2

I do publish an open source library to Maven Central. In order to do that the gradle.build file contains variable references to a gradle.properties file which contains secret information like usernames and passwords.

Of course the build.gradle needs to be published to the public git repository, the gradle.properties should not be published, due to containing all the personal information but without the properties file the build.gradle is not valid.

How are open source projects handling those sensitive data?

Hannes
  • 5,002
  • 8
  • 31
  • 60
  • I think this answer should help you : https://stackoverflow.com/a/12751665/6899896 : you should extract all personal information out of the project `gradle.properties` file, and keep these personal data in your User `gradle.properties` ( or inject these credentials as environment variable when executing your build script) – M.Ricciuti Nov 27 '18 at 08:18
  • @M.Ricciuti Thanks for the reference to another answer, but the problem with the most voted-up answer is, that the `gradle.build` as you check it out from the repository will fail due to missing values. I am not sure if this is acceptable. – Hannes Nov 27 '18 at 21:32
  • @M.Ricciuti Thanks a lot for this - works perfectly for me :-) – Hannes Nov 28 '18 at 05:58

1 Answers1

1

Here is a solution based on this answer, with the use of findProperty method to allow users to build your project without providing the publishing credentials (issue you mentioned in your comment above)

  • move credentials outside the project's gradle.properties and put them to your local user /.gradle/gradle.properties configuration file

  • in your publish task definition, use:

    authentication(userName: findProperty('mavenUser'), password: findProperty('mavenPassword'))

M.Ricciuti
  • 11,070
  • 2
  • 34
  • 54