Finding deprecated set-output and save-state commands in GitHub Actions
A bash script to find usage of deprecated set-output and save-state commands as well as finding deprecated Node.js 12 actions in GitHub Actions workflows
Overview
You might have been noticing some of these warnings in your GitHub Actions workflows:
Warning: The
set-outputcommand is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
GitHub is disabling the The changelog post has been updated to note that telemetry shows that there is still high usage of the deprecated workflow commands and they won’t be disabled just yet.set-output and save-state commands in GitHub Actions on May 31, 2023, so it’s crunch time in ensuring your workflows are updated to use the new command syntax.
For actions that you are authoring, the fix is relatively simply.
Old:
1
2
3
4
5
- name: Save state
run: echo "::save-state name={name}::{value}"
- name: Set output
run: echo "::set-output name={name}::{value}"
New:
1
2
3
4
5
- name: Save state
run: echo "{name}={value}" >> $GITHUB_STATE
- name: Set output
run: echo "{name}={value}" >> $GITHUB_OUTPUT
You could simply perform a code search and update instances of set-output and save-state to the new syntax. However, this wouldn’t work for actions that you are consuming from the marketplace. For example, if you were using actions/stale@v5.2.0 in your workflows, you would see this warning in your workflow run logs.
Thanks to @teddyteh in this PR, this script now also searches for deprecated Node.js 12 actions. The fix is relatively simply here too, in the action.yml file, use 'node16' instead of 'node12':
1
2
3
runs:
using: 'node16'
main: 'main.js'
Finding Deprecation Warning Command Usage
I created a bash solution to audit a list of repositories for deprecated workflow commands. It checks through recent workflow runs (configurable) to see if there are any set-output, save-state, or Node.js 12 deprecation warnings in the workflow run logs. The outputs are stored to a specified CSV file and denotes if the deprecation message was found in the most recent workflow run or not. The reason why I’m searching through multiple workflow runs is that there is a possibility that certain actions aren’t run on every workflow run, such as a PR build, so I wanted to ensure proper coverage.
Usage
Repository: joshjohanning/github-actions-log-warning-checker
- Run
gh auth loginto authenticate with GitHub CLI - Run
./generate-repos.sh <org> > repos.csv- Modify list as needed
- Or create a list of repos in a csv file,
<org/<repo>, 1 per line, with a trailing empty line at the end of the file
- Run:
./github-actions-log-warning-checker.sh repos.csv output.csv
Example Output
1
2
3
4
repo,workflow_name,workflow_url,finding,found_in_latest_workflow_run
joshjohanning-org/actions-linter-testing,CI,https://github.com/joshjohanning-org/actions-linter-testing/blob/main/.github/workflows/blank.yml,Workflow command,no
joshjohanning-org/actions-linter-testing,new-workflow,https://github.com/joshjohanning-org/actions-linter-testing/blob/main/.github/workflows/new-file.yml,Workflow command,yes
joshjohanning-org/actions-linter-testing,node12,https://github.com/joshjohanning-org/actions-linter-testing/blob/main/.github/workflows/node12.yml,Node.js 12 action,yes
Sample repos.csv file to use for testing
You can use this repos.csv file for testing. It has a finding for a result for a deprecated Node.js 12 action as well as a deprecated workflow command.
1
2
3
joshjohanning-org/actions-linter-testing
joshjohanning-org/actions-linter-testing-clean
To do
- Find deprecated Node.js 12 actions (thanks to @teddyteh in this PR)
- Use annotations to be able to return workflow run log line links (for easier discoverability of which action is using the deprecated command(s))
Summary
As an Enterprise/Organization owner, this tool can be useful to find repositories that are using deprecated workflow commands. You can then reach out to the owners of the repositories to let them know that they need to update their workflows. This can also be useful for repository admins as well, and just feed in the list of repositories that you manage.
Going forward, make sure to set up dependabot.yml file to keep your actions up to date. This also applies for actions that are internal to your enterprise/organization, but with additional configuration required (see my post for more details!).
Also, check out another user’s solution to the problem I’m solving here!