Upgrading pip by default

[adminy]

Description:
Its upgrading pip and I did not ask it to do that.

Action version:
v5

Platform:

• Ubuntu
• macOS
• Windows

Runner type:

• Hosted
• Self-hosted

Tools version:

3.9

Expected behavior:
Should not install pip.

Actual behavior:
Its installing pip by default

Run actions/setup-python@v5
  
Installed versions
  Version 3.9 was not found in the local cache
  Version 3.9 is available for downloading
  Download from "https://github.com/actions/python-versions/releases/download/3.9.[18](REDACTED#step:5:19)-5997508477/python-3.9.18-linux-[20](REDACTED#step:5:21).04-x64.tar.gz"
  Extract downloaded archive
  /usr/bin/tar xz --warning=no-unknown-keyword -C /runner/_work/_temp/8e[22](REDACTED#step:5:23)4dab-9ad4-44e5-a685-35a93189652e -f /runner/_work/_temp/ea87a57e-efed-4781-97be-b1f732890da7
  Execute installation script
  Check if Python hostedtoolcache folder exist...
  Creating Python hostedtoolcache folder...
  Create Python 3.9.18 folder
  Copy Python binaries to hostedtoolcache folder
  Create additional symlinks (Required for the UsePythonVersion Azure Pipelines task and the setup-python GitHub Action)
  Upgrading pip...
  Looking in links: /tmp/tmp3y6rkgbv
  Requirement already satisfied: setuptools in /opt/hostedtoolcache/Python/3.9.18/x64/lib/python3.9/site-packages (58.1.0)
  Requirement already satisfied: pip in /opt/hostedtoolcache/Python/3.9.18/x64/lib/python3.9/site-packages ([23](REDACTED#step:5:24).0.1)
  Collecting pip
  Downloading pip-23.3.2-py3-none-any.whl (2.1 MB)
  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 22.7 MB/s eta 0:00:00
  
  Installing collected packages: pip
  Successfully installed pip-23.3.2
  Create complete file
  Successfully set up CPython (3.9.18)

[HarithaVattikuti]

Hello @adminy
Thank you for creating this issue. We will investigate it and get back to you as soon as we have some feedback.

[nffdiogosilva]

Actually for me this would be the default behaviour expected. Normally pip whenever has a new version it warns you to update. Also it would help us address vulnerabilities found in pip.

@adminy, can you specify how you've setup your workflow? Which options did you set up? I'm only pointing to install python 3.8 and pip isn't being updated.

Would like to understand how to reproduce your output. Thank you.

[adminy]

    - name: Setup Python
      uses: actions/setup-python@v5
      with:
        python-version: 3.9

I understand that pip has to be up to date, but for me its more important to install python, since I just need python really. I don't care if pip is vunerable if it can shave an extra 7 seconds from the action to load python.

Seems to be checking setuptools and pip:

Version 3.9 was not found in the local cache
Version 3.9 is available for downloading
Download from "https://github.com/actions/python-versions/releases/download/3.9.18-5997508477/python-3.9.18-linux-20.04-x64.tar.gz"
Extract downloaded archive
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /runner/_work/_temp/31689208-3d0a-4cbd-8656-1a2c96b0d36e -f /runner/_work/_temp/592456ba-5748-4a30-9062-598bf12a7a62
Execute installation script
Check if Python hostedtoolcache folder exist...
Creating Python hostedtoolcache folder...
Create Python 3.9.18 folder
Copy Python binaries to hostedtoolcache folder
Create additional symlinks (Required for the UsePythonVersion Azure Pipelines task and the setup-python GitHub Action)
Upgrading pip...
Looking in links: /tmp/tmpbe6jzgku
Requirement already satisfied: setuptools in /opt/hostedtoolcache/Python/3.9.18/x64/lib/python3.9/site-packages (58.1.0)
Requirement already satisfied: pip in /opt/hostedtoolcache/Python/3.9.18/x64/lib/python3.9/site-packages (23.0.1)
Collecting pip
Downloading pip-23.3.2-py3-none-any.whl (2.1 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 24.2 MB/s eta 0:00:00

Installing collected packages: pip
Successfully installed pip-23.3.2
Create complete file
Successfully set up CPython (3.9.18)

[priyagupta108]

Hello @adminy,
The setup-python action is designed to provide a desired Python environment. One of its duties is to make sure that Python environments come with certain built-in tools such as pip. It ensures that these installations are predefined with the Python environments for ease of use and functionality.
By default, pip is included as it comes bundled with the Python installations. Therefore, when a specific version of Python is installed, the corresponding version of pip bundled with it gets installed as well.
I understand your concerns about the time overhead due to the pip upgrade process. However, an upgrade to pip takes place when the setup-python action first configures a particular Python version. After the requested Python version is installed on your self-hosted runner initially, it's cached for future use. On subsequent runs with the identical version of Python, the action will directly retrieve the version from the cache, bypassing the installation process, the action should be faster since no pip update would be necessary.

Hope this clarifies :)

[priyagupta108]

Hello @adminy. For now I'm going to close the issue because this is expected behaviour of the action was described in the previous comment.
If you have any concerns feel free to ping us. Thank you :)

[adminy]

My Self hosted Runner wasn't caching anything for some reason. By fixing the caching problem I guess this isn't an issue anymore. I understand that this is necessary, thank you for the explanation!