Migrate workflows from deprecated `set-output` commands #1604
The number of deprecated `set-output` warnings is significantly less than for other builds. 🎉 But there are still a few warnings. Do you happen to know where they're coming from? I found the same set of `::set-output` calls you have already changed, so I could not figure out why there are still warnings. Thanks!
A few examples:
[Two screenshots: "Screen Shot 2022-11-03 at 15 23 04" and "Screen Shot 2022-11-03 at 15 23 08"]
> there are still a few warnings. Do you happen to know where they're coming from?
@kittaakos In addition to use directly in workflows, the commands are also used by the `setOutput` function of older versions of the GitHub Actions Toolkit. So actions used in the workflows can also produce these warnings. Those warnings are resolved by updating to newer versions of the actions which have updated their `@actions/core` dependency to 1.10.0 or newer.
I triggered the workflow again after merging the first set of action bump PRs from Dependabot and there are no more warnings about use of `set-output` commands in the workflow run summary pages:
https://github.com/arduino/arduino-ide/actions/runs/3389582993
https://github.com/arduino/arduino-ide/actions/runs/3389582968
So I think we are all set now.
There are still some outdated actions because the Dependabot only submits 5 PRs at a time by default, but it looks like those actions only produce the Node.js 12 deprecation warnings.
GitHub Actions provides the capability for workflow authors to use the capabilities of the GitHub Actions ToolKit package directly in the `run` keys of workflows via "workflow commands". One such command is `set-output`, which allows data to be passed out of a workflow step as an output.

It has been determined that this command has potential to be a security risk in some applications. For this reason, GitHub has deprecated the command and a warning of this is shown in the workflow run summary page of any workflow using it:

> The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

The identical capability is now provided in a safer form via the GitHub Actions "environment files" system.

Migrating the use of the deprecated workflow commands to use the `GITHUB_OUTPUT` environment file instead fixes any potential vulnerabilities in the workflows, resolves the warnings, and avoids the eventual complete breakage of the workflows that would result from GitHub's planned removal of the `set-output` workflow command 2023-05-31.
> So I think we are all set now.
Yes, we are. Thank you! After you've merged #1605, I've understood where the other warnings are coming from.
Motivation

GitHub Actions provides the capability for workflow authors to use the capabilities of the GitHub Actions ToolKit package directly in the `run` keys of workflows via "workflow commands". One such command is `set-output`, which allows data to be passed out of a workflow step as an output.

It has been determined that this command has potential to be a security risk in some applications. For this reason, GitHub has deprecated the command and a warning of this is shown in the workflow run summary page of any workflow using it:

> The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

The identical capability is now provided in a safer form via the GitHub Actions "environment files" system.

Change description

Migrate the use of the deprecated workflow commands to use the `GITHUB_OUTPUT` environment file to fix any potential vulnerabilities in the workflows, resolve the warnings, and avoid the eventual complete breakage of the workflows that would result from GitHub's planned removal of the `set-output` workflow command 2023-05-31.

Other information

Upstream migration of the "template" workflows: arduino/tooling-project-assets#281
Equivalent migration for Arduino CLI repository: arduino/arduino-cli#1940
Reviewer checklist
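
The migration described in this pull request, as an added example that is not part of the PR or of the arduino-ide workflows: a POSIX shell helper for `run` steps that writes step outputs to the `GITHUB_OUTPUT` environment file, covering both single-line and multi-line values. The helper name `set_output` and the `ghadelim_` delimiter prefix are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the PR). set_output is a hypothetical helper name.
#
# Deprecated workflow command, parsed from the step's stdout:
#   echo "::set-output name=version::$VERSION"
# Environment-file replacement for a single-line value:
#   echo "version=$VERSION" >> "$GITHUB_OUTPUT"

NL='
'

set_output() {
  so_name=$1
  so_value=$2
  if [ -z "${GITHUB_OUTPUT:-}" ]; then
    echo "set_output: GITHUB_OUTPUT is not set" >&2
    return 1
  fi
  # Restrict the name so it cannot contain '=', '<' or a line break.
  case "$so_name" in
    '' | *[!A-Za-z0-9_-]*)
      echo "set_output: invalid output name" >&2
      return 1 ;;
  esac
  case "$so_value" in
    *"$NL"*) ;;  # multi-line value: handled below
    *)
      printf '%s=%s\n' "$so_name" "$so_value" >> "$GITHUB_OUTPUT"
      return 0 ;;
  esac
  # Multi-line value: name<<DELIMITER ... DELIMITER, with a random delimiter
  # so that no line of the value can close the block early.
  so_delim="ghadelim_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
  if [ "${#so_delim}" -ne 41 ]; then
    echo "set_output: could not generate delimiter" >&2
    return 1
  fi
  case "$so_value" in
    *"$so_delim"*)
      echo "set_output: value contains delimiter" >&2
      return 1 ;;
  esac
  {
    printf '%s<<%s\n' "$so_name" "$so_delim"
    printf '%s\n' "$so_value"
    printf '%s\n' "$so_delim"
  } >> "$GITHUB_OUTPUT"
}

# Usage in a workflow `run` step (the runner sets GITHUB_OUTPUT):
#   set_output version "1.2.3"
#   set_output changelog "$(git log --oneline -n 5)"
```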