amazon_s3_base_path=%BRANCH%
      - shell: |
          #!/usr/local/bin/runbld --redirect-stderr
          set -euo pipefail

          set +x
          VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_ROLE_ID secret_id=$VAULT_SECRET_ID)
          export VAULT_TOKEN
          export data=$(vault read -format=json aws-test/creds/elasticsearch-ci-s3)

            RUNTIME_JAVA_HOME=$HOME/.java/$ES_RUNTIME_JAVA
      - shell: |
          #!/usr/local/bin/runbld --redirect-stderr
          set +x
          VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_ROLE_ID secret_id=$VAULT_SECRET_ID)
          export VAULT_TOKEN
          export eql_test_credentials_file="$(pwd)/x-pack/plugin/eql/qa/correctness/credentials.gcs.json"

          set -euo pipefail
          export google_storage_service_account=$(pwd)/gcs_service_account.json

          set +x
          VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_ROLE_ID secret_id=$VAULT_SECRET_ID)
          export VAULT_TOKEN

            azure_storage_base_path=%BRANCH%
      - shell: |
          #!/usr/local/bin/runbld --redirect-stderr
          set -euo pipefail
          set +x
          VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_ROLE_ID secret_id=$VAULT_SECRET_ID)
          export VAULT_TOKEN
          export data=$(vault read -format=json secret/elasticsearch-ci/azure_thirdparty_sas_test_creds)

            azure_storage_base_path=%BRANCH%
      - shell: |
          #!/usr/local/bin/runbld --redirect-stderr
          set -euo pipefail
          set +x
          VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_ROLE_ID secret_id=$VAULT_SECRET_ID)
          export VAULT_TOKEN
          export data=$(vault read -format=json secret/elasticsearch-ci/azure_thirdparty_test_creds)

            RUNTIME_JAVA_HOME=$HOME/.java/$ES_RUNTIME_JAVA
      - shell: |
          #!/usr/local/bin/runbld --redirect-stderr
          set +x
          VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_ROLE_ID secret_id=$VAULT_SECRET_ID)
          export VAULT_TOKEN
          export eql_test_credentials_file="$(pwd)/x-pack/plugin/eql/qa/correctness/credentials.gcs.json"

final String vaultToken = System.getenv('VAULT_TOKEN') ?: new Vault(
  new VaultConfig()
    .address(System.env.VAULT_ADDR)
    .engineVersion(1)
    .build()
)
  .withRetries(5, 1000)
  .auth()
  .loginByAppRole("approle", System.env.VAULT_ROLE_ID, System.env.VAULT_SECRET_ID)
  .getAuthClientToken()

final Vault vault = new Vault(
  new VaultConfig()
    .address(System.env.VAULT_ADDR)
    .engineVersion(1)
    .token(vaultToken)

name: Label Approved

on:
  schedule:
    - cron: "0 12 * * *"
  workflow_dispatch:

permissions:
  pull-requests: write

jobs:
  label-approved:
    if: github.repository_owner == 'fastapi'
    runs-on: ubuntu-latest
    steps:
    - name: Dump GitHub context
      env:
        GITHUB_CONTEXT: ${{ toJson(github) }}
      run: echo "$GITHUB_CONTEXT"
    - uses: actions/checkout@v6
    - name: Set up Python

Once a native speaker comes, reviews the PR, and approves it, the GitHub Action will come and remove the `awaiting-review` label, and add the `approved-1` label.

This way, we can notice when there are new translations ready, because they have the `approved-1` label.

## Merge Translation PRs

Translations are generated automatically with LLMs and scripts.

-   If all looks good, the reviewer will approve the PR.
-   If a change is needed, the contributor is requested to make the suggested
    change.
-   You make the change and submit it for the review again.
-   This cycle repeats itself until the PR gets approved.
-   Note: As a friendly reminder, we may reach out to you if the PR is awaiting
    your response for more than 2 weeks.

**4. Approved**