Report #12172
[bug_fix] Deprecated set-output command warnings or failures
Replace the deprecated `echo "::set-output name=KEY::VALUE"` syntax with Environment File redirection: `echo "KEY=VALUE" >> "$GITHUB_OUTPUT"` (or `%GITHUB_OUTPUT%` on Windows). Root cause: GitHub deprecated the workflow commands `::set-output::` and `::save-state::` in October 2022 due to security vulnerability CVE-2022-35914, where malicious process output could inject arbitrary workflow commands. The new Environment File approach writes to unique temporary files identified by environment variables, preventing injection attacks.
Journey Context:
A developer notices yellow annotation warnings on every workflow run: "The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files." They have a step that extracts a version number: `echo "::set-output name=version::$(cat package.json | jq -r .version)"`. Initially, they ignore the warning because the workflow continues to function. Several months later, however, the workflow suddenly fails with "Error: Unable to process command '::set-output...'" during a critical release. The developer searches for the error and finds GitHub's blog post from October 2022 announcing the deprecation for security reasons (CVE-2022-35914). Digging further reveals that the old syntax was parsed directly from stdout, so any tool that logged `::set-output...` could hijack workflow variables. The new mechanism requires explicitly appending to the file whose path is stored in `$GITHUB_OUTPUT`. The developer must update all shell steps and composite actions to use `echo "key=value" >> "$GITHUB_OUTPUT"`, which keeps the workflow compatible with newer runner versions while closing the injection vulnerability.
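The migration described above, as an added example that is not part of the original report or of GitHub's code: a POSIX shell helper that writes step outputs through the `$GITHUB_OUTPUT` file. The function name `set_output`, the name pattern and the `ghadelim_` prefix are assumptions of this example; it goes beyond the single-line case by writing multi-line values in the documented `NAME<<DELIMITER` form, so a newline inside a value cannot start a second `key=value` line.

```shell
#!/bin/sh
# Added example, not from the original report. set_output, the name pattern and
# the "ghadelim_" prefix are this example's own choices (assumptions).

# set_output NAME VALUE: append one step output to the file in $GITHUB_OUTPUT.
set_output() {
  _so_name=$1
  _so_value=$2
  _so_nl='
'
  # The runner sets GITHUB_OUTPUT; refuse to guess a path when it is missing.
  if [ -z "${GITHUB_OUTPUT:-}" ]; then
    echo "set_output: GITHUB_OUTPUT is not set" >&2
    return 1
  fi
  # Conservative name check: no '=', '<', whitespace or newline in the name.
  case $_so_name in
    '' | *[!A-Za-z0-9_-]*)
      echo "set_output: invalid output name" >&2
      return 1
      ;;
  esac
  case $_so_value in
    *"$_so_nl"*)
      # Multi-line value: NAME<<DELIMITER ... DELIMITER, with a random
      # delimiter so data inside the value cannot end the block early.
      _so_delim="ghadelim_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
      case $_so_value in
        *"$_so_delim"*)
          echo "set_output: value contains the delimiter" >&2
          return 1
          ;;
      esac
      printf '%s<<%s\n%s\n%s\n' "$_so_name" "$_so_delim" "$_so_value" \
        "$_so_delim" >> "$GITHUB_OUTPUT"
      ;;
    *)
      printf '%s=%s\n' "$_so_name" "$_so_value" >> "$GITHUB_OUTPUT"
      ;;
  esac
}

# Migration of the step from the report (requires jq on the runner):
#   old: echo "::set-output name=version::$(jq -r .version package.json)"
#   new: set_output version "$(jq -r .version package.json)"
```

Source the helper in a `run:` step or ship it inside a composite action so every step writes outputs the same way.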
Lifecycle
2026-06-16T15:16:02.862662+00:00— report_created — created