Am I correct in thinking that the Gradle configuration cache cannot be safely restored in Gradle runs using GitHub Actions, when the action is triggered by a PR from a forked repository?
I think this because:
- Configure Gradle for GitHub Actions workflows - Gradle Community Site notes that the configuration cache should be encrypted, and the encryption key should be provided via the GitHub “secrets” mechanism
- Using secrets in GitHub Actions - GitHub Docs explains that GitHub secrets are not passed to runners when a workflow is triggered from a forked repository (e.g., when someone has forked the repository to send you a PR)
I have seen that some GitHub repositories hardcode the encryption key instead of passing it as a secret (e.g., Save CC data on CI (#1121) · Laddie1994/LibChecker@179087f · GitHub) presumably to work around this problem. But I assume that this is a bad idea, precisely because the configuration cache may contain secrets that should not be exposed to arbitrary code being run on CI.
If all of the above is correct, is there a mechanism that can be used to enable the configuration cache for GitHub Actions workflows triggered by PRs?
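
The hardcoded-key pattern described in the post can be caught with a workflow lint. The following is an added example, not part of the original post and not Gradle's or GitHub's own tooling; it assumes the key is supplied through the setup-gradle `cache-encryption-key` input or the `GRADLE_ENCRYPTION_KEY` environment variable, and the sample workflow and key value are constructed.

```python
import re

# Settings that carry the configuration-cache encryption key (assumption:
# the setup-gradle input and the Gradle environment variable).
KEY_SETTING = re.compile(
    r"^\s*(?:-\s*)?(cache-encryption-key|GRADLE_ENCRYPTION_KEY)\s*:\s*(.*?)\s*$"
)
# A value read from the secrets context, e.g. ${{ secrets.NAME }}.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")


def find_hardcoded_keys(workflow_text):
    """Return (line_number, setting) for each key not read from secrets."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = KEY_SETTING.match(line)
        if not match:
            continue  # also skips commented-out lines, which start with '#'
        setting, value = match.groups()
        # Drop a trailing YAML comment and surrounding quotes.
        value = value.split(" #", 1)[0].strip().strip("'\"")
        if value and not SECRET_REF.match(value):
            findings.append((number, setting))
    return findings


# Constructed sample workflow: one key from secrets, one committed in the file.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: gradle/actions/setup-gradle@v4
        with:
          cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
      - run: ./gradlew build --configuration-cache
        env:
          GRADLE_ENCRYPTION_KEY: "Q09OU1RSVUNURURLRVkxMg=="  # constructed value
"""

if __name__ == "__main__":
    for number, setting in find_hardcoded_keys(SAMPLE):
        print(f"line {number}: {setting} is hardcoded; anyone who can read "
              "the repository can decrypt the stored configuration cache")
```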