#Prevent cache invalidation

pearl leaf

Is it possible to tell dagger not to invalidate cache, for instance if I'm providing credentials like GITHUB_TOKEN or AWS credentials? So far I've tried using withEnvVariable, withSecretVariable, and withNewFile. I'm wondering if there is just a strategy to prevent a cache invalidation of the steps following it that I'm not thinking of.

I understand why this busts cache, because the env or file changes, just wondering if there is a way to tell dagger/buildkit "I know this changed, but trust me bro"

lofty crater

unsure if this is possible. @shrewd helm any clues?

shrewd helm

Hm, withSecretVariable should definitely work: e.g. this example of a dagger module works as expected:

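```go
package main

import "context"

type Playground struct{}

// TryCache runs a slow command that reads a secret-backed env variable.
// `dag` is the client that Dagger generates for the module.
func (m *Playground) TryCache(ctx context.Context) (string, error) {
    // The secret is registered under the name "secret"; "bar" is its value.
    secret := dag.SetSecret("secret", "bar")

    return dag.Container().From("alpine").
        WithSecretVariable("MY_SECRET", secret).
        WithExec([]string{"/bin/sh", "-c", "sleep 10 && echo $MY_SECRET | base64"}).
        Stdout(ctx)
}
```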

If I change the value of secret from bar to foo, the echo caches and keeps printing out bar in base64.

providing credentials as secrets is definitely the way to do this - you should avoid putting them in any other way, since secrets otherwise leak into the cache (which is in plaintext on your disk, and even worse if you're exporting your cache)
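
A simplified model of the behaviour described in this thread, added here as an example (it is not Dagger or BuildKit code and was not posted by any participant): a step's cache key is a digest of its definition, a plain env variable puts the credential's value into that definition, and a secret puts only its name there. The `Step`, `Secret`, `CacheKey` and `Leaks` names and the token strings are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Secret models a named secret: only Name is serialised into a step.
type Secret struct {
	Name  string `json:"name"`
	Value string `json:"-"` // resolved at execution time, never stored
}

// Step is a stand-in for one cached build step (assumed shape, not a real API).
type Step struct {
	Image     string            `json:"image"`
	Args      []string          `json:"args"`
	Env       map[string]string `json:"env,omitempty"`        // plaintext values
	SecretEnv map[string]Secret `json:"secret_env,omitempty"` // names only
}

// Definition is what this model persists in the cache record for the step.
func (s Step) Definition() string {
	b, _ := json.Marshal(s) // map keys are emitted sorted, so output is stable
	return string(b)
}

// CacheKey digests the definition: any change to it is a cache miss.
func (s Step) CacheKey() string {
	sum := sha256.Sum256([]byte(s.Definition()))
	return hex.EncodeToString(sum[:])
}

// Leaks reports whether a credential value is readable from the cache record.
func Leaks(s Step, value string) bool { return strings.Contains(s.Definition(), value) }

func step() Step { return Step{Image: "alpine", Args: []string{"make", "release"}} }

// WithEnv models withEnvVariable; WithSecret models withSecretVariable.
func WithEnv(v string) Step    { s := step(); s.Env = map[string]string{"GITHUB_TOKEN": v}; return s }
func WithSecret(x Secret) Step { s := step(); s.SecretEnv = map[string]Secret{"GITHUB_TOKEN": x}; return s }

func main() {
	a, b := "constructed-token-A", "constructed-token-B" // constructed sample values
	fmt.Println("env: key survives rotation?   ", WithEnv(a).CacheKey() == WithEnv(b).CacheKey())
	fmt.Println("secret: key survives rotation?", WithSecret(Secret{"gh", a}).CacheKey() == WithSecret(Secret{"gh", b}).CacheKey())
	fmt.Println("env: token in cache record?   ", Leaks(WithEnv(b), b))
	fmt.Println("secret: token in cache record?", Leaks(WithSecret(Secret{"gh", b}), b))
}
```
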