From 8fd3277a9f1c1eaf6f675c3a28c34d4464bffcf2 Mon Sep 17 00:00:00 2001 From: Louis Jacomet Date: Tue, 20 Dec 2022 17:02:51 +0100 Subject: [PATCH 1/2] Add note about secrets and CC Issue #22937 --- .../running-builds/configuration_cache.adoc | 24 ++++++++++++------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/subprojects/docs/src/docs/userguide/running-builds/configuration_cache.adoc b/subprojects/docs/src/docs/userguide/running-builds/configuration_cache.adoc index f9bb92d78b4b..b35686911cfd 100644 --- a/subprojects/docs/src/docs/userguide/running-builds/configuration_cache.adoc +++ b/subprojects/docs/src/docs/userguide/running-builds/configuration_cache.adoc 
@@ -956,21 +956,27 @@ include::sample[dir="snippets/valueProviders/fileContentsDo/kotlin",files="build In general, you should avoid reading files at configuration time, to avoid invalidating configuration cache entries when the file content changes. Instead, you can connect the `Provider` returned by link:{javadocPath}/org/gradle/api/provider/ProviderFactory.html#fileContents-org.gradle.api.file.RegularFile-[providers.fileContents()] to task properties. -[[config_cache:requirements:safe_credentials]] - -=== Safe credentials - -For security reasons, the configuration cache does not store credentials declared inline. - -To use credentials in build scripts with the configuration cache, declare credentials with Gradle Properties. To learn more about using credentials with Gradle Properties, check out the example in the -<>. - [[config_cache:not_yet_implemented]] == Not yet implemented Support for using configuration caching with certain Gradle features is not yet implemented. Support for these features will be added in later Gradle releases. +[[config_cache:not_yet_implemented:secrets]] +=== Handling of credentials and secrets + +The configuration cache has currently no option to hide secrets that are used as inputs. +It means that they end up in the serialized configuration cache entry. + +This means that you should: + +* Either secure access to configuration cache entries that may contain secrets +* Or leverage `<>/gradle.properties` for storing secrets. +The content of that file is not part of the configuration cache, only its fingerprint. +If you store secrets in that file, care must be taken to protect access to the file content. + +See link:{gradle-issues}22618[gradle/gradle#22618]. + [[config_cache:not_yet_implemented:sharing]] === Sharing the configuration cache From a730b01ba784c9c5b35e4bf3f0a415d07bdafe7d Mon Sep 17 00:00:00 2001 
From: Louis Jacomet Date: Fri, 17 Feb 2023 18:56:00 +0100 Subject: [PATCH 2/2] Improve wording Fixes #22937 --- .../docs/userguide/running-builds/configuration_cache.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/subprojects/docs/src/docs/userguide/running-builds/configuration_cache.adoc b/subprojects/docs/src/docs/userguide/running-builds/configuration_cache.adoc index b35686911cfd..8d38f9dfc330 100644 --- a/subprojects/docs/src/docs/userguide/running-builds/configuration_cache.adoc +++ b/subprojects/docs/src/docs/userguide/running-builds/configuration_cache.adoc @@ -968,10 +968,10 @@ Support for these features will be added in later Gradle releases. The configuration cache has currently no option to hide secrets that are used as inputs. It means that they end up in the serialized configuration cache entry. -This means that you should: +This means that you should either: -* Either secure access to configuration cache entries that may contain secrets -* Or leverage `<>/gradle.properties` for storing secrets. +* Secure access to configuration cache entries that may contain secrets, or +* Leverage `<>/gradle.properties` for storing secrets. The content of that file is not part of the configuration cache, only its fingerprint. If you store secrets in that file, care must be taken to protect access to the file content.
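
Review bot: in [PATCH 1/2], the added "Handling of credentials and secrets" section tells readers to "secure access to configuration cache entries that may contain secrets" but never says where those entries are stored or what securing them involves, so the advice cannot be acted on as written. Suggest naming the entry location and giving at least one concrete measure, and doing the same for "care must be taken to protect access to the file content". The same hunk deletes the `[[config_cache:requirements:safe_credentials]]` anchor together with the sentence "the configuration cache does not store credentials declared inline". Remaining cross-references to that anchor should be checked. Since the new text says secrets used as inputs do end up in the serialized entry, it should also state whether the removed claim about inline credentials still holds.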
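
Review bot: in [PATCH 2/2], the wording pass only touches the list and leaves the two context lines above it as they were: "has currently no option" reads better as "currently has no option", and "It means that they end up ..." followed directly by "This means that you should either:" repeats the same construction. Suggest folding the first two sentences into one, for example ending it with "so they end up in the serialized configuration cache entry". The "either ... or" framing also presents the bullets as alternatives, yet the second bullet closes with "care must be taken to protect access to the file content", so both options depend on access control. Consider saying that before the list.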