Clarify handling of secrets and configuration cache #23948

Merged
merged 2 commits into from Feb 23, 2023
Expand Up @@ -956,21 +956,27 @@ include::sample[dir="snippets/valueProviders/fileContentsDo/kotlin",files="build
In general, you should avoid reading files at configuration time, to avoid invalidating configuration cache entries when the file content changes.
Instead, you can connect the `Provider` returned by link:{javadocPath}/org/gradle/api/provider/ProviderFactory.html#fileContents-org.gradle.api.file.RegularFile-[providers.fileContents()] to task properties.

[[config_cache:requirements:safe_credentials]]

=== Safe credentials

For security reasons, the configuration cache does not store credentials declared inline.

To use credentials in build scripts with the configuration cache, declare credentials with Gradle Properties. To learn more about using credentials with Gradle Properties, check out the example in the
<<declaring_repositories.adoc#sec:handling_credentials,credential handling documentation>>.

[[config_cache:not_yet_implemented]]
== Not yet implemented

Support for using configuration caching with certain Gradle features is not yet implemented.
Support for these features will be added in later Gradle releases.

[[config_cache:not_yet_implemented:secrets]]
=== Handling of credentials and secrets

The configuration cache has currently no option to hide secrets that are used as inputs.
It means that they end up in the serialized configuration cache entry.

This means that you should either:

* Secure access to configuration cache entries that may contain secrets, or
* Leverage `<<directory_layout.adoc#dir:gradle_user_home,GRADLE_USER_HOME>>/gradle.properties` for storing secrets.
The content of that file is not part of the configuration cache, only its fingerprint.
If you store secrets in that file, care must be taken to protect access to the file content.

See link:{gradle-issues}22618[gradle/gradle#22618].

[[config_cache:not_yet_implemented:sharing]]
=== Sharing the configuration cache
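
Review bot: In the "Handling of credentials and secrets" section, the first bullet ("Secure access to configuration cache entries that may contain secrets") gives the reader nothing to act on, because it does not say where the entries are stored or what kind of access has to be restricted. Suggest naming the entry location and the protection expected, the same way the second bullet names `GRADLE_USER_HOME/gradle.properties`, and making "care must be taken to protect access to the file content" equally concrete. Two smaller points: "has currently no option" reads better as "currently has no option", and the "Safe credentials" text in this hunk ("the configuration cache does not store credentials declared inline") states the opposite of the new section, so confirm that it and any cross-references to `config_cache:requirements:safe_credentials` do not survive the change.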
