fix: mask decoded PGP key in CI logs (#20)

## Summary
- Decode base64 PGP key and mask with `::add-mask::` before passing to
Gradle
- Key stays in process memory, never written to `$GITHUB_ENV`
- Empty lines filtered to avoid `add-mask` warnings

## Test plan
- [x] Masking verified on [test
repo](https://github.com/endrju19/test-pgp-masking) — decoded key shows
as `***` in logs
- [ ] CI passes

Author: endrju19

.github/workflows/ci.yml

@@ -113,19 +113,16 @@ jobs:
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1
 
-      - name: Decode PGP key
+      - name: Publish to Maven Central
         run: |
-          echo "$PGP_SECRET_BASE64" | base64 -d > /tmp/secring.asc
-          echo "ORG_GRADLE_PROJECT_signingInMemoryKey<<EOF" >> $GITHUB_ENV
-          cat /tmp/secring.asc >> $GITHUB_ENV
-          echo "EOF" >> $GITHUB_ENV
-          rm /tmp/secring.asc
+          DECODED_KEY=$(echo "$PGP_SECRET_BASE64" | base64 -d)
+          while IFS= read -r line; do
+            [ -n "$line" ] && echo "::add-mask::$line"
+          done <<< "$DECODED_KEY"
+          export ORG_GRADLE_PROJECT_signingInMemoryKey="$DECODED_KEY"
+          ./gradlew publishAndReleaseToMavenCentral
         env:
           PGP_SECRET_BASE64: ${{ secrets.PGP_SECRET }}
-
-      - name: Publish to Maven Central
-        run: ./gradlew publishAndReleaseToMavenCentral
-        env:
           ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.SONATYPE_USERNAME }}
           ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.SONATYPE_PASSWORD }}
           ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.PGP_PASSPHRASE }}