Dont read from cache in sensitive workflows

[damccorm]

Right now, there is some potential for cache poisoning from other workflows. We shouldn't read from the cache in workflows with access to sensitive credentials to avoid this risk

---

Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:

• Mention the appropriate issue in your description (for example: addresses #123), if applicable. This will automatically add a link to the pull request in the issue. If you would like the issue to automatically close on merging the pull request, comment fixes #<ISSUE NUMBER> instead.
• Update CHANGES.md with noteworthy changes.
• If this contribution is large, please file an Apache Individual Contributor License Agreement.

See the Contributor Guide for more tips on how to make review process smoother.

To check the build health, please visit https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md

GitHub Actions Tests Status (on master branch)

See CI.md for more information about GitHub Actions CI or the workflows README to see a list of phrases to trigger workflows.

[damccorm]

R: @Abacn

[github-actions]

Stopping reviewer notifications for this pull request: review requested by someone other than the bot, ceding control

[Abacn]

LGTM for gradle enterprise cache.

there are two caches - gradle enterprise and github action caches. If setup-environment-action is used, the latter is always enabled:

beam/.github/actions/setup-environment-action/action.yml

Line 52 in bae6fcf

- name: Setup Gradle

(even disable-cache is set it only makes gradle cache read-only)

I kind of remember GHA cache is per workflow based, if so then it is fine leave it as is, good to double check.

[damccorm]

Good catch, I didn't realize we use the actions cache for this - I'll disable that since we leave around actions write permissions in places (which allows writing to the cache)