nbgv is broken with now that the add-path command is disabled

[jamesmcguirepro]

Error: Unable to process command '::add-path::C:\Users\runneradmin\.dotnet\tools' successfully.
Error: The `add-path` command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/

[AArnott]

Duplicate of #32

Please attach links to your GitHub workflow executions so we can investigate the logs and find out why the existing fix for this isn't resolving it for your case.

[jamesmcguirepro]

Unfortunately, it's a private repo. I did attach the output of the command. Here's how we are calling it:

      # Use Nerdbank.GitVersioning to set version variables: https:/dotnet/nbgv
      - name: Use Nerdbank.GitVersioning to set version variables
        uses: dotnet/[email protected]
        with:
          setAllVars: true

I think #32 and dotnet/Nerdbank.GitVersioning#516 fixed the calls to the set-env command.

However, add-path is a separate command.

I don't know typescript very well, but if I had to guess, this could be a cause: https:/dotnet/nbgv/blob/master/src/main.ts#L21

[AArnott]

Thanks, @jamesmcguirepro. I'm glad to hear set-env is fixed. Regarding add-path, that code you found is calling through the github actions NPM package which is updated and I confirmed will avoid the console logging command. Are you saying the problem still repros even after this issue was closed a few hours ago?

[jamesmcguirepro]

Just repro'd it a few minutes ago. I have also been using ACTIONS_ALLOW_UNSECURE_COMMANDS: true as a workaround for now.

Run dotnet/[email protected]
"C:\Program Files\dotnet\dotnet.exe" tool install -g nbgv

Welcome to .NET Core 3.1!
---------------------
SDK Version: 3.1.403

Telemetry
---------
The .NET Core tools collect usage data in order to help us improve your experience. The data is anonymous. It is collected by Microsoft and shared with the community. You can opt-out of telemetry by setting the DOTNET_CLI_TELEMETRY_OPTOUT environment variable to '1' or 'true' using your favorite shell.

Read more about .NET Core CLI Tools telemetry: https://aka.ms/dotnet-cli-telemetry

----------------
Explore documentation: https://aka.ms/dotnet-docs
Report issues and find source on GitHub: https:/dotnet/core
Find out what's new: https://aka.ms/dotnet-whats-new
Learn about the installed HTTPS developer cert: https://aka.ms/aspnet-core-https
Use 'dotnet --help' to see available commands or visit: https://aka.ms/dotnet-cli-docs
Write your first app: https://aka.ms/first-net-core-app
--------------------------------------------------------------------------------------
You can invoke the tool using the following command: nbgv
Tool 'nbgv' (version '3.3.37') was successfully installed.
Error: Unable to process command '::add-path::C:\Users\runneradmin\.dotnet\tools' successfully.
Error: The `add-path` command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
C:\Users\runneradmin\.dotnet\tools\nbgv.exe get-version -f json -p .

[AArnott]

Hang on. You've pinned the pre-fixed version of the Github Action. You have this in your log, @jamesmcguirepro:

Run dotnet/[email protected]

Please either use @master or @v0.4.0.

[wjrogers]

FWIW, the GitHub Actions documentation strongly encourages pinning actions to a release tag. I also did not realize this action had been fixed because I was using the latest release (which is still v0.3.1 the moment). Do you have any plans to adopt the "floating major version tag" convention?

[AArnott]

Great. I'm glad you're unblocked.

I don't think "floating major version tag" is a thing. Git does not do well with tags that ever get redefined. Rather, I suspect you're referring to servicing branches. And yes, I usually do that but haven't started that till now.

I've pushed v0.4 as a branch so you can use dotnet/[email protected] if you want to 'float up' with any servicing fixes made to the 0.4 release. Pinning to the v0.4.0 tag is still possible, but no servicing can happen on a tag.

[wjrogers]

@AArnott https://docs.github.com/en/free-pro-team@latest/actions/creating-actions/about-actions#using-tags-for-release-management

Move the major version tag (such as v1, v2) to point to the Git ref of the current release.

GitHub's official docs recommend moving major version tags with each release. I'm not sure what I think about it, personally, but it's what all the official actions are doing. As a user, it does make it easier to track bug fixes. 🤷‍♂️

[AArnott]

I don't know how they get away with that, since git clones do not fetch tags they already have, so moving tags is a very broken idea (at least last I checked). Anyway, from a GitHub Action consumer's perspective, tag vs. branch is equivalent, so I'll be using the git concept that reflects things that move (branches) rather than tags.

[AArnott]

Thanks for sharing that doc though. I'll reach out to the github folks to ask why they're recommending that.

[AArnott]

@wjrogers FYI I filed some feedback and sent this PR to fix the docs. It'll be interesting to see how they respond to it.

I did a quick test, and current versions of git still do not download tags they already know about, so indeed redefining a tag is a recipe for great confusion amongst many git clone users.

[j2ghz]

I think this issue should be kept open until solved. Today I clicked on "Use latest version" on https:/marketplace/actions/nerdbank-gitversioning and got a version that doesn't work.

Furthermore, 0.4.0 is not listed there, but when specified manually it works:

[AArnott]

@j2ghz I'm glad v0.4 is working for you. I can't publish new versions to the marketplace now, but thank you for pointing out that I missed it. I've reached out to the .NET Foundation folks to accept a github agreement so that I can publish new versions there again.