set-output deprecation scared me nearly to death #1212

Closed
DaSchTour opened this issue Oct 14, 2022 · 8 comments
Labels
bug Something isn't working

Comments

@DaSchTour

set-output is deprecated but there is no real migration guide. I have no idea what to do and I'm scared that my actions will all break in the next days and I'll have to switch to another CI because I have no idea how to fix it.

  • The changelog doesn't clearly state what and how to change.
  • There is no timeline for how long the old method will work.
  • The official documentation still shows set-output used for communication between actions.
  • The warning doesn't say anything about the source of the error, so I can't tell if I have to change something or an action I use needs to be updated.

That's a really scary situation, as I have no idea how to proceed. Especially as there is actually no set-output in my yml and I would not expect this warning to show up.

@DaSchTour DaSchTour added the bug Something isn't working label Oct 14, 2022
@Kurt-von-Laven
Contributor

Kurt-von-Laven commented Oct 15, 2022

If set-output isn't present in your own workflows, then the issue is presumably coming from your dependencies. You can click on the link in the deprecation warning and/or search your workflow logs to determine which dependencies are calling set-output or other deprecated commands. You can use a tool like Renovate or Dependabot to automatically update those (or all) of your actions to their latest versions if possible or do the necessary upgrades by hand. If you still experience deprecation warnings, I would file an issue, or even better, open a pull request against the dependencies that continue to use deprecated commands. I agree that it would be prudent of GitHub to enhance the deprecation warning to blame the appropriate dependencies (since the link doesn't work in the case of composite actions) and update the rest of their documentation, but I suspect they were right to prioritize announcing this security risk promptly. In the meantime, the changelog does clearly state what to change and how to change it in my opinion, but I see the value in explicitly calling out the need to upgrade dependencies based on your feedback. As mentioned in that blog post:

We are monitoring telemetry for the usage of these commands and plan to fully disable them in the future.

I expect we will hear more specifics regarding GitHub's timeline based on the progress the community makes in squashing this security concern. This doesn't apply to you, @DaSchTour, but others following this thread can also see ScribeMD/docker-cache#208 for an example of replacing set-output with environment files in your own workflows. That is a Bash example; EnricoMi/publish-unit-test-result-action#360 is a Python example.
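
The replacement of set-output with environment files mentioned above, as an added example that is not part of the original thread or of the linked pull requests: the step appends to the file named by GITHUB_OUTPUT instead of printing a command to stdout, so text that merely ends up in the log cannot set an output. The helper name `set_output` and the `ghadelimiter_` prefix are assumptions made for this sketch.

```shell
#!/bin/sh
# Before (deprecated): echo "::set-output name=head::$sha"
# After:               set_output head "$sha"

# set_output NAME VALUE (hypothetical helper name).
# The body is a subshell, so variables stay local and `exit` only ends the call.
set_output() (
  name=$1 value=$2
  nl='
'
  # On a runner without the environment file, fail instead of printing to stdout.
  [ -n "${GITHUB_OUTPUT:-}" ] || { echo "GITHUB_OUTPUT is not set" >&2; exit 1; }
  # A name with '=', '<' or a newline would change how the line is parsed.
  case $name in
    '' | *[!A-Za-z0-9_-]*) echo "invalid output name" >&2; exit 1 ;;
  esac
  case $value in
    *"$nl"*)
      # Multi-line form: NAME<<DELIMITER, the value, then DELIMITER on its own line.
      # A random delimiter keeps the value from closing the block early.
      delim="ghadelimiter_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
      case $value in *"$delim"*) exit 1 ;; esac
      printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$GITHUB_OUTPUT"
      ;;
    *)
      printf '%s=%s\n' "$name" "$value" >> "$GITHUB_OUTPUT"
      ;;
  esac
)
```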

@DaSchTour
Author

Well, actually I couldn't find any use of set-output in my workflow or the used actions. That's making this even more scary.

But I'm not sure if workflow outputs also count as usage of set-output. That's the only possible reason. But it's not mentioned in the changelog.

@Kurt-von-Laven
Contributor

Kurt-von-Laven commented Oct 16, 2022

Do the actions you use have any dependencies? Did you find set-output in your workflow's logs? There is no such thing as a workflow output. Whether the output is for a job or a step doesn't matter though. What matters is whether a command or an environment file is used to set that output. That is why this topic isn't discussed in the changelog.

@DaSchTour
Author

Well, I just rechecked and I can't find any set-output in this workflow. The two actions that are used do not use set-output. Or somehow I couldn't find it.

name: Tags

on:
  workflow_call:
    outputs:
      head:
        description: 'HEAD SHA'
        value: ${{ jobs.tags.outputs.head }}
      base:
        description: 'Base SHA'
        value: ${{ jobs.tags.outputs.base }}

jobs:
  tags:
    name: Tags
    runs-on: ubuntu-latest
    outputs:
      base: ${{ steps.sha.outputs.base }}
      head: ${{ steps.sha.outputs.head }}
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: nrwl/nx-set-shas@v2
        id: sha
        with:
          main-branch-name: ${{ github.event.repository.default_branch }}

@Kurt-von-Laven
Contributor

Kurt-von-Laven commented Oct 17, 2022

nrwl/nx-set-shas calls core.setOutput. I recommend opening a pull request to bump @actions/core to a patched version (e.g., ^1.10.0) since they are using 1.9.1, which still uses set-output (although you are using @actions/core 1.4.0 by virtue of being on v2 of nrwl/nx-set-shas). I see now what you meant by a workflow output; I wasn't thinking of callable workflows. For future reference, I don't recommend relying on GitHub's search feature, which overlooks the set-output call in dist/index.js. I suggest using git grep instead.
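
A local search in the spirit of the git grep suggestion above, as an added example that is not part of the original thread: it walks a checkout (vendored dist/ bundles included) and sorts each hit into a script that prints the command itself, a bundle that also knows GITHUB_OUTPUT, or a bundle that only knows the command. The function names, the class labels and the fixture files are constructed for this sketch, and the classification assumes a bundled toolkit refers to the command by the bare string 'set-output' and mentions GITHUB_OUTPUT once patched.

```shell
#!/bin/sh
# classify_file FILE -> how FILE refers to the deprecated commands.
classify_file() {
  if grep -Eq '::(set-output|save-state) ' "$1"; then
    echo direct-command          # script or workflow prints the command itself
  elif grep -Eq 'GITHUB_(OUTPUT|STATE)' "$1"; then
    echo toolkit-with-fallback   # writes the env file, command only as fallback
  else
    echo toolkit-legacy          # only knows the command: needs a dependency bump
  fi
}

# scan_legacy_commands DIR -> "CLASS<TAB>PATH" per matching file, .git skipped.
scan_legacy_commands() {
  find "$1" -type f ! -path '*/.git/*' \
    -exec grep -lE 'set-output|save-state' {} + 2>/dev/null | sort |
  while IFS= read -r f; do
    printf '%s\t%s\n' "$(classify_file "$f")" "$f"
  done
}

# make_fixture DIR -> constructed sample tree (stand-ins, not real project files).
make_fixture() {
  mkdir -p "$1/.github/workflows" "$1/old/dist" "$1/new/dist"
  printf '%s\n' '      - run: echo "::set-output name=head::$SHA"' \
    > "$1/.github/workflows/tags.yml"
  printf '%s\n' "issueCommand('set-output', { name }, value);" \
    > "$1/old/dist/index.js"
  printf '%s\n' "const filePath = process.env['GITHUB_OUTPUT'] || '';" \
    "if (filePath) { return issueFileCommand('OUTPUT', kv); }" \
    "issueCommand('set-output', { name }, value);" \
    > "$1/new/dist/index.js"
}

# Usage in a real checkout: scan_legacy_commands .
```

A `toolkit-with-fallback` hit only emits the old command when GITHUB_OUTPUT is empty, which points at the runner rather than the action.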

@DaSchTour
Author

@Kurt-von-Laven thanks a lot for your help. I wish GitHub had written a bit more about this deprecation.

@melMass

melMass commented Oct 18, 2022

I have the same issues, deprecation notice everywhere.

@Kurt-von-Laven somehow 1.10.0 still outputs set-output and its setOutput function is not deprecated in code:

https://github.com/pnpm/action-setup/blob/cd2af74528f644555073f1e24557b269d7e03a8d/src/outputs/index.ts#L8

@Kurt-von-Laven
Contributor

Kurt-von-Laven commented Oct 18, 2022

It is correct that core.setOutput is not deprecated, because it should not be. Is it possible that you are using an outdated self-hosted runner that lacks the GITHUB_OUTPUT environment variable? core.setOutput falls back on set-command when GITHUB_OUTPUT is falsy. Please bear in mind that the alternatives to deprecating a discovered security vulnerability are significantly worse.
