name: Cron / Crowdin Pull
run-name: Crowdin Pull - ${{ github.event_name == 'workflow_dispatch' && 'Manual' || 'Scheduled' }}

on:
  workflow_dispatch:
  schedule:
    # Run weekly on Sunday at 00:00 UTC
    - cron: '0 0 * * 0'
    
permissions: {}

jobs:
  crowdin-sync:
    name: Crowdin Pull - ${{ github.event_name }}
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout repo
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          persist-credentials: false

      - name: Log in to Azure
        uses: bitwarden/gh-actions/azure-login@main
        with:
          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Get Azure Key Vault secrets
        id: get-kv-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
          keyvault: gh-org-bitwarden
          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
          keyvault: "bitwarden-ci"
          secrets: "crowdin-api-token, github-gpg-private-key, github-gpg-private-key-passphrase"

      - name: Log out from Azure
        uses: bitwarden/gh-actions/azure-logout@main

      - name: Generate GH App token
        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
        id: app-token
        with:
          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
          permission-contents: write      # for creating and pushing a new branch
          permission-pull-requests: write # for creating pull request

      - name: Download translations
        uses: crowdin/github-action@0749939f635900a2521aa6aac7a3766642b2dc71 # v2.11.0
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
          CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}
          _CROWDIN_PROJECT_ID: "269690"
        with:
          config: crowdin.yml
          upload_sources: false
          upload_translations: false
          download_translations: true
          github_user_name: "bitwarden-devops-bot"
          github_user_email: "106330231+bitwarden-devops-bot@users.noreply.github.com"
          commit_message: "Crowdin Pull"
          localization_branch_name: "crowdin-pull"
          create_pull_request: true
          pull_request_title: "Crowdin Pull"
          pull_request_body: ":inbox_tray: New translations received!"
          pull_request_labels: "automated-pr, t:misc"
          gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
          gpg_passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}