`setup-python` pip upgrade triggers root user warning on self-hosted runners

[xgboosted]

Problem

On root-user self-hosted runners (e.g. Hetzner Cloud), setup-python internally upgrades pip against the system Python outside any venv:

// src/find-python.ts — installPip()
`${pythonLocation}/python -m pip install --upgrade pip --disable-pip-version-check`

This produces on every run:

WARNING: Running pip as the 'root' user can result in broken permissions...
Use the --root-user-action option if you know what you are doing.

The warning cannot be suppressed from the workflow side because setup-python spawns the pip subprocess via a Node.js child process with a controlled environment that does not reliably inherit the job-level PIP_ROOT_USER_ACTION env var or /etc/pip.conf.

Proposed Fix

Add --root-user-action=ignore to the pip upgrade call in src/find-python.ts:

await exec.exec(`${pythonLocation}/python`, [
  '-m', 'pip', 'install', '--upgrade', 'pip',
  '--root-user-action=ignore',
  '--disable-pip-version-check',
  '--no-warn-script-location'
]);

This is a non-breaking, no-op change on non-root runners.

Reproduction

jobs:
  test:
    runs-on: self-hosted  # root user (e.g. Hetzner Cloud ephemeral runner)
    steps:
      - uses: actions/setup-python@v6
        with:
          python-version: '3.12'

Log output:

Upgrading pip...
WARNING: Running pip as the 'root' user...
Successfully installed pip-26.0.1

Environment

setup-python	v6
Runner OS	Ubuntu 24.04
Runner user	root
Python version	3.12

[mahabaleshwars]

Hi @xgboosted,
Thank you for creating this issue. We will investigate it and provide feedback as soon as we have some updates.

[priyagupta108]

Hi @xgboosted, thank you for the detailed report.
The warning does not originate from src/find-python.ts. The installPip() function in find-python.ts only runs when the pip-version: input is explicitly set. The "Upgrading pip..." line in your log is printed by the setup.sh script bundled inside the pre-built Python tarball from actions/python-versions, which runs during Python installation.

The warning comes from ensurepip’s internal pip subprocess. Suppression attempts like PIP_ROOT_USER_ACTION, --root-user-action=ignore, or /etc/pip.conf do not help here because ensurepip strips PIP_* environment variables and ignores pip.conf before spawning pip by design. You can see this in CPython’s ensurepip/__init__.py#L98-L107.

Hope this clarifies the situation.

[leofang]

@priyagupta108 yes, you're right about ensurepip being the real cause. It took us quite a while to figure this out (NVIDIA/cuda-python#1879 (comment)).

I think actions/python-versions#369 would be the correct fix (to avoid calling ensurepip when possible). Could you help get it cross the finish line? 🙂

[xgboosted]

@priyagupta108 Can the suggestion made by @leofang be prioritized?

actions/python-versions#369

[priyagupta108]

Hello @xgboosted @leofang,
Thank you for your response. We’ve opened another PR actions/python-versions#392 with an alternative approach to address the warning from the setup-python side by avoiding ensurepip when possible.
Please take a look when you have a chance, and let us know if there’s anything we should adjust.

[xgboosted]

@priyagupta108, I left a review comment in the PR, please check it out and apply the fix to merge the PR.

[priyagupta108]

@xgboosted,
Thanks for the thorough review! You're absolutely right, this is a valid concern. I've addressed it in the latest commit by adding an explicit $LASTEXITCODE check after ensurepip, so its failure surfaces with a dedicated error message rather than being misattributed to the pip install step. Please take another look when you get a chance.