Remove API token requirement from Danger workflow

Switch to tokenless execution using  with GitHub Actions
annotations for inline feedback. This eliminates the need for the
grape-bot token while still providing PR feedback via workflow annotations.

Changes:
- Use commit SHAs instead of branch refs for reliable diff calculation
- Output violations as GitHub Actions annotations (errors, warnings, notices)
- Update to actions/checkout@v6 with full history fetch

Author: numbata

.github/workflows/danger.yml

@@ -6,16 +6,16 @@ jobs:
   danger:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
-        fetch-depth: 100    
+        fetch-depth: 0
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
         ruby-version: 3.4
         bundler-cache: true
     - name: Run Danger
-      run: |
-        # the token is public, has public_repo scope and belongs to the grape-bot user owned by @dblock, this is ok
-        TOKEN=$(echo -n Z2hwX2lYb0dPNXNyejYzOFJyaTV3QUxUdkNiS1dtblFwZTFuRXpmMwo= | base64 --decode)
-        DANGER_GITHUB_API_TOKEN=$TOKEN bundle exec danger --verbose
+      env:
+        BASE_SHA: ${{ github.event.pull_request.base.sha }}
+        HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+      run: bundle exec danger dry_run --base=$BASE_SHA --head=$HEAD_SHA --verbose

Dangerfile

@@ -1,3 +1,58 @@
 # frozen_string_literal: true
 
-danger.import_dangerfile(gem: 'ruby-grape-danger')
+# Inline checks from ruby-grape-danger (avoids plugins requiring GitHub API token)
+
+has_app_changes = !git.modified_files.grep(/lib/).empty?
+has_spec_changes = !git.modified_files.grep(/spec/).empty?
+
+if has_app_changes && !has_spec_changes
+  warn("There're library changes, but not tests. That's OK as long as you're refactoring existing code.", sticky: false)
+end
+
+if !has_app_changes && has_spec_changes
+  message('We really appreciate pull requests that demonstrate issues, even without a fix. That said, the next step is to try and fix the failing tests!', sticky: false)
+end
+
+# Simplified changelog check (replaces danger-changelog plugin which requires github.* methods)
+# Note: toc.check! from danger-toc plugin removed (not essential for CI)
+has_changelog_changes = git.modified_files.include?('CHANGELOG.md') || git.added_files.include?('CHANGELOG.md')
+if has_app_changes && !has_changelog_changes
+  warn('Please update CHANGELOG.md with a description of your changes.', sticky: false)
+end
+
+(git.modified_files + git.added_files - %w[Dangerfile]).each do |file|
+  next unless File.file?(file)
+
+  contents = File.read(file)
+  if file.start_with?('spec')
+    fail("`xit` or `fit` left in tests (#{file})") if contents =~ /^\w*[xf]it/
+    fail("`fdescribe` left in tests (#{file})") if contents =~ /^\w*fdescribe/
+  end
+end
+
+# Output as GitHub Actions annotations (since we can't post PR comments without token)
+if ENV['GITHUB_ACTIONS']
+  violation_report[:errors].each do |v|
+    if v.file && v.line
+      puts "::error file=#{v.file},line=#{v.line}::#{v.message}"
+    else
+      puts "::error::#{v.message}"
+    end
+  end
+
+  violation_report[:warnings].each do |v|
+    if v.file && v.line
+      puts "::warning file=#{v.file},line=#{v.line}::#{v.message}"
+    else
+      puts "::warning::#{v.message}"
+    end
+  end
+
+  violation_report[:messages].each do |v|
+    if v.file && v.line
+      puts "::notice file=#{v.file},line=#{v.line}::#{v.message}"
+    else
+      puts "::notice::#{v.message}"
+    end
+  end
+end