Configuration cache for builds triggered from GitHub pull requests

Am I correct in thinking that the Gradle configuration cache cannot be safely restored in Gradle runs using GitHub Actions when the action is triggered by a PR from a forked repository?

I think this because:

I have seen that some GitHub repositories hardcode the encryption key instead of passing it as a secret (e.g., Save CC data on CI (#1121) · Laddie1994/LibChecker@179087f · GitHub), presumably to work around this problem. But I assume that this is a bad idea, precisely because the configuration cache may contain secrets that should not be exposed to arbitrary code being run on CI.

If all of the above is correct, is there a mechanism that can be used to enable the configuration cache for GitHub Actions workflows triggered by PRs?

All said is correct, and I think the answer is no, unless you make sure that the configuration cache never contains any secrets besides the encryption key; then the hard-coding might be OK.

Thanks. Just filed docs: Note configuration cache can not be saved / restored in PR work… by nikclayton · Pull Request #134 · gradle/actions · GitHub to update the docs to make this explicit.
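
An added example (not from any poster in this thread, and not code from Gradle or gradle/actions): a small check that flags workflow files where the configuration-cache encryption key is written as a literal instead of a `secrets` reference, which is the pattern the question describes. It assumes the key is supplied through the `GRADLE_ENCRYPTION_KEY` environment variable or the `cache-encryption-key` input of `gradle/actions/setup-gradle`; the function name and both sample workflows are constructed for illustration.

```python
import re

# Workflow keys that carry the configuration-cache encryption key (assumed:
# the GRADLE_ENCRYPTION_KEY env var and setup-gradle's cache-encryption-key).
KEY_LINE = re.compile(
    r"^\s*-?\s*(GRADLE_ENCRYPTION_KEY|cache-encryption-key)\s*:\s*(?P<value>.*?)\s*$"
)
# The only value treated as safe: a reference into the repository's secrets.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")


def find_hardcoded_keys(workflow_text):
    """Return (line_number, key_name) for each key whose value is a literal."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        line = line.split(" #", 1)[0]  # drop trailing YAML comments
        match = KEY_LINE.match(line)
        if not match:
            continue
        value = match.group("value").strip("'\"")
        if value and not SECRET_REF.match(value):
            findings.append((number, match.group(1)))
    return findings


# Constructed sample: key committed to the repository, readable by any fork.
HARDCODED_WORKFLOW = """\
name: CI
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      GRADLE_ENCRYPTION_KEY: constructed-not-a-real-key
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew build --configuration-cache
"""

# Constructed sample: key taken from repository secrets.
SECRET_WORKFLOW = """\
      - uses: gradle/actions/setup-gradle@v4
        with:
          cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
"""

if __name__ == "__main__":
    for name, text in [("hardcoded", HARDCODED_WORKFLOW), ("secret", SECRET_WORKFLOW)]:
        print(name, find_hardcoded_keys(text))
```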