
It’s pretty absurd for GitHub to suggest that you should go through multiple steps to disable commands to log untrusted output. [1] Poor form to expect developers to understand and check for a new way that they need to sanitize their input rather than GitHub fixing it (possibly in a backwards-incompatible way).

At a minimum they should provide a shell script (`show $XYZ`) and a JS function that handles generating those tokens and enabling/disabling workflow commands for you.

[1] https://github.blog/changelog/2020-10-01-github-actions-depr...


IMO at the very least they should have an org-wide option in settings to disable command interpretation.


Yeah the ability to disable the insecure commands is crucial. That should be the first thing they should do.

Probably a lot of people aren’t even using this functionality in their workflows anyway.

I think the only one of these commands that I actually use is setting outputs, and I don’t even use that very often.

There should also be a way to see which commands have been triggered via stdout, so you can at least see what happened if something malicious happens.
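As an added example (not code from the original commenters or from GitHub), the script below does the two things the comments above ask for: it generates an unguessable `stop-commands` token and wraps untrusted output in the documented `::stop-commands::TOKEN` ... `::TOKEN::` markers, and it scans a step's stdout to report which workflow commands would have been honoured and which were blocked. The regex is an assumption, a simplified re-implementation of the `::command key=value::data` line grammar rather than the runner's own parser, and the sample build output is constructed for the demonstration.

```python
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass

# Shape of a workflow command line as GitHub Actions reads it from a step's stdout:
#   ::command key=value,key2=value2::data
# Assumption: a simplified re-implementation of that grammar, not the runner's parser.
CMD_RE = re.compile(r"^::([A-Za-z0-9_-]+)(?:\s+([^:]*))?::(.*)$")

# The two commands the linked changelog deprecates because untrusted stdout could trigger them.
DEPRECATED = {"set-env", "add-path"}


@dataclass
class Command:
    line_no: int
    name: str
    params: dict
    value: str
    honoured: bool  # False when the line fell inside a stop-commands region


def new_stop_token() -> str:
    """Unguessable resume token: the untrusted output must not be able to predict it."""
    return secrets.token_hex(16)


def wrap_untrusted(output: str, token: str) -> str:
    """Bracket untrusted output so any workflow commands inside it are ignored."""
    return f"::stop-commands::{token}\n{output}\n::{token}::"


def _parse_params(raw: str) -> dict:
    params = {}
    for pair in filter(None, raw.split(",")):
        key, _, val = pair.partition("=")
        params[key.strip()] = val
    return params


def scan(stdout: str) -> list[Command]:
    """Replay stop-commands handling over stdout and record every workflow command seen,
    marking which ones the runner would actually act on."""
    found: list[Command] = []
    stop_token = None
    for n, line in enumerate(stdout.splitlines(), 1):
        if stop_token is not None and line.strip() == f"::{stop_token}::":
            stop_token = None  # resume marker: commands are live again
            continue
        m = CMD_RE.match(line)
        if not m:
            continue
        name, raw_params, value = m.group(1), m.group(2) or "", m.group(3)
        live = stop_token is None
        if name == "stop-commands" and live:
            stop_token = value  # everything until ::value:: is inert
            continue
        found.append(Command(n, name, _parse_params(raw_params), value, live))
    return found


def audit(stdout: str) -> list[str]:
    """Human-readable trail of which commands were triggered and which were blocked."""
    report = []
    for c in scan(stdout):
        state = "HONOURED" if c.honoured else "blocked "
        risk = " (deprecated, injectable)" if c.name in DEPRECATED else ""
        report.append(f"line {c.line_no}: {state} ::{c.name} {c.params} -> {c.value!r}{risk}")
    return report


# Constructed sample: a build step's output into which a dependency injected commands.
UNTRUSTED_OUTPUT = """\
npm WARN deprecated left-pad@1.0.0
::set-env name=NODE_OPTIONS::--require /tmp/evil.js
::add-path::/tmp/evil
build finished"""

if __name__ == "__main__":
    print("--- raw output ---")
    print("\n".join(audit(UNTRUSTED_OUTPUT)))
    print("--- wrapped with stop-commands ---")
    print("\n".join(audit(wrap_untrusted(UNTRUSTED_OUTPUT, new_stop_token()))))
```

Piping a build tool through `wrap_untrusted` (or emitting the two marker lines around it in the workflow step) is the manual mitigation the changelog describes; running `audit` over a saved job log is the visibility the comment above asks for, since the runner itself does not list which commands it consumed.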

