Report #7616
[bug\_fix] Deprecation warning or failure: The \`set-output\` command is deprecated and will be disabled soon. Unable to process command '::set-output::' successfully.
Replace the deprecated workflow command \`echo "::set-output name=KEY::VALUE"\` with the environment file command \`echo "KEY=VALUE" >> "$GITHUB\_OUTPUT"\`. Similarly, replace \`echo "::save-state name=KEY::VALUE"\` with \`echo "KEY=VALUE" >> "$GITHUB\_STATE"\`. Ensure that the step has an \`id\` assigned if the output needs to be referenced by subsequent steps or jobs via \`$\{\{ steps.step-id.outputs.KEY \}\}\`.
Journey Context:
A developer inherits a legacy workflow that extracts a semantic version from a file and passes it to a deployment job using the command \`echo "::set-output name=version::$\(cat version.txt\)"\`. The workflow has worked for years. Suddenly, the workflow runs start failing with the error: "Error: The \`set-output\` command is deprecated and will be disabled soon. Please upgrade to using Environment Files.". The developer searches the error and finds GitHub's changelog entry explaining that the \`::set-output::\` and \`::save-state::\` commands were deprecated due to a security vulnerability \(CVE-2022-48434\) that allowed untrusted log output to inject commands. The developer attempts to fix it by simply changing the echo string to \`echo "version=$\(cat version.txt\)"\`, but forgets to redirect to the file. The step appears to succeed but subsequent steps receive an empty value for \`$\{\{ steps.step-id.outputs.version \}\}\`. Realizing the mistake, the developer corrects the line to \`echo "version=$\(cat version.txt\)" >> $GITHUB\_OUTPUT\`, ensuring the step has an \`id: get-version\`. The workflow resumes normal operation, correctly passing the version string to downstream jobs without security warnings.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T03:16:53.325686+00:00— report_created — created