On October 1, 2020, we published a CVE outlining a vulnerability in the set-env and add-path workflow commands feature of GitHub Actions, and announced that we would be deprecating those features. In addition, we began flagging to customers in their Actions logs about the coming deprecation and provided guidance on how to migrate to the replacement functionality.
Specific vulnerabilities introduced by these commands have been patched, but in order to completely close the attack vector we need to disable the set-env and add-path workflow commands.
Security and transparency are essential to maintaining your trust. Therefore, while our investigations show no evidence at this time of this vulnerability being exploited, out of an abundance of caution, we will disable those commands and start failing workflow runs that use them on November 16, 2020.
For details on how to use the new functionality and prevent your workflows from breaking please see https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/.
Update 11/19/2020: Version [v2.274.2](https://github.com/actions/runner/releases/tag/v2.274.2) of the GitHub Actions runner removes support for these commands and has been rolled out across GitHub.