GitHub Actions: Deprecating save-state and set-output commands

24-July-2023 Update: Our telemetry shows significant usage of these commands so we have decided to postpone the removal. To learn more, visit the latest changelog post.

To prevent untrusted logged data from using the save-state and set-output workflow commands without the workflow author's intent, we have introduced a new set of environment files to manage state and output.

Starting today runner version 2.298.2 will begin to warn you if you use the save-state or set-output commands via stdout. We are monitoring telemetry for the usage of these commands and plan to fully disable them on 31st May 2023. Starting 1st June 2023 workflows using save-state or set-output commands via stdout will fail with an error. Our telemetry shows significant usage of these commands. Given the number of impacted customers we are postponing the removal.

Patching your actions and workflows

If you are using self-hosted runners make sure they are updated to version 2.297.0 or greater.

Action authors who are using the toolkit should update the @actions/core package to v1.10.0 or greater to get the updated saveState and setOutput functions.

Action and workflow authors who are using save-state or set-output via stdout should update to use the new environment files.

Examples

A workflow using save-state or set-output like the following

- name: Save state
  run: echo "::save-state name={name}::{value}"

- name: Set output
  run: echo "::set-output name={name}::{value}"

should be updated to write to the new GITHUB_STATE and GITHUB_OUTPUT environment files:

- name: Save state
  run: echo "{name}={value}" >> $GITHUB_STATE

- name: Set output
  run: echo "{name}={value}" >> $GITHUB_OUTPUT
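
As an added example (not part of the original post, and not GitHub's own code): the `{name}={value}` form above writes one line per entry, so a value that contains a line break would add further entries to the file. The hypothetical helper `set_output` below falls back to the `name<<delimiter` multiline form described in GitHub's workflow-command documentation, with a random delimiter; the allowed name characters and the `ghadelimiter_` prefix are assumptions of this example.

```shell
# Added example; set_output and demo are hypothetical helpers, not GitHub code.
NL='
'
CR=$(printf '\r')

# set_output NAME VALUE: append one entry to the file named by $GITHUB_OUTPUT.
set_output() {
  so_name=$1
  so_value=$2
  [ -n "${GITHUB_OUTPUT:-}" ] || { echo "GITHUB_OUTPUT is not set" >&2; return 1; }
  # Assumption of this example: only allow a conservative name character set,
  # so the name itself cannot contain '=', '<' or a line break.
  case $so_name in
    ''|*[!A-Za-z0-9_-]*) echo "invalid output name" >&2; return 1 ;;
  esac
  case $so_value in
    *"$NL"*|*"$CR"*)
      # Multiline value: name<<DELIM ... DELIM, with an unpredictable delimiter
      # so the value cannot close the block early.
      so_delim="ghadelimiter_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
      case $so_value in
        *"$so_delim"*) echo "value contains delimiter" >&2; return 1 ;;
      esac
      printf '%s<<%s\n%s\n%s\n' "$so_name" "$so_delim" "$so_value" "$so_delim" \
        >> "$GITHUB_OUTPUT"
      ;;
    *)
      printf '%s=%s\n' "$so_name" "$so_value" >> "$GITHUB_OUTPUT"
      ;;
  esac
}

# Constructed sample input: the second line of the value looks like another entry.
demo() (
  GITHUB_OUTPUT=$(mktemp) || exit 1
  set_output version "1.2.3" &&
  set_output notes "fixed bug${NL}admin=true" &&
  cat "$GITHUB_OUTPUT"
  rm -f "$GITHUB_OUTPUT"
)
```

Calling `demo` prints the resulting file: the `admin=true` line stays inside the delimited `notes` block instead of becoming an entry of its own.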

Previously, the original publisher of a package in GitHub Packages had the owner attribute, which granted them admin privileges for the package. The current package admin role has the exact same privileges.

As of today the two roles with identical privileges are being merged and the admin role can be used as the ultimate authority. By default, both the original publisher and the organization owner will have admin privileges on that package.

In addition to uploading and downloading a package, admins can manage a package, read and write package metadata and grant package permissions.

As part of this change, the owner badge is no longer shown next to the package publisher's username.

Learn more about permissions for packages


Enterprise owners can now configure whether repository administrators can enable or disable Dependabot alerts.

If you are an owner of an enterprise with GitHub Advanced Security, you can now also set policies to allow or disallow repository administrators access to enablement for:

  • GitHub Advanced Security
  • Secret scanning


Learn more about enterprise policies for code security and send us your feedback
