deprecatedcommands

package
v0.4.0 Latest
Warning

This package is not in the latest version of its module.

Published: Mar 26, 2026 License: MIT Imports: 8 Imported by: 0

README

deprecated-commands

Detects usage of deprecated GitHub Actions workflow commands and the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable.

Risk

GitHub deprecated the ::set-env, ::add-path, ::set-output, and ::save-state workflow commands in favor of environment files. The ::set-env and ::add-path commands have known security vulnerabilities: any process that can write to stdout can inject arbitrary environment variables or prepend entries to PATH, enabling code execution.

Setting ACTIONS_ALLOW_UNSECURE_COMMANDS: true re-enables the disabled ::set-env and ::add-path commands, exposing the workflow to these injection attacks.

Note: This rule detects deprecated commands in echo, printf, and print arguments by parsing the shell script with a bash parser. Commands output through other means (variable expansion, heredocs, other commands) are not detected.

Examples

Bad

on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "::set-env name=FOO::bar"

on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "::add-path::/usr/local/bin"

on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "::set-output name=result::value"

on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "::save-state name=pid::1234"

on: push
env:
  ACTIONS_ALLOW_UNSECURE_COMMANDS: true
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo hello

Good

on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "FOO=bar" >> "$GITHUB_ENV"

on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "/usr/local/bin" >> "$GITHUB_PATH"

on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "result=value" >> "$GITHUB_OUTPUT"

on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "pid=1234" >> "$GITHUB_STATE"

Replacements

| Deprecated Command | Environment File |
| --- | --- |
| echo "::set-env name=NAME::VALUE" | echo "NAME=VALUE" >> "$GITHUB_ENV" |
| echo "::add-path::PATH" | echo "PATH" >> "$GITHUB_PATH" |
| echo "::set-output name=NAME::VALUE" | echo "NAME=VALUE" >> "$GITHUB_OUTPUT" |
| echo "::save-state name=NAME::VALUE" | echo "NAME=VALUE" >> "$GITHUB_STATE" |
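
A simplified scanner for the patterns listed above, added here as an example and not the package's own code. It matches each line with a regular expression instead of the bash parser the rule uses, so it has the same blind spots noted earlier (variable expansion, heredocs, other commands). The `Finding` type, the `Scan` function and the sample workflow are hypothetical and constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one flagged workflow line (hypothetical type for this example).
type Finding struct {
	Line                 int    // 1-based line number in the workflow text
	Command, Replacement string // what was found; environment file to use instead ("" if none)
}

// replacements mirrors the table above: deprecated command -> environment file.
var replacements = map[string]string{
	"set-env": "$GITHUB_ENV", "add-path": "$GITHUB_PATH",
	"set-output": "$GITHUB_OUTPUT", "save-state": "$GITHUB_STATE",
}

var (
	// An echo/printf/print call whose argument starts with a deprecated command.
	cmdRe = regexp.MustCompile(`\b(?:echo|printf|print)\s+(?:-\w+\s+)*["']?::(set-env|add-path|set-output|save-state)\b`)
	// The opt-in that re-enables ::set-env and ::add-path.
	envRe = regexp.MustCompile(`(?i)^\s*ACTIONS_ALLOW_UNSECURE_COMMANDS\s*:\s*["']?true\b`)
)

// Scan flags deprecated workflow commands and the unsafe opt-in, line by line.
func Scan(workflow string) []Finding {
	var out []Finding
	for i, line := range strings.Split(workflow, "\n") {
		if m := cmdRe.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{i + 1, "::" + m[1], replacements[m[1]]})
		}
		if envRe.MatchString(line) {
			out = append(out, Finding{i + 1, "ACTIONS_ALLOW_UNSECURE_COMMANDS", ""})
		}
	}
	return out
}

func main() {
	// Constructed sample workflow; the last step is a clean environment-file write.
	wf := "on: push\nenv:\n  ACTIONS_ALLOW_UNSECURE_COMMANDS: true\njobs:\n  build:\n    steps:\n" +
		"      - run: echo \"::set-env name=FOO::bar\"\n      - run: echo \"result=value\" >> \"$GITHUB_OUTPUT\"\n"
	for _, f := range Scan(wf) {
		fmt.Printf("line %d: %s -> %s\n", f.Line, f.Command, f.Replacement)
	}
}
```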

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Rule

type Rule struct{}

func (*Rule) CheckAction

func (r *Rule) CheckAction(mapping workflow.ActionMapping) []*diagnostic.Error

func (*Rule) CheckWorkflow

func (r *Rule) CheckWorkflow(mapping workflow.WorkflowMapping) []*diagnostic.Error

func (*Rule) Fix

func (r *Rule) Fix() string

func (*Rule) ID

func (r *Rule) ID() string

func (*Rule) Online

func (r *Rule) Online() bool

func (*Rule) Required

func (r *Rule) Required() bool

func (*Rule) Why

func (r *Rule) Why() string
