How (and why) upgrade a GitHub workflow to use “Environment files”


I have a GitHub action workflow file that is running fine, but recently warnings about ‘set-env’ and ‘add-path’ deprecation have been brought to my attention. The fix suggested by GitHub is to use “Environment Files”; i.e. pipe values into a file managed by a GITHUB_ENV file descriptor.

My question is: Is GitHub asking me to replace the “env” block of my workflow with a step containing commands of the form ‘echo "{name}={value}" >> $GITHUB_ENV’?

I have to also ask why this is necessary, since I think it is lame, but that is really beside the point.


There are 2 answers

0
nOw Innovation Inc. On BEST ANSWER

From my experience using Python with GitHub actions, this is an issue with actions/setup-python versions 1.1.1 and earlier. You probably have a line in your workflow that reads:

uses: actions/[email protected]

If you upgrade to version 2 of setup-python, there will be no warning. Just change the line above to the following:

uses: actions/setup-python@v2

In order to demonstrate, the log of my v1.1.1 workflow shows the warnings you mentioned, but the warnings are resolved by using version 2.

1
VonC On

> I have to also ask why this is necessary

This was announced in early Oct. 2020 this month, and pointed to a moderate security vulnerability:

> The @actions/core npm module addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format.
> Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author.
>
> For now, users should upgrade to @actions/core v1.2.6 or later, and replace any instance of the set-env or add-path commands in their workflows with the new Environment File Syntax.
> Workflows and actions using the old commands or older versions of the toolkit will start to warn, then error out during workflow execution.

So:

echo "FOO=BAR" >> $GITHUB_ENV
echo "/Users/test/.nvm/versions/node/v12.18.3/bin" >> $GITHUB_PATH

That is why a GitHub Action like actions/setup-python has a recent PR 138 in order to use Environment files to communicate with the Runner.

But if you are using any other workflow based on actions/core, you need to upgrade said actions/core version as soon as possible.
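
The environment-file writes from the answer above, wrapped in helpers that stay correct when the value comes from untrusted input. This is an added example, not code from the answers or from GitHub's toolkit; it goes beyond the single-line case by using the `NAME<<DELIMITER` multi-line form, and the helper names `set_env` and `add_path` and the sample input are assumptions.

```shell
#!/bin/sh
# Added example: helpers for appending to the runner's environment files.
# A real runner sets GITHUB_ENV and GITHUB_PATH; the fallbacks below are
# constructed temp files so the script also runs on a workstation.
: "${GITHUB_ENV:=$(mktemp)}"
: "${GITHUB_PATH:=$(mktemp)}"
NL='
'
CR=$(printf '\r')

# set_env NAME VALUE (hypothetical helper, not part of any GitHub tooling)
set_env() {
  case $1 in
    ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
      echo "set_env: invalid variable name" >&2; return 1 ;;
  esac
  case $2 in
    *"$NL"*|*"$CR"*)
      # Multi-line value: NAME<<DELIMITER form with a random delimiter,
      # so no line of the value can end the block or start a new entry.
      se_delim="EOF_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
      printf '%s<<%s\n%s\n%s\n' "$1" "$se_delim" "$2" "$se_delim" >> "$GITHUB_ENV" ;;
    *)
      printf '%s=%s\n' "$1" "$2" >> "$GITHUB_ENV" ;;
  esac
}

# add_path DIR (hypothetical helper): one directory per line, so a value
# containing a line break is refused rather than written.
add_path() {
  case $1 in
    ''|*"$NL"*|*"$CR"*) echo "add_path: invalid directory" >&2; return 1 ;;
  esac
  printf '%s\n' "$1" >> "$GITHUB_PATH"
}

# The two lines from the answer, written through the helpers.
set_env FOO BAR
add_path "/Users/test/.nvm/versions/node/v12.18.3/bin"

# Constructed untrusted input (e.g. a PR title). A plain
#   echo "TITLE=$untrusted" >> "$GITHUB_ENV"
# would also define INJECTED for every later step.
untrusted="release notes${NL}INJECTED=1"
set_env TITLE "$untrusted"
```

Values written this way only take effect in later steps of the same job, not in the step that writes them.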