From 44dd203d6c60c36eb70f47c3afa9bb510ea25c62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Ord=C3=A1s?= <3125580+davorpa@users.noreply.github.com>
Date: Thu, 23 Feb 2023 16:06:07 +0100
Subject: [PATCH] security: `set-output` cmd deprecated. Use `$GITHUB_OUTPUT` env file (#9287)

* security: `set-output` cmd deprecated. Use `$GITHUB_OUTPUT` env file

To avoid untrusted logged data to use `save-state` and `set-output` workflow commands without the intention of the workflow author we have introduced a new set of environment files to manage state and output. Starting 1st June 2023 workflows using `save-state` or `set-output` commands via stdout will fail with an error.

https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

* chore: apply fix found at actions/stale#859
* test: fixing report escapes
* test: fixing report escapes
* test: fixing report escapes
* test: fixing report escapes
* test: fixing report escapes
---
 .../awesomebot-gh-summary-action/action.yml | 13 +++++----
 .github/workflows/check-urls.yml | 4 +--
 .github/workflows/detect-conflicting-prs.yml | 6 ++--
 .github/workflows/stale.yml | 28 ++++++++++++-------
 4 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/.github/actions/awesomebot-gh-summary-action/action.yml b/.github/actions/awesomebot-gh-summary-action/action.yml
index b1f340c68..afdb72ec5 100644
--- a/.github/actions/awesomebot-gh-summary-action/action.yml
+++ b/.github/actions/awesomebot-gh-summary-action/action.yml
@@ -86,12 +86,13 @@ runs: } } - # HACK to single line strings (https://trstringer.com/github-actions-multiline-strings/) - $text = $text -replace "`%","%25" - $text = $text -replace "`n","%0A" - $text = $text -replace "`r","%25" - # set output - echo "::set-output name=text::$text" + # set multiline output (the way of prevent script injection is with random delimiters) + # https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings + # https://github.com/orgs/community/discussions/26288#discussioncomment-3876281 + $delimiter = (openssl rand -hex 8) | Out-String + echo "text<<$delimiter" >> $env:GITHUB_OUTPUT + echo "$text" >> $env:GITHUB_OUTPUT + echo "$delimiter" >> $env:GITHUB_OUTPUT - name: Write output
diff --git a/.github/workflows/check-urls.yml b/.github/workflows/check-urls.yml
index c8625bb7c..bd3152530 100644
--- a/.github/workflows/check-urls.yml
+++ b/.github/workflows/check-urls.yml
@@ -29,9 +29,9 @@ jobs: - name: Determine workflow parameters id: init-params run: | - echo "::set-output name=fetch_depth::0"; + echo "fetch_depth=0" >> $GITHUB_OUTPUT if [ "${{ github.event_name }}" == "pull_request" ]; then - echo "::set-output name=fetch_depth::0"; + echo "fetch_depth=0" >> $GITHUB_OUTPUT fi - uses: actions/checkout@v3
diff --git a/.github/workflows/detect-conflicting-prs.yml b/.github/workflows/detect-conflicting-prs.yml
index 7a3dddc62..5a36c5d37 100644
--- a/.github/workflows/detect-conflicting-prs.yml
+++ b/.github/workflows/detect-conflicting-prs.yml
@@ -51,10 +51,12 @@ jobs: run: | echo "$INPUT_PRS" \ | jq --compact-output --raw-output 'to_entries | map({number: .key, dirty: .value})' \ - | sed -e 's/^/::set-output name=prs::/' + | sed -e 's/^/prs=/' \ + >> $GITHUB_OUTPUT echo "$INPUT_PRS" \ | jq --raw-output 'to_entries | length' \ - | sed -e 's/^/::set-output name=prs-len::/' + | sed -e 's/^/prs-len=/' \ + >> $GITHUB_OUTPUT env: INPUT_PRS: ${{ steps.pr-labeler.outputs.prDirtyStatuses }}
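Review bot: `Out-String` appends a line terminator, so on the `$delimiter = (openssl rand -hex 8) | Out-String` line `$delimiter` is the hex token plus a newline, and both the `text<<$delimiter` opener and the closing `echo "$delimiter"` push an extra blank line into `$env:GITHUB_OUTPUT`. At best that prepends a blank line to the `text` output; whether the runner still matches the closing delimiter after that depends on how it trims the line and is not something this hunk guarantees. `(openssl rand -hex 8)` already yields a single string, so `$delimiter = (openssl rand -hex 8).Trim()` (or `[guid]::NewGuid().ToString()`, which needs no external tool) is enough. The enclosing `run:` script starts before this hunk.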
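Review bot: The `if` branch on `github.event_name` writes the same `fetch_depth=0` line that the unconditional `echo` just above it already wrote, so the new code appends a duplicate key to `$GITHUB_OUTPUT` and the branch is a no-op; either give the pull-request case its own depth or drop the three `if … fi` lines. The branch also interpolates `${{ github.event_name }}` into script text; `"$GITHUB_EVENT_NAME"` is the runner-provided equivalent that keeps expressions out of the shell, and `>> "$GITHUB_OUTPUT"` is the usual quoting for the redirection. Both points were already true of the removed lines and are carried over unchanged.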
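Review bot: A `jq` failure inside either pipeline of this `run:` block is silent: the `sed … >> $GITHUB_OUTPUT` stage still exits 0, so nothing is written for `prs` or `prs-len` and later steps read empty outputs, unless the step declares `shell: bash`, which the runner starts with `-eo pipefail` (an undeclared shell only gets `-e`). Adding `set -o pipefail` as the first line of the script, or declaring `shell: bash` on the step, makes a malformed `$INPUT_PRS` fail the step instead of producing missing outputs. The same pipeline shape appears in the two stale.yml hunks at -129 and -148.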
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 5772288bb..b55748275 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -81,7 +81,7 @@ jobs: stale-pr-label: " " - name: Print outputs for issues - run: echo ${{ join(steps.stale-issues.outputs.*, ',') }} + run: echo ${{ format('{0},{1}', toJSON(steps.stale-issues.outputs.staled-issues-prs), toJSON(steps.stale-issues.outputs.closed-issues-prs)) }} - name: Stale Pull Requests uses: actions/stale@v7
@@ -120,7 +120,7 @@ jobs: stale-issue-label: " " - name: Print outputs for PRs - run: echo ${{ join(steps.stale-prs.outputs.*, ',') }} + run: echo ${{ format('{0},{1}', toJSON(steps.stale-prs.outputs.staled-issues-prs), toJSON(steps.stale-prs.outputs.closed-issues-prs)) }} ## Removing private properties from each JSON object and compute array length ## TODO: Delete these set-* workarounds when resolve actions/stale#806 ?
@@ -129,17 +129,21 @@ jobs: run: | echo $INPUT_ISSUES \ | jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \ - | sed -e 's/^/::set-output name=issues::/' + | sed -e 's/^/issues=/' \ + >> $GITHUB_OUTPUT echo $INPUT_ISSUES \ | jq --raw-output '. | length' \ - | sed -e 's/^/::set-output name=issues-len::/' + | sed -e 's/^/issues-len=/' \ + >> $GITHUB_OUTPUT echo $INPUT_PRS \ | jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \ - | sed -e 's/^/::set-output name=prs::/' + | sed -e 's/^/prs=/' \ + >> $GITHUB_OUTPUT echo $INPUT_PRS \ | jq --raw-output '. | length' \ - | sed -e 's/^/::set-output name=prs-len::/' + | sed -e 's/^/prs-len=/' \ + >> $GITHUB_OUTPUT env: INPUT_ISSUES: ${{ steps.stale-issues.outputs.staled-issues-prs }} INPUT_PRS: ${{ steps.stale-prs.outputs.staled-issues-prs }}
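Review bot: The new `run: echo ${{ format('{0},{1}', toJSON(…), toJSON(…)) }}` line still expands step outputs directly into the shell command text: `toJSON` escapes for JSON, not for the shell, so whatever the shell expands inside a double-quoted word is still evaluated by the runner before `echo` runs, and if the `staled-issues-prs`/`closed-issues-prs` arrays carry issue titles or other user-authored fields (to be confirmed against the action's output schema) that text is controlled by anyone who can open an issue. The robust shape is to hand the outputs to the step through `env:` and let the shell read them as variables, which is also how the `INPUT_ISSUES`/`INPUT_PRS` steps later in this file already do it. The same pattern is in the hunk at -120 for the PR step.
```yaml
      - name: Print outputs for issues
        env:
          STALED_ISSUES: ${{ steps.stale-issues.outputs.staled-issues-prs }}
          CLOSED_ISSUES: ${{ steps.stale-issues.outputs.closed-issues-prs }}
        run: echo "$STALED_ISSUES,$CLOSED_ISSUES"
```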
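Review bot: `echo $INPUT_ISSUES` and `echo $INPUT_PRS` are unquoted, so the JSON taken from the step outputs is word-split and glob-expanded by the shell before it reaches `jq`; runs of whitespace inside the arrays collapse, and a `*`, `?` or `[…]` inside a string value is matched against the working directory, which corrupts the JSON and makes `jq` fail. The sibling workflow changed in this same commit already writes `echo "$INPUT_PRS"`; the four `echo` lines here, and the same four in the hunk at -148, should be quoted the same way. These are context lines the hunk leaves untouched, but the new `>> $GITHUB_OUTPUT` redirections depend entirely on what they feed into `jq`.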
@@ -148,17 +152,21 @@ jobs: run: | echo $INPUT_ISSUES \ | jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \ - | sed -e 's/^/::set-output name=issues::/' + | sed -e 's/^/issues=/' \ + >> $GITHUB_OUTPUT echo $INPUT_ISSUES \ | jq --raw-output '. | length' \ - | sed -e 's/^/::set-output name=issues-len::/' + | sed -e 's/^/issues-len=/' \ + >> $GITHUB_OUTPUT echo $INPUT_PRS \ | jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \ - | sed -e 's/^/::set-output name=prs::/' + | sed -e 's/^/prs=/' \ + >> $GITHUB_OUTPUT echo $INPUT_PRS \ | jq --raw-output '. | length' \ - | sed -e 's/^/::set-output name=prs-len::/' + | sed -e 's/^/prs-len=/' \ + >> $GITHUB_OUTPUT env: INPUT_ISSUES: ${{ steps.stale-issues.outputs.closed-issues-prs }} INPUT_PRS: ${{ steps.stale-prs.outputs.closed-issues-prs }}