Harden release workflow GPG key import for Maven Central publish

[Copilot]

The Publish to Maven Central Actions job failed during Import GPG private key because the workflow treated non-armored input as base64 unconditionally, causing base64: invalid input and aborting release publishing. This change makes key parsing format-tolerant so release signing can proceed across common secret encodings.

• Root-cause correction: resilient key format handling

  • Normalize escaped newlines first.
  • If armored PGP content is detected, import directly.
  • Otherwise attempt base64 decode.
  • If decode fails, fall back to normalized raw content instead of hard-failing.

• Operational clarity

  • Add a targeted ::notice:: message when base64 decode is invalid and fallback is used, with guidance on expected armored key format.

normalized_key="$(printf '%s' "${GPG_PRIVATE_KEY}" | sed 's/\\n/\n/g')"

if [[ "${normalized_key}" == *"-----BEGIN PGP PRIVATE KEY BLOCK-----"* ]]; then
  printf '%s' "${normalized_key}" > "${key_file}"
else
  if ! printf '%s' "${normalized_key}" | base64 --decode > "${key_file}" 2>/dev/null; then
    echo "::notice::GPG_PRIVATE_KEY is not valid base64-encoded. Using raw key format. If import fails, verify the secret contains a valid PGP private key block (armored format)."
    printf '%s' "${normalized_key}" > "${key_file}"
  fi
fi