From 67eb35edc3db2ad28ef455459fd5d56e2771b549 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andrzej=20Kobyli=C5=84ski?= <endrju397@gmail.com>
Date: Tue, 7 Apr 2026 15:37:04 +0200
Subject: [PATCH] fix: decode base64 PGP key before signing

SML org-level PGP_SECRET is base64-encoded (for sbt ci-release compat).
vanniktech expects raw ASCII-armored key. Decode in workflow step.
---
 .github/workflows/ci.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d417a9d..b64a285 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -113,12 +113,21 @@ jobs:
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1
 
+      - name: Decode PGP key
+        run: |
+          echo "$PGP_SECRET_BASE64" | base64 -d > /tmp/secring.asc
+          echo "ORG_GRADLE_PROJECT_signingInMemoryKey<<EOF" >> $GITHUB_ENV
+          cat /tmp/secring.asc >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
+          rm /tmp/secring.asc
+        env:
+          PGP_SECRET_BASE64: ${{ secrets.PGP_SECRET }}
+
       - name: Publish to Maven Central
         run: ./gradlew publishAndReleaseToMavenCentral
         env:
           ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.SONATYPE_USERNAME }}
           ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.SONATYPE_PASSWORD }}
-          ORG_GRADLE_PROJECT_signingInMemoryKey: ${{ secrets.PGP_SECRET }}
           ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.PGP_PASSPHRASE }}
 
       - name: Extract version from tag