> ## Documentation Index
> Fetch the complete documentation index at: https://hyperlocalise.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# CI automation

> Secure CI patterns for drift checks and scheduled TMS pull/push synchronization.

## CI secret injection standard

For remote adapters, keep secrets in your CI secret manager and inject them only in jobs that call `hyperlocalise sync`.

* Commit only `*Env` variable names in `i18n.yml`.
* Inject token values at runtime through job-level environment variables.
* Use separate credentials for read-only checks vs write-enabled sync jobs.
* Avoid printing environment variables in pipeline steps.

## Install the CLI in GitHub Actions

Use the install action to download a release binary and add `hyperlocalise` to `PATH` for later steps. This is the recommended setup for CI jobs that run CLI commands directly.

```yaml theme={null}
- uses: hyperlocalise/hyperlocalise/install@v1
  with:
    version: latest
```

Pin a specific release when you want tighter change control:

```yaml theme={null}
- uses: hyperlocalise/hyperlocalise/install@v1
  with:
    version: v1.2.3
```

Inputs:

* `version`: release tag to install. Defaults to `latest`.
* `install-dir`: optional install directory. Defaults to a runner temp directory.

For pull request drift and integrity checks without hand-rolling CLI steps, use the [GitHub Action drift check](/workflows/github-action-drift-check) composite action instead.

## Suggested checks

Install the CLI first, then run these commands in your job.

### 1. Config + planning smoke test

```bash theme={null}
hyperlocalise run --dry-run
```

### 2. Status snapshot

```bash theme={null}
hyperlocalise status --output csv
```

Store CSV as a build artifact for trend tracking.

### 3. Sync preview gate

`sync pull` and `sync push` apply changes by default. Add `--dry-run` for non-mutating CI preview jobs.

```bash theme={null}
hyperlocalise sync pull --output json --dry-run
hyperlocalise sync push --output json --dry-run
```

Run without `--dry-run` only in jobs that are explicitly authorized to write local files or remote systems.

## Scheduled sync job examples

Use these GitHub Actions examples as a baseline. Adapt secret names and approval rules to your CI platform.

### Scheduled pull sync (read-only, safe default)

```yaml theme={null}
name: tms-pull-sync

on:
  schedule:
    - cron: "0 */6 * * *"
  workflow_dispatch:

jobs:
  pull-sync:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      SMARTLING_USER_SECRET: ${{ secrets.SMARTLING_USER_SECRET }}
      LOKALISE_API_TOKEN: ${{ secrets.LOKALISE_API_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: hyperlocalise/hyperlocalise/install@v1
        with:
          version: latest
      - run: hyperlocalise sync pull --output json --dry-run
```

To apply remote changes to local files in CI, switch to:

```bash theme={null}
hyperlocalise sync pull --output json
```

### Scheduled push sync (write-enabled, active)

```yaml theme={null}
name: tms-push-sync

on:
  schedule:
    - cron: "30 2 * * *"
  workflow_dispatch:

jobs:
  push-sync:
    runs-on: ubuntu-latest
    environment: production
    permissions:
      contents: read
    env:
      SMARTLING_USER_SECRET: ${{ secrets.SMARTLING_USER_SECRET }}
      LOKALISE_API_TOKEN: ${{ secrets.LOKALISE_API_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: hyperlocalise/hyperlocalise/install@v1
        with:
          version: latest
      - run: hyperlocalise sync push --output json
```

For a non-mutating validation pass, use:

```bash theme={null}
hyperlocalise sync push --output json --dry-run
```

For write-enabled jobs, prefer protected environments, approval gates, and least-privilege service credentials.
