Provide cache-encryption-key as action input

This makes it easier for users to enable config-cache saving in their workflow. Config-cache data will only be saved/restored when the key is provided, and the key is exported as `GRADLE_ENCRYPTION_KEY` for use in subsequent steps.
2024-10-18 19:51:18 +08:00 · 2023-12-20 19:02:27 -07:00 · 2023-12-20 19:02:27 -07:00 · a738af78ea
commit a738af78ea
parent ae24bf6608
3 changed files with 46 additions and 5 deletions
--- a/action.yml
+++ b/action.yml
@ -40,6 +40,13 @@ inputs:
    required: false
    default: false

+  cache-encryption-key:
+    description: |
+      A base64 encoded AES key used to encrypt the configuration-cache data. The key is exported as 'GRADLE_ENCRYPTION_KEY' for later steps. 
+      A suitable key can be generated with `openssl rand -base64 16`.
+      Configuration-cache data will not be saved/restored without an encryption key being provided.
+    required: false
+
  gradle-home-cache-includes:
    description: Paths within Gradle User Home to cache.
    required: false
--- a/src/cache-extract-entries.ts
+++ b/src/cache-extract-entries.ts
@ -1,5 +1,6 @@
 import path from 'path'
 import fs from 'fs'
+import crypto from 'crypto'
 import * as core from '@actions/core'
 import * as glob from '@actions/glob'

@ -351,14 +352,43 @@ export class ConfigurationCacheEntryExtractor extends AbstractEntryExtractor {
     * entry is not reusable.
     */
    async restore(listener: CacheListener): Promise<void> {
-        if (listener.fullyRestored) {
-            return super.restore(listener)
+        if (!listener.fullyRestored) {
+            core.info('Not restoring configuration-cache state, as Gradle User Home was not fully restored')
+            for (const cacheEntry of this.loadExtractedCacheEntries()) {
+                listener.entry(cacheEntry.pattern).markNotRestored('Gradle User Home not fully restored')
+            }
+            return
        }

-        core.info('Not restoring configuration-cache state, as Gradle User Home was not fully restored')
-        for (const cacheEntry of this.loadExtractedCacheEntries()) {
-            listener.entry(cacheEntry.pattern).markRequested('NOT_RESTORED')
+        if (!params.getCacheEncryptionKey()) {
+            core.info('Not restoring configuration-cache state, as no encryption key was provided')
+            for (const cacheEntry of this.loadExtractedCacheEntries()) {
+                listener.entry(cacheEntry.pattern).markNotRestored('No encryption key provided')
+            }
+            return
        }
+
+        const encryptionKey = this.getAESEncryptionKey()
+        core.exportVariable('GRADLE_ENCRYPTION_KEY', encryptionKey)
+        return await super.restore(listener)
+    }
+
+    async extract(listener: CacheListener): Promise<void> {
+        if (!params.getCacheEncryptionKey()) {
+            core.info('Not saving configuration-cache state, as no encryption key was provided')
+            for (const cacheEntry of this.getExtractedCacheEntryDefinitions()) {
+                listener.entry(cacheEntry.pattern).markNotSaved('No encryption key provided')
+            }
+            return
+        }
+
+        await super.extract(listener)
+    }
+
+    private getAESEncryptionKey(): string | undefined {
+        const secret = params.getCacheEncryptionKey()
+        const key = crypto.pbkdf2Sync(secret, '', 1000, 16, 'sha256')
+        return key.toString('base64')
    }

    /**
--- a/src/input-params.ts
+++ b/src/input-params.ts
@ -29,6 +29,10 @@ export function isCacheCleanupEnabled(): boolean {
    return getBooleanInput('gradle-home-cache-cleanup')
 }

+export function getCacheEncryptionKey(): string {
+    return core.getInput('cache-encryption-key')
+}
+
 export function getCacheIncludes(): string[] {
    return core.getMultilineInput('gradle-home-cache-includes')
 }