urllib3 `set-output` will be disabled soon in GitHub

The Fix

pip install urllib3==2.1.0

Based on closed urllib3/urllib3 issue #3160 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Open PR/Commit

@@ -37,7 +37,7 @@ jobs:
         id: hash
         run: |
-          cd dist && echo "::set-output name=hashes::$(sha256sum * | base64 -w0)"
+          cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT

fix.md

Option A — Upgrade to fixed release\npip install urllib3==2.1.0\nWhen NOT to use: This fix should not be used if the workflow does not utilize GitHub Actions.\n\n

Why This Fix Works in Production

Trigger: We're seeing this warning especially in our release GHA configuration, we should fix it up so that our releases continue to work:
Mechanism: The deprecated `set-output` command in GitHub Actions causes warnings in release configurations
Why the fix works: Replaces the deprecated `set-output` command in GitHub Actions with the newer `$GITHUB_OUTPUT` environment files, resolving warnings in the release configuration. (first fixed release: 2.1.0).

Production impact:

If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

The deprecated `set-output` command in GitHub Actions causes warnings in release configurations
Production symptom (often without a traceback): We're seeing this warning especially in our release GHA configuration, we should fix it up so that our releases continue to work: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Proof / Evidence

GitHub issue: #3160
Fix PR: https://github.com/urllib3/urllib3/pull/3175
First fixed release: 2.1.0
Reproduced locally: No (not executed)
Last verified: 2026-02-09
Confidence: 0.85
Did this fix it?: Yes (upstream fix exists)
Own content ratio: 0.76

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub

“We're seeing this warning especially in our release GHA configuration, we should fix it up so that our releases continue to work: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/”

Issue thread · issue description · source

Failure Signature (Search String)

We're seeing this warning especially in our release GHA configuration, we should fix it up so that our releases continue to work:

Copy-friendly signature

signature.txt

Failure Signature
-----------------
We're seeing this warning especially in our release GHA configuration, we should fix it up so that our releases continue to work: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Error Message

Signature-only (no traceback captured)

error.txt

Error Message
-------------
We're seeing this warning especially in our release GHA configuration, we should fix it up so that our releases continue to work: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

What Broke

Warnings in GitHub Actions may lead to failed releases if not addressed.

Why It Broke

The deprecated `set-output` command in GitHub Actions causes warnings in release configurations

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install urllib3==2.1.0

When NOT to use: This fix should not be used if the workflow does not utilize GitHub Actions.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Option D — Guard side-effects with OnceOnly Guardrail for side-effects

Mitigate duplicate external side-effects under retries/timeouts/agent loops by gating the operation before calling external systems.

Place OnceOnly between your code/agent and real side-effects (Stripe, emails, CRM, APIs).
Use a stable key per side-effect (e.g., customer_id + action + idempotency_key).
Fail-safe: configure fail-open vs fail-closed based on blast radius and spend risk.

Show example snippet (optional)

onceonly.py

from onceonly import OnceOnly
import os

once = OnceOnly(api_key=os.environ["ONCEONLY_API_KEY"], fail_open=True)

# Stable idempotency key per real side-effect.
# Use a request id / job id / webhook delivery id / Stripe event id, etc.
event_id = "evt_..."  # replace
key = f"stripe:webhook:{event_id}"

res = once.check_lock(key=key, ttl=3600)
if res.duplicate:
    return {"status": "already_processed"}

# Safe to execute the side-effect exactly once.
handle_event(event_id)

See OnceOnly SDK

When NOT to use: Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.

Fix reference: https://github.com/urllib3/urllib3/pull/3175

First fixed release: 2.1.0

Last verified: 2026-02-09. Validate in your environment.

When NOT to Use This Fix

This fix should not be used if the workflow does not utilize GitHub Actions.
Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
Upgrade behind a canary and run integration tests against the canary before 100% rollout.

Version Compatibility Table

Version	Status
2.1.0	Fixed

Related Issues

No related fixes found.

Cluster: urllib3:configuration-error urllib3 hub urllib3 best practices All hubs All clusters

Related clusters: Data consistency SSL handshake Other

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

urllib3 `set-output` will be disabled soon in GitHub Actions (Fix)