Azure/get-keyvault-secrets

Action need to update to deal with CVE vulnerabilities

Closed this issue · 16 comments

@N-Usha or anyone from the team have any update on this? The deadline is now November 16th and this would break our workflows entirely

#13 should solve this if/when it gets merged.

Thanks for approving @romil07, please could you also merge this and create a new release so that we can use it.

@romil07 @kf6kjg After bumping our version in our workflows to v1.1 I'm still running into the set-env errors. Any ideas on this?

Update: Also went back down to v1 since I see they both were released with the same commit just to make sure it wasn't something funny and I see the same error

[Screenshot attached: "Screen Shot 2020-11-16 at 8 46 45 AM"]

@romil07 @kf6kjg After looking into this, it seems this library is also using an old version of azure-actions-webclient.

If that doesn't work, that library itself still has @actions/core as version ^1.1.3 in its own package.json, so I think to fully mitigate this the azure-actions-webclient package will need to be upgraded and released, then this library will have to consume that new change

I was able to get this fixed in our fork. [EDIT: and it only needed the patch in #13 to do it, along with the following release strategy.] The release processes here are a little strange: the release branches, where the tag is placed, have to have the fully updated node_modules folder committed.

To build I did this:

  1. Create new releases/v* branch or move the existing. I did the latter.

  2. Execute the following:

    npm ci
    npm run build
    git add -f node_modules AND_EVERYTHING_ELSE_THATS_UPDATED

    Note that the above is from memory so YMMV: my bash history didn't store my actions for some reason and I didn't write them down.

  3. Commit the added changes and push the branch.

  4. Tag the branch with the relevant version tags.
    Note that if you are creating v1.2.3 you'll need to make sure that the commit has both the v1 and v1.2 tags - even if you have to move the tags from their previous location. This is due to how GH Actions references versions: it only looks for the exact tag if that tag exists.

There are probably better strategies, but I was working off of reverse engineering the first release, not making it better.
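The release strategy described in the comment above, rehearsed as an added example in a throw-away git repository (this is not the project's release tooling and not code from the thread). It assumes only that git is on PATH; the branch name, versions and the fake node_modules contents are constructed for the demo. It also adds the check the thread later needed: confirming that node_modules is actually tracked on the release branch before relying on the tags.

```shell
#!/usr/bin/env sh
# Added example: commit built output plus node_modules on the release branch,
# then make v1, v1.2 and v1.2.3 all point at that commit, force-moving the
# floating tags (v1, v1.2) when they already exist. Constructed inputs only.
set -e

# Identity and signing settings passed per call so it runs with no global git config.
git_() {
  git -c user.name=example -c user.email=example@example.invalid \
      -c commit.gpgsign=false -c tag.gpgSign=false "$@"
}

# Create a repo whose first branch is the (hypothetical) release branch.
init_release_repo() {
  repo="$1"; branch="$2"
  git_ init -q "$repo"
  git -C "$repo" symbolic-ref HEAD "refs/heads/$branch"
  ( cd "$repo" && echo 'console.log("v0")' > index.js \
      && git_ add index.js && git_ commit -q -m "initial" )
}

# Stand-in for "npm ci && npm run build": write lib/ and node_modules/, then
# force-add node_modules although .gitignore would normally exclude it.
commit_build() {
  repo="$1"; version="$2"
  (
    cd "$repo"
    echo node_modules > .gitignore
    mkdir -p lib node_modules/@actions/core
    printf '{ "version": "%s" }\n' "$version" > node_modules/@actions/core/package.json
    echo "built $version" > lib/index.js
    git_ add -f node_modules .gitignore lib
    git_ commit -q -m "Release $version with updated node_modules"
  )
}

# Tag HEAD as v<major>, v<major>.<minor> and v<major>.<minor>.<patch>.
# -f moves v1 / v1.2 forward if they currently point at an older release.
tag_release() {
  repo="$1"; version="$2"
  major="${version%%.*}"; rest="${version#*.}"
  minor="${rest%%.*}";    patch="${rest#*.}"
  (
    cd "$repo"
    git_ tag -f "v$major" HEAD
    git_ tag -f "v$major.$minor" HEAD
    git_ tag "v$major.$minor.$patch" HEAD   # the exact tag is created once, never moved
  )
}

# Commit a tag resolves to, so all three tags can be checked for agreement.
tag_target() { git -C "$1" rev-parse "$2^{commit}"; }

# Exit 0 only when node_modules is tracked on the current branch. This is the
# step the thread found missing: tags in place, but the folder not committed,
# so the action kept loading the old @actions/core.
node_modules_committed() {
  git -C "$1" ls-files node_modules | grep -q .
}

# Demo run: two releases, then show where every tag ended up.
demo="$(mktemp -d)"
init_release_repo "$demo" releases/v1
commit_build "$demo" 1.0.0; tag_release "$demo" 1.0.0
commit_build "$demo" 1.1.0; tag_release "$demo" 1.1.0
git -C "$demo" tag -n1 | sort
node_modules_committed "$demo" \
  && echo "node_modules is committed on $(git -C "$demo" symbolic-ref --short HEAD)"
rm -rf "$demo"
```

After the second release, v1 and v1.1 point at the 1.1.0 commit while v1.0 stays on the 1.0.0 commit, which is exactly the layout a workflow with `uses: ...@v1` needs in order to pick up the fix without any edit.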

I see that you've got the tags and branch in place. However, I also see that you've not yet committed the updated node_modules folder to the release branch. Until that happens, it'll continue to use the old version of @actions/core and show the error.

@romil07 Any updates on when the new release is going to be pushed? This is breaking all my pipelines now.

@brianleppez I am working on this. Will do it today.

@brianleppez @kf6kjg @dakota-maker-by @surfraz @N-Usha @gabriel-kohen-by
I have made the required changes. Can you please test again and let us know if there are any issues?

@romil07 working now, thanks

anpaz commented

We're facing the same error, do you know if we need to explicitly update the Action to use v1.1, or will it pick it up automatically?

@anpaz As long as your uses line ends with @v1 it should pick it up automatically. If you specified @v1.0 you'll have to change it explicitly.

Thanks @romil07. Works like a charm

thanks @romil07. It worked.

Closing as this is fixed.