From 55e8999b1834a8c1fd141393b0394ee44f1d6b0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andrzej=20Kobyli=C5=84ski?=
Date: Tue, 7 Apr 2026 15:45:13 +0200
Subject: [PATCH 1/2] fix: mask decoded PGP key in CI logs

Previous approach wrote the decoded key to $GITHUB_ENV, which leaked it in the env block of subsequent step logs. Now decode + mask each line with ::add-mask:: + export in the same step, so the key never appears in logs.
---
 .github/workflows/ci.yml | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b64a285..21838fb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -113,19 +113,16 @@ jobs:
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1
 
-      - name: Decode PGP key
+      - name: Publish to Maven Central
         run: |
-          echo "$PGP_SECRET_BASE64" | base64 -d > /tmp/secring.asc
-          echo "ORG_GRADLE_PROJECT_signingInMemoryKey<> $GITHUB_ENV
-          cat /tmp/secring.asc >> $GITHUB_ENV
-          echo "EOF" >> $GITHUB_ENV
-          rm /tmp/secring.asc
+          DECODED_KEY=$(echo "$PGP_SECRET_BASE64" | base64 -d)
+          while IFS= read -r line; do
+            echo "::add-mask::$line"
+          done <<< "$DECODED_KEY"
+          export ORG_GRADLE_PROJECT_signingInMemoryKey="$DECODED_KEY"
+          ./gradlew publishAndReleaseToMavenCentral
         env:
           PGP_SECRET_BASE64: ${{ secrets.PGP_SECRET }}
-
-      - name: Publish to Maven Central
-        run: ./gradlew publishAndReleaseToMavenCentral
-        env:
           ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.SONATYPE_USERNAME }}
           ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.SONATYPE_PASSWORD }}
           ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.PGP_PASSPHRASE }}

From 66b852d9140326a00580bb8728a7b556a61db919 Mon Sep 17 00:00:00 2001
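Review bot: Nothing in the new step checks that `DECODED_KEY` is non-empty, so an unset or malformed `PGP_SECRET` (secrets are also unavailable on some trigger paths) leaves `ORG_GRADLE_PROJECT_signingInMemoryKey` exported as an empty string and `./gradlew publishAndReleaseToMavenCentral` goes on to fail somewhere inside the plugin instead of at the obvious point. Fail fast right after the assignment: `[ -n "$DECODED_KEY" ] || { echo "::error::PGP_SECRET did not decode to a key"; exit 1; }`. Whether a `base64 -d` error already aborts the step depends on the job's `shell:`/`defaults:` setting, which is outside this hunk, so the explicit check is the portable option. A comment above the loop would also spare the next reader a trip to the commit log, e.g. `# ::add-mask:: works on a single line; mask the armored key line by line so no fragment reaches the log`. The job's `steps:` list starts outside the hunk.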
From: =?UTF-8?q?Andrzej=20Kobyli=C5=84ski?=
Date: Tue, 7 Apr 2026 21:44:34 +0200
Subject: [PATCH 2/2] fix: skip empty lines in add-mask to avoid warning

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 21838fb..f197b25 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -117,7 +117,7 @@ jobs:
         run: |
           DECODED_KEY=$(echo "$PGP_SECRET_BASE64" | base64 -d)
           while IFS= read -r line; do
-            echo "::add-mask::$line"
+            [ -n "$line" ] && echo "::add-mask::$line"
           done <<< "$DECODED_KEY"
           export ORG_GRADLE_PROJECT_signingInMemoryKey="$DECODED_KEY"
           ./gradlew publishAndReleaseToMavenCentral
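Review bot: The skip on the added line is undocumented, and a mask loop that deliberately drops input is exactly the kind of line a future reader will "fix" back; the reason lives only in the commit subject. Keep it in the file with a comment above the line, e.g. `# armored keys have a blank line after the header block; ::add-mask:: warns on an empty value`. As a point of style, `if [ -n "$line" ]; then echo "::add-mask::$line"; fi` states the conditional side effect more plainly than the `&&` short-circuit. The enclosing step starts outside the hunk.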