Disable uploading Gradle build cache for PR

Motivation: We got a bug bounty report that `upload-build-cache` can leak GitHub secrets if an attacker modifies `gradlew` file. Modifications: - Remove `upload-build-cache` to resolve the vulnerbility. Result: - Fixed a vulnerbility in the Gradle Build cache job.
ikhoon · Sep 26, 2024 · 11a399c · 11a399c
1 parent bd5f6ab
commit 11a399c
Showing 1 changed file with 0 additions and 32 deletions.
diff --git a/.github/workflows/gradle-enterprise-postjob.yml b/.github/workflows/gradle-enterprise-postjob.yml
@@ -106,35 +106,3 @@ jobs:
         env:
           BUILD_SCANS: ${{ steps.upload-build-scans.outputs.BUILD_SCANS }}
           PR_NUMBER: ${{ steps.get-pr-number.outputs.PR_NUMBER }}
-
-  upload-build-cache:
-    if: github.repository == 'line/armeria'
-    runs-on: ${{ matrix.on }}
-    timeout-minutes: 120
-    strategy:
-      fail-fast: false
-      matrix:
-        on: [ ubuntu-latest, macos-12, windows-latest ]
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ env.COMMIT_SHA }}
-
-      - id: setup-build-jdk
-        name: Set up build JDK ${{ env.BUILD_JDK_VERSION }}
-        uses: actions/setup-java@v4
-        with:
-          distribution: 'temurin'
-          java-version: ${{ env.BUILD_JDK_VERSION }}
-
-      - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@v4
-
-      - name: Build with Gradle
-        run: |
-          ./gradlew --no-daemon --stacktrace --build-cache build \
-          --max-workers=2 --parallel \
-          -PbuildJdkVersion=${{ env.BUILD_JDK_VERSION }} \
-          -Pretry=true -PfailOnPassedAfterRetry=false \
-          -Porg.gradle.java.installations.paths=${{ steps.setup-build-jdk.outputs.path }}
-        shell: bash