GHA Deprecation: "add-path" and "set-env" #84

Closed
mrmundt opened this issue Oct 8, 2020 · 12 comments


mrmundt commented Oct 8, 2020

GitHub Actions is deprecating set-env and add-path due to a security risk: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/

Currently, the `setup-miniconda` action has these lines:

```
$ grep setup-miniconda/ -nre "set-env"
setup-miniconda//dist/delete/index.js:577: *   ::set-env name=MY_VAR::some value
setup-miniconda//dist/delete/index.js:700:        command_1.issueCommand('set-env', { name }, convertedVal);
setup-miniconda//dist/setup/index.js:17524: *   ::set-env name=MY_VAR::some value
setup-miniconda//dist/setup/index.js:20008:        command_1.issueCommand('set-env', { name }, convertedVal);
$ grep setup-miniconda/ -nre "add-path"
setup-miniconda//dist/delete/index.js:722:        command_1.issueCommand('add-path', {}, inputPath);
setup-miniconda//dist/setup/index.js:20030:        command_1.issueCommand('add-path', {}, inputPath);
```

Which cause this warning when using it in a GHA workflow:

```
The `add-path` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
The `set-env` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
```

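
The warnings above name Environment Files as the replacement for `set-env` and `add-path`. The following Node.js helpers are an added example (not part of the original issue, and not code from setup-miniconda or `@actions/core`) showing the records an action appends to the files named by `GITHUB_ENV` and `GITHUB_PATH`; the function names are hypothetical.

```javascript
// Added example: hypothetical helpers, not code from setup-miniconda or @actions/core.
const fs = require('fs');
const os = require('os');
const path = require('path');
const crypto = require('crypto');

// Append one record to the file whose path the runner passes in `envVar`
// (GITHUB_ENV or GITHUB_PATH). The runner reads that file after the step,
// so setting a variable no longer depends on parsing the step's log output.
function appendRunnerFile(envVar, record) {
  const file = process.env[envVar];
  if (!file) throw new Error(`${envVar} is not set: runner has no environment files`);
  fs.appendFileSync(file, record + os.EOL, 'utf8');
  return record;
}

// Replaces `::set-env name=NAME::value`.
function exportVariable(name, value) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
    throw new Error(`unexpected variable name: ${JSON.stringify(name)}`);
  }
  const text = String(value);
  // Heredoc form (NAME<<DELIM ... DELIM) carries multi-line values. A random
  // delimiter keeps a value from closing the block early and adding records.
  const delim = `ghadelimiter_${crypto.randomBytes(16).toString('hex')}`;
  if (text.includes(delim)) throw new Error('value contains the delimiter');
  const record = `${name}<<${delim}${os.EOL}${text}${os.EOL}${delim}`;
  appendRunnerFile('GITHUB_ENV', record);
  process.env[name] = text; // also visible to the rest of the current step
  return record;
}

// Replaces `::add-path::DIR`: one directory per line in GITHUB_PATH.
function addPath(dir) {
  if (/[\r\n]/.test(dir)) throw new Error('path must be a single line');
  appendRunnerFile('GITHUB_PATH', dir);
  process.env.PATH = `${dir}${path.delimiter}${process.env.PATH || ''}`;
  return dir;
}
```
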
Contributor

bollwyvl commented Oct 8, 2020

Looks like this is a duplicate of #78. #79 fixed this, we'll be doing a release soon!

Author

mrmundt commented Oct 8, 2020

Great! Sorry, I only searched open PRs before submitting this.

Contributor

bollwyvl commented Oct 8, 2020

No worries. We're working on a CHANGELOG (#85) as part of the next release, so it should be clearer in the future!

Author

mrmundt commented Nov 3, 2020

Checking in. Do you have an ETA for the new release?

Member

goanpeca commented Nov 4, 2020

@bollwyvl sorry this has been a busy/weird month. Just to catch up. We just need to merge the changelog PR work to cut a new release?

Let me know, so we can get this out soon!

Cheers

Contributor

bollwyvl commented Nov 4, 2020

think so! If you can review the changelog so we can steal some of that sweet, sweet tribal knowledge from your brain... i'll rekick it anyway, just to see how we're doing...


henryiii commented Nov 7, 2020

Don't forget this! ;) (Google has released the details of the exploit, so it's pretty high priority for GH to shut it down, I believe)

Member

goanpeca commented Nov 9, 2020

So can we close this now @bollwyvl 🙃 ?

Contributor

bollwyvl commented Nov 9, 2020

I had been testing with 16930e6 with no warnings, so i'd say we're good!

bollwyvl closed this as completed Nov 9, 2020

henryiii commented Nov 9, 2020

Ouch, the version bumped to 2, so @v1 won't pick this up! I'm moving to using dependabot and exact versions for non-official actions (since not all projects keep the "vX" tag up), but not everywhere yet. Was there something backward incompatible that was added? Changelog only lists this changed warning and the addition of explicit envs.

(Not a complaint, just a question :) Thanks for the release!)


dhimmel commented Nov 10, 2020

> Ouch, the version bumped to 2, so @v1 won't pick this up!

Also wondering whether this could be backported to v1 (or just tagged with v1 since it's back compat). We use this action in Manubot, where a large number of users have cloned our CI script, and don't update that frequently. See manubot/rootstock#388.

v2 was just released, so there is going to be a one week time from when conda-incubator/setup-miniconda@v1 was the latest version till when it stops working:

> The set-env command is deprecated and will be disabled on November 16th.

In Manubot's case, users also have to upgrade due to an unrelated issue, so it's not essential for us. But might be for others?

@goanpeca
Member

@bollwyvl thoughts?
