Disable gradle build cache on releases to mitigate supply chain risk (#8254)

jack-berg · web-flow · commit 6d522ebf87f1 · 2026-04-06T16:20:23.000-05:00
diff --git a/.github/workflows/build-daily.yml b/.github/workflows/build-daily.yml
@@ -34,7 +34,8 @@ jobs:
           SONATYPE_KEY: ${{ secrets.SONATYPE_KEY }}
           GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
           GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }}
-          DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+          # disable gradle build cache, ensuring we're building from source to mitigate supply chain risk
+          DISABLE_REMOTE_BUILD_CACHE: true
 
   workflow-notification:
     permissions:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -37,7 +37,8 @@ jobs:
           SONATYPE_KEY: ${{ secrets.SONATYPE_KEY }}
           GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
           GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }}
-          DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+          # disable gradle build cache, ensuring we're building from source to mitigate supply chain risk
+          DISABLE_REMOTE_BUILD_CACHE: true
 
       - name: Set environment variables
         run: |
diff --git a/settings.gradle.kts b/settings.gradle.kts
@@ -75,6 +75,7 @@ include(":animal-sniffer-signature")
 val develocityServer = "https://develocity.opentelemetry.io"
 val isCI = System.getenv("CI") != null
 val develocityAccessKey = System.getenv("DEVELOCITY_ACCESS_KEY") ?: ""
+val disableRemoteBuildCache = System.getenv("DISABLE_REMOTE_BUILD_CACHE") != null
 
 develocity {
   if (develocityAccessKey.isNotEmpty()) {
@@ -110,6 +111,7 @@ develocity {
 buildCache {
   remote(HttpBuildCache::class) {
     url = uri("$develocityServer/cache/")
+    isEnabled = !disableRemoteBuildCache
     isPush = isCI && develocityAccessKey.isNotEmpty()
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,7 @@ include(":animal-sniffer-signature")`
`75`	`75`	`val develocityServer = "https://develocity.opentelemetry.io"`
`76`	`76`	`val isCI = System.getenv("CI") != null`
`77`	`77`	`val develocityAccessKey = System.getenv("DEVELOCITY_ACCESS_KEY") ?: ""`
	`78`	`+val disableRemoteBuildCache = System.getenv("DISABLE_REMOTE_BUILD_CACHE") != null`
`78`	`79`
`79`	`80`	`develocity {`
`80`	`81`	`if (develocityAccessKey.isNotEmpty()) {`
`@@ -110,6 +111,7 @@ develocity {`
`110`	`111`	`buildCache {`
`111`	`112`	`remote(HttpBuildCache::class) {`
`112`	`113`	`url = uri("$develocityServer/cache/")`
	`114`	`+ isEnabled = !disableRemoteBuildCache`
`113`	`115`	`isPush = isCI && develocityAccessKey.isNotEmpty()`
`114`	`116`	`}`
`115`	`117`	`}`