ben-manes / gradle-versions-plugin

Gradle plugin to discover dependency updates
Apache License 2.0

Stop uploading local build scans of contributors #735

Closed dreis2211 closed 1 year ago

dreis2211 commented 1 year ago

Hi,

I just wanted to contribute some stuff and noticed that the project is set up to always publish build scans. This should not happen as it might expose data.

Please use something like the following and only publish stuff in the CI environment.

gradleEnterprise {
    buildScan {
        // publishAlwaysIf expects a boolean, so test whether CI is set
        publishAlwaysIf(System.getenv("CI") != null)
    }
}

Cheers, Christoph

ben-manes commented 1 year ago

Thanks for flagging. I switched over to what I have configured in Caffeine.

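if (System.getenv("CI") == "true") {
  // CI: upload in the foreground and publish every build's scan
  isUploadInBackground = false
  publishAlways()
} else {
  // Local builds: replace the captured IP addresses with an empty list
  obfuscation.ipAddresses { addresses -> emptyList() }
}
if (System.getenv("GITHUB_ACTIONS") == "true") {
  // Replace the captured username with a fixed value
  obfuscation.username { name -> "github" }
}

dreis2211 commented 1 year ago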

In case this is possible, please also delete any uploaded scans not coming from the CI environment.

ben-manes commented 1 year ago

We can't because this uses Gradle's community build scan, so only you have the links to your scans. Those public scans have a registration wall (via email to actual scan) to stop bots and are likely aged out fairly quickly.
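
A check that could run in CI to catch the configuration this thread fixed, added here as an example and not code from the thread or the plugin: a line-based heuristic that flags `publishAlways()` and `publishAlwaysIf(...)` calls that are not gated on an environment variable. The function name and both sample scripts are constructed for illustration, and it assumes each `if` condition and publish call sits on one line.

```python
import re

# Tokens of interest: block braces and the two build scan publish calls.
TOKEN = re.compile(r"[{}]|\bpublishAlways(If)?\s*\(")
# An `if (...)` whose condition reads an environment variable.
ENV_IF = re.compile(r"\bif\s*\(.*System\.getenv\(")

def unguarded_publishes(script):
    """Return 1-based line numbers of publish calls not gated on an env var."""
    findings, stack = [], []  # stack: one flag per open '{', True = env-guarded
    for lineno, raw in enumerate(script.splitlines(), 1):
        # Blank out string literals (URLs contain //), then drop line comments.
        line = re.sub(r'"[^"]*"', '""', raw).split("//", 1)[0]
        seg_start = 0  # start of the text that precedes the next brace
        for m in TOKEN.finditer(line):
            if m.group(0) == "{":
                stack.append(bool(ENV_IF.search(line[seg_start:m.start()])))
                seg_start = m.end()
            elif m.group(0) == "}":
                if stack:
                    stack.pop()  # `} else {` drops the guard; else is unguarded
                seg_start = m.end()
            elif any(stack):
                continue  # inside an env-guarded block
            elif m.group(1) and "System.getenv(" in line[m.end():]:
                continue  # publishAlwaysIf(<condition reading an env var>)
            else:
                findings.append(lineno)
    return findings

# Constructed sample: publishes from every machine, contributors included.
ALWAYS = '''gradleEnterprise {
  buildScan {
    termsOfServiceUrl = "https://gradle.com/terms-of-service"
    termsOfServiceAgree = "yes"
    publishAlways()
  }
}'''

# Constructed sample wrapping the CI-gated form from the thread.
CI_ONLY = '''buildScan {
  if (System.getenv("CI") == "true") {
    publishAlways()
  } else {
    obfuscation.ipAddresses { addresses -> emptyList() }
  }
}'''

if __name__ == "__main__":
    print(unguarded_publishes(ALWAYS), unguarded_publishes(CI_ONLY))
```

A guard held in a variable (for example a hypothetical `val isCi = ...` tested later) is not recognised and would be reported, so findings are prompts for review rather than verdicts.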