Do not clear GRADLE_ENTERPRISE_ACCESS_KEY env var and output a deprecation warning

2025-04-22 02:39:19 +08:00 · 2024-05-17 11:44:42 +02:00 · 2024-05-17 11:44:42 +02:00 · 245e8e6b91
commit 245e8e6b91
parent 18bd508bcf
5 changed files with 35 additions and 14 deletions
--- a/.github/workflows/integ-test-inject-develocity.yml
+++ b/.github/workflows/integ-test-inject-develocity.yml
@ -157,5 +157,5 @@ jobs:
        run: gradle help
      - name: Check access key is blank (DEVELOCITY_ACCESS_KEY)
        run: "[ \"${DEVELOCITY_ACCESS_KEY}\" == \"\" ] || (echo 'DEVELOCITY_ACCESS_KEY has leaked!'; exit 1)"
-      - name: Check access key is blank (GRADLE_ENTERPRISE_ACCESS_KEY)
-        run: "[ \"${GRADLE_ENTERPRISE_ACCESS_KEY}\" == \"\" ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY has leaked!'; exit 1)"
+      - name: Check access key is not blank (GRADLE_ENTERPRISE_ACCESS_KEY)
+        run: "[ \"${GRADLE_ENTERPRISE_ACCESS_KEY}\" != \"\" ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY is still supported in v3!'; exit 1)"
--- a/docs/deprecation-upgrade-guide.md
+++ b/docs/deprecation-upgrade-guide.md
@ -1,9 +1,9 @@
 # Deprecation upgrade guide

-As these actions evolve, certain inputs, behaviour and usages are deprecated for removal. 
+As these actions evolve, certain inputs, behaviour and usages are deprecated for removal.
 Deprecated functionality will be fully supported during the current major release, and will be
-removed in the next major release. 
-Users will receive a deprecation warning when they rely on deprecated functionality, 
+removed in the next major release.
+Users will receive a deprecation warning when they rely on deprecated functionality,
 prompting them to update their workflows.

 ## The action `gradle/gradle-build-action` has been replaced by `gradle/actions/setup-gradle`
@ -25,10 +25,10 @@ with

 ## The action `gradle/wrapper-validation-action` has been replaced by `gradle/actions/wrapper-validation`

-To facilitate ongoing development, the `wrapper-validation-action` action implementation has been merged into 
+To facilitate ongoing development, the `wrapper-validation-action` action implementation has been merged into
 the https://github.com/gradle/actions repository, and the `gradle/wrapper-validation-action` has been replaced by the `gradle/actions/wrapper-validation` action.

-As of `v3.x`, the `gradle/wrapper-validation-action` and `gradle/actions/wrappper-validation` actions are 
+As of `v3.x`, the `gradle/wrapper-validation-action` and `gradle/actions/wrappper-validation` actions are
 functionally identical, and are released with the same versions.

