Externalize tokens for Danger, use correct base branch ref

.ci/build.sh

@@ -12,7 +12,7 @@ set -e
 #set -x
 
 function pmd_ci_build_main() {
-    pmd_ci_setup_env
+    pmd_ci_setup_private_env
     pmd_ci_setup_gpg_key
     pmd_ci_setup_ssh
 

.ci/files/maven-settings.xml

@@ -12,7 +12,7 @@
   <servers>
     <server>
       <id>ossrh</id>
-      <username>${env.CI_DEPLY_USER}</username>
+      <username>${env.CI_DEPLOY_USER}</username>
       <password>${env.CI_DEPLOY_PASSWORD}</password>
     </server>
   </servers>

.ci/inc/regression-tester.inc

@@ -5,11 +5,19 @@
 # The functions here require the following environment variables:
 # PMD_SF_USER
 # PMD_CI_BRANCH
+#
+# DANGER_GITHUB_API_TOKEN
+# PMD_CI_CHUNK_TOKEN
 
 function regression_tester_setup_ci() {
     # install openjdk8 for pmd-regression-tests
     .ci/install-openjdk.sh 8
 
+    gpg --batch --yes --decrypt --passphrase="GnxdjywUEPveyCD1RLiTd7t8CImnefYr" \
+        --output .ci/files/public-env .ci/files/public-env.gpg
+    source .ci/files/public-env >/dev/null 2>&1
+    rm .ci/files/public-env
+
     if hash "bundler" 2>/dev/null; then
         log_debug "Bundler is already installed"
     else
@@ -17,11 +25,6 @@ function regression_tester_setup_ci() {
         gem install bundler
     fi
 
-    # Token for danger to add comments to PRs
-    export DANGER_GITHUB_API_TOKEN=f2f658fd5e72410e465104b65805dd7245479666
-    # Token for uploading reports to chunk.io
-    export PMD_CI_CHUNK_TOKEN="pmd:dMvJ1TH3oOl76QHf04EJ"
-
     rm -f .bundle/config
     bundle config set --local path vendor/bundle
     bundle config set --local with release_notes_preprocessing
@@ -38,9 +41,6 @@ function regression_tester_uploadBaseline() {
     log_debug "$FUNCNAME branch=${PMD_CI_BRANCH}"
     local targetUrl="https://sourceforge.net/projects/pmd/files/pmd-regression-tester/"
 
-    PMD_CI_BRANCH=${PMD_CI_BRANCH##refs/heads/}
-    log_debug "Using modified branch name: ${PMD_CI_BRANCH}"
-
     local errexitstate="$(shopt -po errexit)"
     set +e # disable errexit
     (
@@ -94,10 +94,6 @@ function regression_tester_executeDanger() {
         set -e
         trap danger_failed ERR
 
-        PMD_CI_BRANCH=${PMD_CI_BRANCH##refs/heads/}
-        export PMD_CI_BRANCH
-        log_debug "Using modified branch name: ${PMD_CI_BRANCH}"
-
         # Create a corresponding remote branch locally
         if ! git show-ref --verify --quiet refs/heads/${PMD_CI_BRANCH}; then
             git fetch --no-tags origin +refs/heads/${PMD_CI_BRANCH}:refs/remotes/origin/${PMD_CI_BRANCH}

.ci/inc/setup-secrets.inc

@@ -1,6 +1,6 @@
-function pmd_ci_setup_env() {
+function pmd_ci_setup_private_env() {
     log_info "Setting up secrets as environment variables..."
-    local -r ENV_FILE=.ci/files/env
+    local -r ENV_FILE=.ci/files/private-env
 
     printenv PMD_CI_SECRET_PASSPHRASE | gpg --batch --yes --decrypt \
         --passphrase-fd 0 \

.github/workflows/pull-requests.yml

@@ -34,5 +34,5 @@ jobs:
         shell: bash
         env:
           MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=180 -Dmaven.wagon.http.retryHandler.count=3
-          PMD_CI_BRANCH: ${{ github.ref }}
+          PMD_CI_BRANCH: ${{ github.event.base.ref }}
           PMD_CI_PULL_REQUEST_NUMBER: ${{ github.event.number }}