From d9de210177690c6d190c2b0fe5745442fc8549f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Ord=C3=A1s?= <3125580+davorpa@users.noreply.github.com> Date: Wed, 22 Feb 2023 13:09:40 +0100 Subject: [PATCH 1/7] security: `set-output` cmd deprecated. Use `$GITHUB_OUTPUT` env file To avoid untrusted logged data to use `save-state` and `set-output` workflow commands without the intention of the workflow author we have introduced a new set of environment files to manage state and output. Starting 1st June 2023 workflows using `save-state` or `set-output` commands via stdout will fail with an error. https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ --- .../awesomebot-gh-summary-action/action.yml | 2 +- .github/workflows/check-urls.yml | 4 ++-- .github/workflows/detect-conflicting-prs.yml | 6 +++-- .github/workflows/stale.yml | 24 ++++++++++++------- 4 files changed, 23 insertions(+), 13 deletions(-) diff --git a/.github/actions/awesomebot-gh-summary-action/action.yml b/.github/actions/awesomebot-gh-summary-action/action.yml index b1f340c688118..7ee5c79caa989 100644 --- a/.github/actions/awesomebot-gh-summary-action/action.yml +++ b/.github/actions/awesomebot-gh-summary-action/action.yml @@ -91,7 +91,7 @@ runs: $text = $text -replace "`n","%0A" $text = $text -replace "`r","%25" # set output - echo "::set-output name=text::$text" + echo "text=$text" >> $env:GITHUB_OUTPUT - name: Write output diff --git a/.github/workflows/check-urls.yml b/.github/workflows/check-urls.yml index c8625bb7c122b..bd3152530fd99 100644 --- a/.github/workflows/check-urls.yml +++ b/.github/workflows/check-urls.yml 
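Review bot: The new `echo "text=$text" >> $env:GITHUB_OUTPUT` inherits the `%25`/`%0A` replacements on the context lines above it, but those were the escaping rules of the stdout `::set-output` command; the `$GITHUB_OUTPUT` file takes a `key=value` line literally, so a multi-line report now arrives with literal `%0A` sequences, and if that replace were ever skipped each extra line of report text would be read by the runner as a further `key=value` output — text the workflow does not control, since it comes from the link-check results. (The `` `r `` → `%25` context line also maps CR to the escape code for `%` rather than `%0D`, a pre-existing slip this commit does not touch.) For PowerShell the documented form for a multi-line value is the delimited block — `text<<$delimiter`, the raw text, then `$delimiter` on its own line — with `$delimiter` generated per run, e.g. `$delimiter = [guid]::NewGuid().ToString()`, so untrusted text cannot close the block early; the later patches in this series move toward that form. The enclosing `runs:` step starts before this hunk.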
@@ -29,9 +29,9 @@ jobs: - name: Determine workflow parameters id: init-params run: | - echo "::set-output name=fetch_depth::0"; + echo "fetch_depth=0" >> $GITHUB_OUTPUT if [ "${{ github.event_name }}" == "pull_request" ]; then - echo "::set-output name=fetch_depth::0"; + echo "fetch_depth=0" >> $GITHUB_OUTPUT fi - uses: actions/checkout@v3 diff --git a/.github/workflows/detect-conflicting-prs.yml b/.github/workflows/detect-conflicting-prs.yml index 7a3dddc62d0cd..5a36c5d372f99 100644 --- a/.github/workflows/detect-conflicting-prs.yml +++ b/.github/workflows/detect-conflicting-prs.yml @@ -51,10 +51,12 @@ jobs: run: | echo "$INPUT_PRS" \ | jq --compact-output --raw-output 'to_entries | map({number: .key, dirty: .value})' \ - | sed -e 's/^/::set-output name=prs::/' + | sed -e 's/^/prs=/' \ + >> $GITHUB_OUTPUT echo "$INPUT_PRS" \ | jq --raw-output 'to_entries | length' \ - | sed -e 's/^/::set-output name=prs-len::/' + | sed -e 's/^/prs-len=/' \ + >> $GITHUB_OUTPUT env: INPUT_PRS: ${{ steps.pr-labeler.outputs.prDirtyStatuses }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 5772288bbe899..4a61320efc3ea 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
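Review bot: Both branches of `init-params` now write `fetch_depth=0`, so the `if [ "${{ github.event_name }}" == "pull_request" ]` test has no effect; either the non-PR branch was meant to use a different depth (a shallow `1` is the usual default) or the conditional should go, and a one-line comment stating which is intended would save the next reader the puzzle. The inlined `${{ github.event_name }}` is a fixed runner-supplied value rather than user content, so it is not an injection risk here, but `"$GITHUB_EVENT_NAME"` expresses the same test without placing a template expression inside shell code. Quote the redirect target too, `>> "$GITHUB_OUTPUT"`, to match the quoting used elsewhere. The `run:` block is fully inside the hunk; the `actions/checkout@v3` step that presumably consumes `fetch_depth` continues past it.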
@@ -129,17 +129,21 @@ jobs: run: | echo $INPUT_ISSUES \ | jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \ - | sed -e 's/^/::set-output name=issues::/' + | sed -e 's/^/issues=/' \ + >> $GITHUB_OUTPUT echo $INPUT_ISSUES \ | jq --raw-output '. | length' \ - | sed -e 's/^/::set-output name=issues-len::/' + | sed -e 's/^/issues-len=/' \ + >> $GITHUB_OUTPUT echo $INPUT_PRS \ | jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \ - | sed -e 's/^/::set-output name=prs::/' + | sed -e 's/^/prs=/' \ + >> $GITHUB_OUTPUT echo $INPUT_PRS \ | jq --raw-output '. | length' \ - | sed -e 's/^/::set-output name=prs-len::/' + | sed -e 's/^/prs-len=/' \ + >> $GITHUB_OUTPUT env: INPUT_ISSUES: ${{ steps.stale-issues.outputs.staled-issues-prs }} INPUT_PRS: ${{ steps.stale-prs.outputs.staled-issues-prs }} @@ -148,17 +152,21 @@ jobs: run: | echo $INPUT_ISSUES \ | jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \ - | sed -e 's/^/::set-output name=issues::/' + | sed -e 's/^/issues=/' \ + >> $GITHUB_OUTPUT echo $INPUT_ISSUES \ | jq --raw-output '. | length' \ - | sed -e 's/^/::set-output name=issues-len::/' + | sed -e 's/^/issues-len=/' \ + >> $GITHUB_OUTPUT echo $INPUT_PRS \ | jq --compact-output --raw-output 'del(.[] | .[to_entries[] | .key | select(startswith("_"))])' \ - | sed -e 's/^/::set-output name=prs::/' + | sed -e 's/^/prs=/' \ + >> $GITHUB_OUTPUT echo $INPUT_PRS \ | jq --raw-output '. | length' \ - | sed -e 's/^/::set-output name=prs-len::/' + | sed -e 's/^/prs-len=/' \ + >> $GITHUB_OUTPUT env: INPUT_ISSUES: ${{ steps.stale-issues.outputs.closed-issues-prs }} INPUT_PRS: ${{ steps.stale-prs.outputs.closed-issues-prs }} From 175b24e85f6bd71116d6632d9459eb8d5263a22a Mon Sep 17 00:00:00 2001 
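Review bot: The `echo $INPUT_ISSUES` / `echo $INPUT_PRS` lines that feed the four rewritten pipelines are unquoted, so the shell word-splits the JSON and expands globs before jq sees it: a `*` or `?` inside a string value (these are issue/PR objects, and if they carry titles that is reporter-controlled text) is replaced by matching workspace filenames, and runs of whitespace inside strings collapse, so the `issues=`/`prs=` outputs can differ from what actions/stale emitted or fail to parse at all. Quote them — `echo "$INPUT_ISSUES" | jq …` — as `detect-conflicting-prs.yml` in this same patch already does, and quote the target, `>> "$GITHUB_OUTPUT"`. The second hunk at `@@ -148` has the identical shape and needs the same change.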
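Review bot: This hunk is a line-for-line copy of the one at `@@ -129` with only the two `env:` inputs changed, and each step repeats the same jq/sed/redirect pipeline four times, so any later fix (quoting `$INPUT_ISSUES`, for instance) has to be applied in eight places. A small shell loop over `name=value` pairs, or a single reusable step taking the JSON and the output name as inputs, would keep one copy of the `del(.[] | .[to_entries[] | .key | select(startswith("_"))])` filter and of the `>> $GITHUB_OUTPUT` plumbing. The `## TODO: Delete these set-* workarounds when resolve actions/stale#806` comment visible in the next patch suggests the block is temporary, which is one more reason to keep it in one place.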
From: =?UTF-8?q?David=20Ord=C3=A1s?= <3125580+davorpa@users.noreply.github.com> Date: Wed, 22 Feb 2023 13:44:10 +0100 Subject: [PATCH 2/7] chore: apply fix found at actions/stale#859 --- .github/workflows/stale.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 4a61320efc3ea..b55748275339a 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -81,7 +81,7 @@ jobs: stale-pr-label: " " - name: Print outputs for issues - run: echo ${{ join(steps.stale-issues.outputs.*, ',') }} + run: echo ${{ format('{0},{1}', toJSON(steps.stale-issues.outputs.staled-issues-prs), toJSON(steps.stale-issues.outputs.closed-issues-prs)) }} - name: Stale Pull Requests uses: actions/stale@v7 @@ -120,7 +120,7 @@ jobs: stale-issue-label: " " - name: Print outputs for PRs - run: echo ${{ join(steps.stale-prs.outputs.*, ',') }} + run: echo ${{ format('{0},{1}', toJSON(steps.stale-prs.outputs.staled-issues-prs), toJSON(steps.stale-prs.outputs.closed-issues-prs)) }} ## Removing private properties from each JSON object and compute array length ## TODO: Delete these set-* workarounds when resolve actions/stale#806 ? From bf16034cc3988b781ff50113abf743be569e049e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Ord=C3=A1s?= <3125580+davorpa@users.noreply.github.com> Date: Wed, 22 Feb 2023 13:49:32 +0100 Subject: [PATCH 3/7] test: fixing report escapes --- .github/actions/awesomebot-gh-summary-action/action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/awesomebot-gh-summary-action/action.yml b/.github/actions/awesomebot-gh-summary-action/action.yml index 7ee5c79caa989..7420574541153 100644 --- a/.github/actions/awesomebot-gh-summary-action/action.yml +++ b/.github/actions/awesomebot-gh-summary-action/action.yml 
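Review bot: Both rewritten `run:` lines still splice step outputs straight into the shell script through `${{ }}`; `toJSON(...)` wraps the value in double quotes, but inside a bash double-quoted string `$(…)`, backticks and `\` stay live, so if the stale outputs carry issue or PR titles (the `_`-key stripping in the steps below treats them as full issue objects) a title such as `$(curl …)` would execute on the runner — the `join(steps.stale-issues.outputs.*, ',')` it replaces had the same exposure. Pass the values through the environment instead, as the `INPUT_ISSUES`/`INPUT_PRS` steps further down this file already do: `env: { STALED: ${{ steps.stale-issues.outputs.staled-issues-prs }}, CLOSED: ${{ steps.stale-issues.outputs.closed-issues-prs }} }` with `run: printf '%s,%s\n' "$STALED" "$CLOSED"`; the `@@ -120` hunk for `stale-prs` needs the same treatment. Since the step only prints outputs for inspection, dropping it altogether is also an option.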
@@ -87,9 +87,9 @@ runs: } # HACK to single line strings (https://trstringer.com/github-actions-multiline-strings/) - $text = $text -replace "`%","%25" - $text = $text -replace "`n","%0A" - $text = $text -replace "`r","%25" + #$text = $text -replace "`%","%25" + #$text = $text -replace "`n","%0A" + #$text = $text -replace "`r","%25" # set output echo "text=$text" >> $env:GITHUB_OUTPUT From a8db2914874ade6db70b51e1dcdc0ad5459a51d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Ord=C3=A1s?= <3125580+davorpa@users.noreply.github.com> Date: Wed, 22 Feb 2023 14:10:54 +0100 Subject: [PATCH 4/7] test: fixing report escapes --- .../actions/awesomebot-gh-summary-action/action.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/actions/awesomebot-gh-summary-action/action.yml b/.github/actions/awesomebot-gh-summary-action/action.yml index 7420574541153..c441ebb66e856 100644 --- a/.github/actions/awesomebot-gh-summary-action/action.yml +++ b/.github/actions/awesomebot-gh-summary-action/action.yml @@ -86,12 +86,11 @@ runs: } } - # HACK to single line strings (https://trstringer.com/github-actions-multiline-strings/) - #$text = $text -replace "`%","%25" - #$text = $text -replace "`n","%0A" - #$text = $text -replace "`r","%25" - # set output - echo "text=$text" >> $env:GITHUB_OUTPUT + # set multiline output + # https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings + echo "text<<$EOF" >> $env:GITHUB_OUTPUT + echo "$text" >> $env:GITHUB_OUTPUT + echo "$EOF" >> $env:GITHUB_OUTPUT - name: Write output From c7349dc65f5479be25af497084856cfad534c40e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Ord=C3=A1s?= <3125580+davorpa@users.noreply.github.com> Date: Wed, 22 Feb 2023 14:15:57 +0100 Subject: [PATCH 5/7] test: fixing report escapes --- .github/actions/awesomebot-gh-summary-action/action.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
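Review bot: `$EOF` is never assigned in this PowerShell step (`EOF` is a literal delimiter in the bash example the linked docs show), so the header actually written is `text<<` and the terminator is an empty line, and the runner will not delimit the block as intended. Even with a literal delimiter the block would be unsafe for this value: a report line equal to the delimiter closes the block early and everything after it is parsed as further `key=value` outputs, so the delimiter must be unpredictable to the text — `$delimiter = [guid]::NewGuid().ToString()` (or the `openssl rand -hex 8` the docs suggest), used in both the header and terminator lines, which is where patches 5–7 of this series end up. The `- name: Write output` step at the end of the hunk continues outside it.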
diff --git a/.github/actions/awesomebot-gh-summary-action/action.yml b/.github/actions/awesomebot-gh-summary-action/action.yml index c441ebb66e856..d9b1db793adfc 100644 --- a/.github/actions/awesomebot-gh-summary-action/action.yml +++ b/.github/actions/awesomebot-gh-summary-action/action.yml @@ -86,8 +86,13 @@ runs: } } - # set multiline output + # set multiline output (the way of prevent script injection) # https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings + # https://github.com/orgs/community/discussions/26288#discussioncomment-3876281 + delimiter="$(openssl rand -hex 8)" + echo "1=$EOF" + echo "2=$env:EOF" + echo "3=$delimiter" echo "text<<$EOF" >> $env:GITHUB_OUTPUT echo "$text" >> $env:GITHUB_OUTPUT echo "$EOF" >> $env:GITHUB_OUTPUT From 57ad93d9f7f22fcc3b24d982e438c6da92b8f451 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Ord=C3=A1s?= <3125580+davorpa@users.noreply.github.com> Date: Wed, 22 Feb 2023 14:25:00 +0100 Subject: [PATCH 6/7] test: fixing report escapes --- .github/actions/awesomebot-gh-summary-action/action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/awesomebot-gh-summary-action/action.yml b/.github/actions/awesomebot-gh-summary-action/action.yml index d9b1db793adfc..c12f60de30507 100644 --- a/.github/actions/awesomebot-gh-summary-action/action.yml +++ b/.github/actions/awesomebot-gh-summary-action/action.yml 
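Review bot: `delimiter="$(openssl rand -hex 8)"` is bash assignment syntax inside a step that is evidently PowerShell (`$env:GITHUB_OUTPUT` two lines below), so pwsh will try to invoke a command named `delimiter=…` and fail, and the block header still uses the unassigned `$EOF` rather than the new value. The three `echo "1=$EOF"` / `"2=$env:EOF"` / `"3=$delimiter"` lines are debugging output to the job log and should not be committed; patches 6 and 7 correct both points, so these intermediate commits are best squashed before merge. The comment `# set multiline output (the way of prevent script injection)` would read better as `# Multiline output block; a random delimiter keeps untrusted text from injecting further outputs`.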
@@ -89,13 +89,13 @@ runs: # set multiline output (the way of prevent script injection) # https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings # https://github.com/orgs/community/discussions/26288#discussioncomment-3876281 - delimiter="$(openssl rand -hex 8)" + $delimiter = (openssl rand -hex 8) | Out-String echo "1=$EOF" echo "2=$env:EOF" echo "3=$delimiter" - echo "text<<$EOF" >> $env:GITHUB_OUTPUT + echo "text<<$env:EOF" >> $env:GITHUB_OUTPUT echo "$text" >> $env:GITHUB_OUTPUT - echo "$EOF" >> $env:GITHUB_OUTPUT + echo "$env:EOF" >> $env:GITHUB_OUTPUT - name: Write output From 181034e2f6e1e769de6e647a7404383777f8bf65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Ord=C3=A1s?= <3125580+davorpa@users.noreply.github.com> Date: Wed, 22 Feb 2023 14:28:27 +0100 Subject: [PATCH 7/7] test: fixing report escapes --- .github/actions/awesomebot-gh-summary-action/action.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/actions/awesomebot-gh-summary-action/action.yml b/.github/actions/awesomebot-gh-summary-action/action.yml index c12f60de30507..afdb72ec55d1d 100644 --- a/.github/actions/awesomebot-gh-summary-action/action.yml +++ b/.github/actions/awesomebot-gh-summary-action/action.yml @@ -86,16 +86,13 @@ runs: } } - # set multiline output (the way of prevent script injection) + # set multiline output (the way of prevent script injection is with random delimiters) # https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings # https://github.com/orgs/community/discussions/26288#discussioncomment-3876281 $delimiter = (openssl rand -hex 8) | Out-String - echo "1=$EOF" - echo "2=$env:EOF" - echo "3=$delimiter" - echo "text<<$env:EOF" >> $env:GITHUB_OUTPUT + echo "text<<$delimiter" >> $env:GITHUB_OUTPUT echo "$text" >> $env:GITHUB_OUTPUT - echo "$env:EOF" >> $env:GITHUB_OUTPUT + echo "$delimiter" >> $env:GITHUB_OUTPUT - name: Write output
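Review bot: `(openssl rand -hex 8) | Out-String` returns the hex string with a trailing newline (`[Environment]::NewLine`), so `echo "text<<$delimiter"` writes the header followed by an empty line and `echo "$delimiter"` writes the terminator followed by one; as far as I can tell from the runner's line-by-line matching the header and terminator still pair up, but the empty line after the header becomes the first line of the `text` value. Drop `Out-String` and take the native command's single-line output directly, `$delimiter = (openssl rand -hex 8).Trim()`, or remove the dependency on `openssl` being on the runner's PATH with `$delimiter = [guid]::NewGuid().ToString()`. The comment on the first changed line should say what the randomness buys: `# Multiline output with a per-run random delimiter, so untrusted report text cannot close the block early and inject further outputs`. Patches 3–7 all carry the subject `test: fixing report escapes` and include broken intermediate states; squashing them into one commit would keep those out of history. The `- name: Write output` step that consumes `text` starts at the end of this hunk and continues outside it.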