zaproxy / action-baseline

A GitHub Action for running the ZAP Baseline scan
Apache License 2.0

Nodejs 12 deprecated, upgrade to Nodejs 16. #97

Closed derekmurawsky closed 1 year ago

derekmurawsky commented 1 year ago

Scanning with the GitHub Action, I got the following annotation.

Scan the target with ZAP Baseline X

Node.js 12 actions are deprecated. Please update the following actions to use Node.js 16: zaproxy/action-baseline@v0.7.0. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/.

Please upgrade this action to the newer version.

kingthorin commented 1 year ago

Please contact GitHub, they're displaying that annotation on basically every action/workflow run. It has nothing to do with this action. I see it all over the place all the time.

Duplicate of zaproxy/action-baseline#83

derekmurawsky commented 1 year ago

Maybe I'm missing something, @kingthorin, but those changes were made 6 months ago, but the last release was 0.7.0, which was released on May 23, 2022, which is 9 months ago. Perhaps the new release wasn't cut, so there isn't a newer action available for us to reference?

thc202 commented 1 year ago

Actions can be used without a tag or release, you can use the commit or the branch (commit is safer).

derekmurawsky commented 1 year ago

Thanks @thc202, I'm aware of that capability, however I was following the docs which specify using a release ID, and referenced the current release. I assumed that was what we were supposed to do, and I think that's what most folks reading the docs would assume as well. I'll switch to using the commit ID for now, but suggest updating the docs, or cutting actual releases.

kingthorin commented 1 year ago

That's fair, thanks for following up.

thc202 commented 1 year ago

Which docs?

kingthorin commented 1 year ago

I'm guessing just the repo README

thc202 commented 1 year ago

In the readme it's an example usage.

kingthorin commented 1 year ago

Agreed 😀

houserx-jmcc commented 1 year ago

I'm not sure I follow why a new release is being avoided. When browsing Actions in the Marketplace, GitHub makes it pretty clear that using Releases is an ideal way to target versions - the big green button "Use latest version" defaults to your latest release, which will very soon be pointed towards a broken version.

A lack of current releases also makes it harder to use something like dependabot to stay on top of new action releases.
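
Added example, not part of the thread or the project's code: a check for the pinning advice given earlier in the thread (a commit is safer than a tag or branch). It lists every `uses:` reference in a workflow and marks whether it is pinned to a full commit SHA. The workflow text, the 40-character SHA and the `main` branch reference are constructed sample values.

```python
import re

# Matches "uses: owner/repo[/subpath]@ref", with or without a leading "- ".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: zap-baseline
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.7.0
        with:
          target: https://example.com
      - uses: zaproxy/action-baseline@main
      - uses: ./.github/actions/local-step
"""

def audit_workflow(text):
    """Return (line_no, reference, verdict) for every `uses:` entry."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            verdict = "skipped"   # local actions and container images: out of scope here
        elif "@" not in ref:
            verdict = "unpinned"  # no ref given at all
        else:
            version = ref.rsplit("@", 1)[1]
            # Only a full commit SHA is immutable; tags and branches can be moved.
            verdict = "pinned" if FULL_SHA_RE.match(version) else "mutable"
        findings.append((line_no, ref, verdict))
    return findings

def needs_pinning(text):
    """References that can change underneath the workflow without a diff."""
    return [f for f in audit_workflow(text) if f[2] in ("mutable", "unpinned")]

if __name__ == "__main__":
    for line_no, ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} -> {verdict}")
```
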