security: `set-output` cmd deprecated. Use `$GITHUB_OUTPUT` env file (#9287)

* security: `set-output` cmd deprecated. Use `$GITHUB_OUTPUT` env file

To avoid untrusted logged data to use `save-state` and `set-output` workflow commands without the intention of the workflow author we have introduced a new set of environment files to manage state and output.

Starting 1st June 2023 workflows using `save-state` or `set-output` commands via stdout will fail with an error.

https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

* chore: apply fix found at actions/stale#859

* test: fixing report escapes

* test: fixing report escapes

* test: fixing report escapes

* test: fixing report escapes

* test: fixing report escapes
pull/7060/head
David Ordás 2 years ago committed by GitHub
parent bcd981828d
commit 44dd203d6c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 13
      .github/actions/awesomebot-gh-summary-action/action.yml
  2. 4
      .github/workflows/check-urls.yml
  3. 6
      .github/workflows/detect-conflicting-prs.yml
  4. 28
      .github/workflows/stale.yml

@ -86,12 +86,13 @@ runs:
} }
} }
# HACK to single line strings (https://trstringer.com/github-actions-multiline-strings/) # set multiline output (the way of prevent script injection is with random delimiters)
$text = $text -replace "`%","%25" # https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings
$text = $text -replace "`n","%0A" # https://github.com/orgs/community/discussions/26288#discussioncomment-3876281
$text = $text -replace "`r","%25" $delimiter = (openssl rand -hex 8) | Out-String
# set output echo "text<<$delimiter" >> $env:GITHUB_OUTPUT
echo "::set-output name=text::$text" echo "$text" >> $env:GITHUB_OUTPUT
echo "$delimiter" >> $env:GITHUB_OUTPUT
- name: Write output - name: Write output

@ -29,9 +29,9 @@ jobs:
- name: Determine workflow parameters - name: Determine workflow parameters
id: init-params id: init-params
run: | run: |
echo "::set-output name=fetch_depth::0"; echo "fetch_depth=0" >> $GITHUB_OUTPUT
if [ "${{ github.event_name }}" == "pull_request" ]; then if [ "${{ github.event_name }}" == "pull_request" ]; then
echo "::set-output name=fetch_depth::0"; echo "fetch_depth=0" >> $GITHUB_OUTPUT
fi fi
- uses: actions/checkout@v3 - uses: actions/checkout@v3

@ -51,10 +51,12 @@ jobs:
run: | run: |
echo "$INPUT_PRS" \ echo "$INPUT_PRS" \
| jq --compact-output --raw-output 'to_entries | map({number: .key, dirty: .value})' \ | jq --compact-output --raw-output 'to_entries | map({number: .key, dirty: .value})' \
| sed -e 's/^/::set-output name=prs::/' | sed -e 's/^/prs=/' \
>> $GITHUB_OUTPUT
echo "$INPUT_PRS" \ echo "$INPUT_PRS" \
| jq --raw-output 'to_entries | length' \ | jq --raw-output 'to_entries | length' \
| sed -e 's/^/::set-output name=prs-len::/' | sed -e 's/^/prs-len=/' \
>> $GITHUB_OUTPUT
env: env:
INPUT_PRS: ${{ steps.pr-labeler.outputs.prDirtyStatuses }} INPUT_PRS: ${{ steps.pr-labeler.outputs.prDirtyStatuses }}

@ -81,7 +81,7 @@ jobs:
stale-pr-label: " " stale-pr-label: " "
- name: Print outputs for issues - name: Print outputs for issues
run: echo ${{ join(steps.stale-issues.outputs.*, ',') }} run: echo ${{ format('{0},{1}', toJSON(steps.stale-issues.outputs.staled-issues-prs), toJSON(steps.stale-issues.outputs.closed-issues-prs)) }}
- name: Stale Pull Requests - name: Stale Pull Requests
uses: actions/stale@v7 uses: actions/stale@v7
@ -120,7 +120,7 @@ jobs:
stale-issue-label: " " stale-issue-label: " "
- name: Print outputs for PRs - name: Print outputs for PRs
run: echo ${{ join(steps.stale-prs.outputs.*, ',') }} run: echo ${{ format('{0},{1}', toJSON(steps.stale-prs.outputs.staled-issues-prs), toJSON(steps.stale-prs.outputs.closed-issues-prs)) }}
## Removing private properties from each JSON object and compute array length ## Removing private properties from each JSON object and compute array length
## TODO: Delete these set-* workarounds when resolve actions/stale#806 ? ## TODO: Delete these set-* workarounds when resolve actions/stale#806 ?
@ -129,17 +129,21 @@ jobs:
run: | run: |
echo $INPUT_ISSUES \ echo $INPUT_ISSUES \
| jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \ | jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \
| sed -e 's/^/::set-output name=issues::/' | sed -e 's/^/issues=/' \
>> $GITHUB_OUTPUT
echo $INPUT_ISSUES \ echo $INPUT_ISSUES \
| jq --raw-output '. | length' \ | jq --raw-output '. | length' \
| sed -e 's/^/::set-output name=issues-len::/' | sed -e 's/^/issues-len=/' \
>> $GITHUB_OUTPUT
echo $INPUT_PRS \ echo $INPUT_PRS \
| jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \ | jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \
| sed -e 's/^/::set-output name=prs::/' | sed -e 's/^/prs=/' \
>> $GITHUB_OUTPUT
echo $INPUT_PRS \ echo $INPUT_PRS \
| jq --raw-output '. | length' \ | jq --raw-output '. | length' \
| sed -e 's/^/::set-output name=prs-len::/' | sed -e 's/^/prs-len=/' \
>> $GITHUB_OUTPUT
env: env:
INPUT_ISSUES: ${{ steps.stale-issues.outputs.staled-issues-prs }} INPUT_ISSUES: ${{ steps.stale-issues.outputs.staled-issues-prs }}
INPUT_PRS: ${{ steps.stale-prs.outputs.staled-issues-prs }} INPUT_PRS: ${{ steps.stale-prs.outputs.staled-issues-prs }}
@ -148,17 +152,21 @@ jobs:
run: | run: |
echo $INPUT_ISSUES \ echo $INPUT_ISSUES \
| jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \ | jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \
| sed -e 's/^/::set-output name=issues::/' | sed -e 's/^/issues=/' \
>> $GITHUB_OUTPUT
echo $INPUT_ISSUES \ echo $INPUT_ISSUES \
| jq --raw-output '. | length' \ | jq --raw-output '. | length' \
| sed -e 's/^/::set-output name=issues-len::/' | sed -e 's/^/issues-len=/' \
>> $GITHUB_OUTPUT
echo $INPUT_PRS \ echo $INPUT_PRS \
| jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \ | jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \
| sed -e 's/^/::set-output name=prs::/' | sed -e 's/^/prs=/' \
>> $GITHUB_OUTPUT
echo $INPUT_PRS \ echo $INPUT_PRS \
| jq --raw-output '. | length' \ | jq --raw-output '. | length' \
| sed -e 's/^/::set-output name=prs-len::/' | sed -e 's/^/prs-len=/' \
>> $GITHUB_OUTPUT
env: env:
INPUT_ISSUES: ${{ steps.stale-issues.outputs.closed-issues-prs }} INPUT_ISSUES: ${{ steps.stale-issues.outputs.closed-issues-prs }}
INPUT_PRS: ${{ steps.stale-prs.outputs.closed-issues-prs }} INPUT_PRS: ${{ steps.stale-prs.outputs.closed-issues-prs }}

Loading…
Cancel
Save