Remove safe credentials reference #22937
Comments
Below is the snippet / instructions I've been using to analyze what is stored in CC. In regards to gradle.properties, it looks like the individual properties there are NOT stored in CC. It appears some form of hash/checksum is stored for each gradle.properties file.
Thanks a lot for sharing this and helping us.
Using
Plus, it assumes the credentials are static. In my use case it's a ValueSource that grabs temporary credentials from an API call (that further integrates AWS SSO/MFA for the user as required). This, and other 'dynamic' variations, aren't addressed by using gradle.properties. Not sure what the implementation lift is on this, but as a starting point:
That gets us to an OK point, and can be built on to have expiring secrets, etc. in the future (per thoughts in #22618)
Sorry, I should have been more specific. My reflections concern this particular issue, not the general solution we need to provide for CC.
I see. Thanks for clarifying. If I understand correctly the approach (for the current state of CC) would be "put sensitive items in gradle.properties" (which is not a new recommendation) and not in CC.
Changes are in for Gradle 7.6.1
Following the details in #22618 and the comment that some checks were removed from 7.6, we need to fully remove the "safe credentials" documentation reference and add something about the risks of having credentials be part of the configuration cache entries.
One thing that should be determined is if credentials inside a gradle.properties are saved or if only the checksum of that file is saved.