A moderate security vulnerability has been identified in the GitHub Actions runner that can allow environment variable and path injection in workflows that log untrusted data to stdout. This can result in environment variables being introduced or modified without the intention of the workflow author. To address this issue we have introduced a new set of files to manage environment and path updates in workflows.
Patching your actions and workflows
If you are using self-hosted runners make sure they are updated to version 2.273.1 or greater.
Action authors who are using the toolkit should update the @actions/core package to v1.2.6 or greater to get the updated
Action and workflow authors who are setting environment variables via stdout should update any usage of the set-env and add-path workflow commands to use the new environment files.
Starting today runner version 2.273.5 will begin to warn you if you use the add-path or set-env commands. We are monitoring telemetry for the usage of these commands and plan to fully disable them in the future.
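An added example, not taken from the original post or from GitHub's own code: POSIX shell helpers a workflow step could use in place of the deprecated stdout commands, plus a search for remaining uses. It assumes the runner-provided file paths `GITHUB_ENV` and `GITHUB_PATH`; the function names and the default `.github/workflows` search directory are chosen for illustration.

```shell
#!/bin/sh
# Added example: replace ::set-env / ::add-path stdout commands with writes
# to the environment files. GITHUB_ENV and GITHUB_PATH are file paths the
# runner sets for each step; the function names here are illustrative.

NL='
'

# Append NAME=VALUE to $GITHUB_ENV. A multi-line value is written in the
# NAME<<DELIMITER form with a random delimiter, so a newline inside VALUE
# cannot begin a second, unintended entry in the file.
set_env() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) echo "invalid variable name" >&2; return 1 ;;
  esac
  case "$2" in
    *"$NL"*)
      _delim="EOF_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
      printf '%s<<%s\n%s\n%s\n' "$1" "$_delim" "$2" "$_delim" >> "$GITHUB_ENV"
      ;;
    *)
      printf '%s=%s\n' "$1" "$2" >> "$GITHUB_ENV"
      ;;
  esac
}

# Append one directory to $GITHUB_PATH; reject empty or multi-line input.
add_path() {
  case "$1" in
    ''|*"$NL"*) echo "invalid path entry" >&2; return 1 ;;
  esac
  printf '%s\n' "$1" >> "$GITHUB_PATH"
}

# Print file:line:text for each remaining use of the deprecated commands
# under the given directory (assumed default: .github/workflows).
find_deprecated() {
  grep -rnE '::(set-env|add-path)( |::)' "${1:-.github/workflows}" || true
}
```

Unlike a command parsed from stdout, these writes go to a file that only the step itself appends to, so untrusted text echoed to the log is never interpreted as an environment update.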