to a runner temp directory.
For pull request drift and integrity checks without hand-rolling CLI steps, use the GitHub Action drift check composite action instead.

Suggested checks

Install the CLI first, then run these commands in your job.

1. Config + planning smoke test

2. Status snapshot

Store CSV as a build artifact for trend tracking.

3. Sync preview gate

sync pull and sync push apply changes by default. Add --dry-run for non-mutating CI preview jobs.
Run without --dry-run only in jobs that are explicitly authorized to write local files or remote systems.

Scheduled sync job examples

Use these GitHub Actions examples as a baseline. Adapt secret names and approval rules to your CI platform.

Scheduled pull sync (read-only, safe default)

To apply remote changes to local files in CI, switch to:

Scheduled push sync (write-enabled, active)

For a non-mutating validation pass, use:
For write-enabled jobs, prefer protected environments, approval gates, and least-privilege service credentials.