From 3b24319e730c13008262482fc04e4f9a6f0aa947 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?=
Date: Fri, 3 Jan 2025 15:31:07 +0100
Subject: [PATCH] Push .pot changes without GitHub secret

Use a short lived token to push to the repository. Don't expose the token to the test jobs.
---
 ...ci == 'GitHub' %}test.yml{% endif %}.jinja | 35 +++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

diff --git a/src/.github/workflows/{% if ci == 'GitHub' %}test.yml{% endif %}.jinja b/src/.github/workflows/{% if ci == 'GitHub' %}test.yml{% endif %}.jinja
index 0c76f66..8ee2586 100644
--- a/src/.github/workflows/{% if ci == 'GitHub' %}test.yml{% endif %}.jinja
+++ b/src/.github/workflows/{% if ci == 'GitHub' %}test.yml{% endif %}.jinja
@@ -167,6 +167,37 @@ jobs:
 {%- endif %}
 {% raw -%}
 - name: Update .pot files
- run: oca_export_and_push_pot https://x-access-token:${{ secrets.GIT_PUSH_TOKEN }}@github.com/${{ github.repository }}
- {%- endraw %}
+ run: |
+ oca_export_and_commit_pot
+ git format-patch --output-directory=po-patch --keep-subject @{u}..@
 if: {{ "${{" }} matrix.makepot == 'true' && github.event_name == 'push' && github.repository_owner == '{{ org_slug }}' {{ "}}" }}
+ - uses: actions/upload-artifact@v4
+ with:
+ name: po-patch
+ path: po.patch
+ if-no-files-found: ignore
+ if: {{ "${{" }} matrix.makepot == 'true' && github.event_name == 'push' && github.repository_owner == '{{ org_slug }}' {{ "}}" }}
+ push-pot:
+ needs: [test]
+ runs-on: ubuntu-24.04
+ if: {{ "${{" }} github.event_name == 'push' && github.repository_owner == '{{ org_slug }}' {{ "}}" }}
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/download-artifact@v4
+ with:
+ name: po-patch
+ path: po-patch
+ - name: Configure git user
+ run: |
+ git config user.email "oca-ci"
+ git config user.name "oca-ci@odoo-community.org"
+ - name: Apply .pot files changes
+ run: git am --keep po-patch/*
+ if: ${{ hashFiles('po-patch/*') != '' }}
+ - name: Push .pot file changes
+ run: git push
+ if: ${{ hashFiles('po-patch/*') != '' }}
+ # Don't fail in case something has changed upstream in the meantime
+ continue-on-error: true
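Review bot: The new `push-pot` job runs `git am --keep po-patch/*` under `contents: write` on whatever the test job uploaded, and nothing limits the applied changes to translation templates, so the split from the test job only helps if the artifact is treated as untrusted input. Constrain it before pushing, for example `run: git am --keep --include='*.pot' po-patch/*`, or reject the patch when it touches other paths. The upload step also uses `path: po.patch` although `git format-patch` writes to the directory `po-patch`, and `if-no-files-found: ignore` hides the mismatch; `path: po-patch` looks intended. The `git config` values appear swapped (`user.email "oca-ci"`, `user.name "oca-ci@odoo-community.org"`). The test job starts outside the hunk and the hunk drops `{%- endraw %}` while keeping `{% raw -%}`, so confirm the raw block is still closed where the `{{ "${{" }}` lines need Jinja and the `${{ hashFiles(...) }}` lines need to pass through verbatim.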