 In a future major version (likely `v4.x`) we will stop releasing new versions of `gradle/wrapper-validation-action`:
@ -143,3 +143,8 @@ to this:
    build-scan-terms-of-use-agree: "yes"
 ```
 These deprecated build-scan parameters are scheduled to be removed in `setup-gradle@v4` and `dependency-submission@v4`.
+
+## The GRADLE_ENTERPRISE_ACCESS_KEY env var is deprecated
+Gradle Enterprise has been renamed to Develocity starting from Gradle plugin 3.17 and Develocity server 2024.1.
+In v4 release of the action, it will require setting the access key with the `develocity-access-key` input and Develocity 2024.1 at least to generate short-lived tokens.
+If those requirements are not met, the `GRADLE_ENTERPRISE_ACCESS_KEY` env var will be cleared out and build scan publication or other authenticated Develocity operations won't be possible.
--- a/docs/setup-gradle.md
+++ b/docs/setup-gradle.md
@ -747,8 +747,9 @@ This access key will be used during the action execution to get a short-lived to

 ### Short-lived access tokens
 Develocity access keys are long-lived, creating risks if they are leaked. To avoid this, users can use short-lived access tokens to authenticate with Develocity. Access tokens can be used wherever an access key would be used. Access tokens are only valid for the Develocity instance that created them.
-If a short-lived token fails to be retrieved (for example, if the Develocity server version is lower than `2024.1`), no access key will be set.
-In that case, Develocity authenticated operations like build cache read/write and build scan publication will fail without failing the build.
+If a short-lived token fails to be retrieved (for example, if the Develocity server version is lower than `2024.1`):
+ - if a `GRADLE_ENTERPRISE_ACCESS_KEY` env var has been set, we're falling back to it with a deprecation warning
+ - otherwise no access key env var will be set. In that case Develocity authenticated operations like build cache read/write and build scan publication will fail without failing the build.
 For more information on short-lived tokens, see [Develocity API documentation](https://docs.gradle.com/develocity/api-manual/#short_lived_access_tokens).

 ## Configuring Develocity injection
--- a/sources/src/configuration.ts
+++ b/sources/src/configuration.ts
@ -188,6 +188,9 @@ export enum JobSummaryOption {
 }

 export class BuildScanConfig {
+    static DevelocityAccessKeyEnvVar = 'DEVELOCITY_ACCESS_KEY'
+    static GradleEnterpriseAccessKeyEnvVar = 'GRADLE_ENTERPRISE_ACCESS_KEY'
+
    getBuildScanPublishEnabled(): boolean {
        return getBooleanInput('build-scan-publish') && this.verifyTermsOfUseAgreement()
    }
@ -203,8 +206,8 @@ export class BuildScanConfig {
    getDevelocityAccessKey(): string {
        return (
            core.getInput('develocity-access-key') ||
-            process.env['DEVELOCITY_ACCESS_KEY'] ||
-            process.env['GRADLE_ENTERPRISE_ACCESS_KEY'] ||
+            process.env[BuildScanConfig.DevelocityAccessKeyEnvVar] ||
+            process.env[BuildScanConfig.GradleEnterpriseAccessKeyEnvVar] ||
            ''
        )
    }
--- a/sources/src/develocity/short-lived-token.ts
+++ b/sources/src/develocity/short-lived-token.ts
@ -1,5 +1,7 @@
 import * as httpm from 'typed-rest-client/HttpClient'
 import * as core from '@actions/core'
+import {BuildScanConfig} from '../configuration'
+import {recordDeprecation} from '../deprecation-collector'

 export async function setupToken(
    develocityAccessKey: string,
@ -18,17 +20,27 @@ export async function setupToken(
                exportAccessKeyEnvVars(token)
            } else {
                // In case of not being able to generate a token we set the env variable to empty to avoid leaks
-                exportAccessKeyEnvVars('')
+                clearAccessKeyEnvVarsWithDeprecationWarning()
            }
        } catch (e) {
-            exportAccessKeyEnvVars('')
+            clearAccessKeyEnvVarsWithDeprecationWarning()
            core.warning(`Failed to fetch short-lived token, reason: ${e}`)
        }
    }
 }

 function exportAccessKeyEnvVars(value: string): void {
-    ;['DEVELOCITY_ACCESS_KEY', 'GRADLE_ENTERPRISE_ACCESS_KEY'].forEach(key => core.exportVariable(key, value))
+    ;[BuildScanConfig.DevelocityAccessKeyEnvVar, BuildScanConfig.GradleEnterpriseAccessKeyEnvVar].forEach(key =>
+        core.exportVariable(key, value)
+    )
+}
+
+function clearAccessKeyEnvVarsWithDeprecationWarning(): void {
+    if (process.env[BuildScanConfig.GradleEnterpriseAccessKeyEnvVar]) {
+        // We do not clear the GRADLE_ENTERPRISE_ACCESS_KEY env var in v3, to let the users upgrade to DV 2024.1
+        recordDeprecation(`The ${BuildScanConfig.GradleEnterpriseAccessKeyEnvVar} env var is deprecated`)
+    }
+    core.exportVariable(BuildScanConfig.DevelocityAccessKeyEnvVar, '')
 }

 export async function getToken(