A GitHub Action that installs and caches the Goose AI agent for CI/CD workflows. OpenSSF silver certified: fewer than 1% of open source projects reach this level.
Available on the GitHub Marketplace
Important
Prompt Injection Risk: When AI analyzes user-controlled input (git diffs, code comments, commit messages), malicious actors can embed instructions to manipulate output. This applies to ANY AI tool, not just Goose or this action.
For production use, see Security Patterns below for three defensive tiers (tool output analysis, manual approval, trusted-only execution).
- Caching: Automatically caches the Goose binary for faster subsequent runs
- Version Pinning: Install specific Goose versions for reproducible builds
- Lightweight: Composite action with no external dependencies
# Recommended: Get latest v1.x updates automatically
- uses: clouatre-labs/setup-goose-action@v1
# Pin to exact version (SHA recommended for supply chain integrity)
- uses: clouatre-labs/setup-goose-action@35f35c3a8f08aa333486693114938ec643bf8310 # v1.0.7
# Custom Goose version
- uses: clouatre-labs/setup-goose-action@v1
with:
version: '1.28.0'Current default Goose version: See action.yml
-
Get an API key from your chosen provider: Supported Providers
-
Add it as a repository secret:
- Go to Settings > Secrets and variables > Actions
- Click New repository secret
- Name it (e.g.,
GEMINI_API_KEY,OPENAI_API_KEY,ANTHROPIC_API_KEY)
-
Configure in your workflow by mapping your secret to Goose's expected environment variable (see Security Patterns below)
name: Secure AI Analysis
on: [pull_request]
permissions:
contents: read
jobs:
analyze:
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Lint Code
run: pipx run ruff check --output-format=json . > lint-results.json || true
- name: Setup Goose CLI
uses: clouatre-labs/setup-goose-action@35f35c3a8f08aa333486693114938ec643bf8310 # v1.0.7
- name: AI Analysis
env:
OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
run: |
mkdir -p ~/.config/goose
cat > ~/.config/goose/config.yaml << 'EOF'
GOOSE_PROVIDER: openrouter
GOOSE_MODEL: inception/mercury-2
keyring: false
EOF
echo "Summarize these linting issues:" > prompt.txt
cat lint-results.json >> prompt.txt
goose run --instructions prompt.txt --no-session --quiet > analysis.md
- name: Upload Analysis Artifact
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
with:
name: ai-analysis
path: analysis.md| Input | Description | Required | Default |
|---|---|---|---|
version |
Goose version to install | No | See action.yml |
| Output | Description |
|---|---|
goose-version |
Installed Goose version |
goose-path |
Path to Goose binary directory |
This action supports three security tiers for AI-augmented CI/CD:
- Tier 1 (Maximum Security): AI analyzes only tool output (JSON), never raw code. See workflow
- Tier 2: AI sees file stats, requires manual approval. See workflow
- Tier 3: Full diff analysis, trusted teams only. See workflow
Safe Pattern: AI analyzes tool output (ruff, trivy, semgrep), not raw code.
Unsafe Pattern: AI analyzes git diffs directly, which is vulnerable to prompt injection.
Read the full explanation: AI-Augmented CI/CD blog post
See SECURITY.md for reporting vulnerabilities.
| OS | Architecture | Status |
|---|---|---|
| Ubuntu | x64 | Supported |
| Ubuntu | arm64 | Supported |
| macOS | N/A | Not supported |
| Windows | N/A | Not supported |
Note: This action only supports Linux runners. macOS runners have a 10x billing multiplier on GitHub Actions, and Goose executes prompts and tool calls with nothing platform-specific.
- Checks cache for Goose binary matching the specified version and platform
- If cache miss, downloads Goose binary from official GitHub releases
- Extracts binary to
~/.local/bin/goose - Adds binary location to
$GITHUB_PATH - Verifies installation with
goose --version
Ensure you're using the action before attempting to run goose:
- uses: clouatre-labs/setup-goose-action@v1
- run: goose --version # This will workCheck available versions at Goose Releases. Ensure the version exists and has pre-built binaries.
See CONTRIBUTING.md for the full contribution guide, including commit signing requirements, coding standards, and the PR process.
Apache 2.0. See LICENSE.
- AI-Augmented CI/CD: 3-tier security model for AI code review in CI/CD pipelines
- Goose: Official Goose repository
- Goose Documentation
- GitHub Actions Documentation
- Setup Kiro Action: Similar action for Kiro CLI (AWS-native, SIGV4 auth)
- Setup Q CLI Action: Similar action for Amazon Q Developer CLI
Built by clouatre-labs for the Goose community. Not officially affiliated with Block or the Goose project.