Best practices for configuring maven-publish credentials, and how do I skip configuring publications unless actually publishing?

We have a few projects that we publish to a local Nexus server, and I have some questions/confusion about what the best way to store credentials are. Some background on the specific problem I’m trying to solve:

  • We don’t have a central login, all devs have their own Nexus credentials
  • We currently ask that all developers store their credentials in ~/.gradle/ and access them that way
  • Most developers don’t ever publish to Maven and so shouldn’t care about this, but
  • They have to care, because during Configuration the build will fail if the requested properties don’t exist

There’s nothing fancy about our “publishing” closure:

publishing {
   publications {
       mavenJava(MavenPublication) {
           groupId ''
           artifactId "baz"
           version "$version"
           artifact sourceJar {
               classifier "sources"
    repositories {
        maven {
            credentials {
                username "${nexus_username}"
                password "${nexus_password}"
            url "***"

Basically I would like a way to integrate per-user credentials while also not requiring the credentials exist unless a “publish” task is explicitly requested. Is there a nice, clean way to handle this? I’m aware of on-demand configuration but I believe this operates at the build file level and not the task level, correct?

You can model the notion of an “optional” property like so

username project.hasProperty('nexus_username') ?'nexus_username') : ''

That makes way too much sense. Not sure why that didn’t cross my mind. Thanks Mark!