fix(workflow): expose POEDITOR_TOKEN to locale audit step

[Copilot]

The Run locale audit step lacked POEDITOR_TOKEN in its environment, causing npm run locale:audit to always fail with POEDITOR_TOKEN environment variable is required. Additionally, audit-only mode skipped the token presence check despite the audit script requiring the token to call the POEditor API.

Changes

• Job-level env: Moved POEDITOR_TOKEN: ${{ secrets.POEDITOR_TOKEN }} from the download step to the job level, making it available to all steps including Run locale audit
• Token check: Removed if: inputs.operation_mode != 'audit-only' guard from Check POEditor Token — the check is required for all modes since the audit calls the POEditor API
• Cleanup: Removed now-redundant step-level env block from Download locales from POEditor

jobs:
  download:
    runs-on: ubuntu-latest
    env:
      POEDITOR_TOKEN: ${{ secrets.POEDITOR_TOKEN }}   # ← was only on the download step

Original prompt

Fix failing GitHub Actions workflow job 66047598996 (Locale Download POEditor) where npm run locale:audit fails with POEDITOR_TOKEN environment variable is required.

Context:

• Workflow: .github/workflows/locale-poeditor-download.yml
• Job logs show the workflow checks ${{ secrets.POEDITOR_TOKEN }} and prints configured, but later the locale audit script (locale/scripts/locale-audit.js) fails because it reads process.env.POEDITOR_TOKEN and the audit step does not export the secret to the environment.
• Download step already sets env: POEDITOR_TOKEN: ${{ secrets.POEDITOR_TOKEN }} but the audit step does not.
• Additionally, audit-only mode currently skips the token check but still runs the audit, which requires the token.

Required changes:

1. Update .github/workflows/locale-poeditor-download.yml so the Run locale audit step has access to the token (either via step-level env or job-level env). Prefer a job-level env for clarity and to cover all steps, but ensure it does not break the audit-only mode.
2. Ensure Check POEditor Token behavior aligns with audit-only mode:
   • Either run the token check for audit-only mode too, or otherwise guarantee that audit-only runs won’t fail due to missing token.
3. Keep changes minimal and focused on fixing the failing job.

Reference run/job:

• https://github.com/ChurchCRM/CRM/actions/runs/22769871384/job/66047598996

Acceptance criteria:

• Workflow no longer fails at locale audit due to missing POEDITOR_TOKEN.
• Scheduled and workflow_dispatch runs succeed when secret is present.
• audit-only mode behavior is consistent (does not falsely skip needed token check).

This pull request was created from Copilot chat.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

This PR fixes a failing GitHub Actions workflow (locale-poeditor-download.yml) where the Run locale audit step failed because npm run locale:audit reads process.env.POEDITOR_TOKEN but the secret was not exported to that step's environment. The fix promotes the token to a job-level env variable so all steps (including Run locale audit) automatically inherit it, removes the now-redundant step-level env on the Download locales from POEditor step, and removes the audit-only bypass on the Check POEditor Token step to ensure the token is always validated (since audit-only mode also calls the POEditor API).

Changes:

• Moved POEDITOR_TOKEN secret to job-level env, making it available to all steps including Run locale audit
• Removed the if: inputs.operation_mode != 'audit-only' guard from the Check POEditor Token step so token validation runs in every mode
• Removed the now-redundant step-level env block from the Download locales from POEditor step