Add note about secrets and CC

Issue #22937
gradle · Feb 23, 2023 · 8fd3277 · 8fd3277
1 parent bc3da47
commit 8fd3277
Showing 1 changed file with 15 additions and 9 deletions.
diff --git a/subprojects/docs/src/docs/userguide/running-builds/configuration_cache.adoc b/subprojects/docs/src/docs/userguide/running-builds/configuration_cache.adoc
@@ -956,21 +956,27 @@ include::sample[dir="snippets/valueProviders/fileContentsDo/kotlin",files="build
 In general, you should avoid reading files at configuration time, to avoid invalidating configuration cache entries when the file content changes.
 Instead, you can connect the `Provider` returned by link:{javadocPath}/org/gradle/api/provider/ProviderFactory.html#fileContents-org.gradle.api.file.RegularFile-[providers.fileContents()] to task properties.
 
-[[config_cache:requirements:safe_credentials]]
-
-=== Safe credentials
-
-For security reasons, the configuration cache does not store credentials declared inline.
-
-To use credentials in build scripts with the configuration cache, declare credentials with Gradle Properties. To learn more about using credentials with Gradle Properties, check out the example in the
-<<declaring_repositories.adoc#sec:handling_credentials,credential handling documentation>>.
-
 [[config_cache:not_yet_implemented]]
 == Not yet implemented
 
 Support for using configuration caching with certain Gradle features is not yet implemented.
 Support for these features will be added in later Gradle releases.
 
+[[config_cache:not_yet_implemented:secrets]]
+=== Handling of credentials and secrets
+
+The configuration cache has currently no option to hide secrets that are used as inputs.
+It means that they end up in the serialized configuration cache entry.
+
+This means that you should:
+
+* Either secure access to configuration cache entries that may contain secrets
+* Or leverage `<<directory_layout.adoc#dir:gradle_user_home,GRADLE_USER_HOME>>/gradle.properties` for storing secrets.
+The content of that file is not part of the configuration cache, only its fingerprint.
+If you store secrets in that file, care must be taken to protect access to the file content.
+
+See link:{gradle-issues}22618[gradle/gradle#22618].
+
 [[config_cache:not_yet_implemented:sharing]]
 === Sharing the configuration cache