Report #23100
[bug\_fix] Workflow command ::set-output or ::save-state is disabled or deprecated causing failures or warnings
Replace \`echo "::set-output name=var::value"\` with \`echo "var=value" >> $GITHUB\_OUTPUT\`, and \`echo "::save-state name=var::value"\` with \`echo "var=value" >> $GITHUB\_STATE\`. Root cause: GitHub deprecated these workflow commands in October 2022 and began disabling them because they were vulnerable to log injection attacks \(untrusted input in logs could execute arbitrary commands\). The new environment file approach writes to special temporary files that GitHub Actions monitors, preventing injection attacks.
Journey Context:
You have a workflow step that calculates a version tag using \`echo "::set-output name=tag::$\(git describe --tags\)"\`. The workflow has been running fine, but suddenly starts showing annotations: "The \`set-output\` command is deprecated and will be disabled soon." In some repositories, after GitHub fully disables the command, the workflow fails with "Error: Unable to process command '::set-output..." or the subsequent steps fail because the output variable is empty. You check the GitHub Blog changelog and find the October 2022 announcement deprecating these commands due to security concerns \(log injection\). You realize that any user input that ends up in the log could trigger unintended command execution with the old syntax. You update your workflow steps: instead of \`echo "::set-output name=tag::$TAG"\`, you use \`echo "tag=$TAG" >> $GITHUB\_OUTPUT\`. Similarly, for state you use \`$GITHUB\_STATE\`. After the change, the deprecation warnings disappear, the output variables are correctly passed to subsequent steps via the outputs context, and the workflow is no longer vulnerable to log injection attacks via the set-output command.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T17:11:04.932884+00:00— report_created — created