setup-goose-action
GitHub Action to install and cache Goose AI agent for workflows
Setup Goose Action
A GitHub Action that installs and caches the Goose AI agent for CI/CD workflows. Goose is an open-source AI coding agent by Block. This composite action downloads the binary, caches it across runs, and adds it to PATH.
Available on the GitHub Marketplace
[!IMPORTANT]
Prompt Injection Risk: When AI analyzes user-controlled input (git diffs, code comments, commit messages), malicious actors can embed instructions to manipulate output. This applies to ANY AI tool, not just Goose or this action.For production use, see Security Patterns below for three defensive tiers (tool output analysis, manual approval, trusted-only execution).
Features
- Caching: Automatically caches the Goose binary for faster subsequent runs
- Version Pinning: Install specific Goose versions for reproducible builds
- Lightweight: Composite action with no external dependencies
Usage
# Recommended: Get latest v1.x updates automatically
- uses: clouatre-labs/setup-goose-action@v1
# Pin to exact version
- uses: clouatre-labs/[email protected]
# Custom Goose version
- uses: clouatre-labs/setup-goose-action@v1
with:
version: '1.13.0'
Current default Goose version: See action.yml
Prerequisites
Get an API key from your chosen provider: Supported Providers
Add it as a repository secret:
- Go to Settings > Secrets and variables > Actions
- Click New repository secret
- Name it (e.g.,
GEMINI_API_KEY,OPENAI_API_KEY,ANTHROPIC_API_KEY)
Configure in your workflow by mapping your secret to Goose's expected environment variable (see Security Patterns below)
Quick Start: Tier 1 (Maximum Security)
name: Secure AI Analysis
on: [pull_request]
permissions:
contents: read
jobs:
analyze:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Lint Code
run: pipx run ruff check --output-format=json . > lint-results.json || true
- name: Setup Goose CLI
uses: clouatre-labs/setup-goose-action@v1
- name: AI Analysis
env:
GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
run: |
mkdir -p ~/.config/goose
cat > ~/.config/goose/config.yaml << 'EOF'
GOOSE_PROVIDER: google
GOOSE_MODEL: gemini-2.5-flash
keyring: false
EOF
echo "Summarize these linting issues:" > prompt.txt
cat lint-results.json >> prompt.txt
goose run --instructions prompt.txt --no-session --quiet > analysis.md
- name: Upload Analysis Artifact
uses: actions/upload-artifact@v5
with:
name: ai-analysis
path: analysis.md
Inputs
| Input | Description | Required | Default |
|---|---|---|---|
version |
Goose version to install | No | See action.yml |
Outputs
| Output | Description |
|---|---|
goose-version |
Installed Goose version |
goose-path |
Path to Goose binary directory |
Security Patterns
This action supports three security tiers for AI-augmented CI/CD:
- Tier 1 (Maximum Security): AI analyzes only tool output (JSON), never raw code. See workflow
- Tier 2: AI sees file stats, requires manual approval. See workflow
- Tier 3: Full diff analysis, trusted teams only. See workflow
Safe Pattern: AI analyzes tool output (ruff, trivy, semgrep), not raw code.
Unsafe Pattern: AI analyzes git diffs directly, which is vulnerable to prompt injection.
Read the full explanation: AI-Augmented CI/CD blog post
See SECURITY.md for reporting vulnerabilities.
Supported Platforms
| OS | Architecture | Status |
|---|---|---|
| Ubuntu | x64 | Supported |
| Ubuntu | arm64 | Supported |
| macOS | N/A | Not supported |
| Windows | N/A | Not supported |
Note: This action only supports Linux runners. macOS runners have a 10x billing multiplier on GitHub Actions, and Goose executes prompts and tool calls with nothing platform-specific.
How It Works
- Checks cache for Goose binary matching the specified version and platform
- If cache miss, downloads Goose binary from official GitHub releases
- Extracts binary to
~/.local/bin/goose - Adds binary location to
$GITHUB_PATH - Verifies installation with
goose --version
Troubleshooting
Binary not found after installation
Ensure you're using the action before attempting to run goose:
- uses: clouatre-labs/setup-goose-action@v1
- run: goose --version # This will work
Unsupported version
Check available versions at Goose Releases. Ensure the version exists and has pre-built binaries.
Contributing
See CONTRIBUTING.md for the full contribution guide, including commit signing requirements, coding standards, and the PR process.
License
MIT. See LICENSE.
Related
- AI-Augmented CI/CD: 3-tier security model for AI code review in CI/CD pipelines
- Goose: Official Goose repository
- Goose Documentation
- GitHub Actions Documentation
- Setup Kiro Action: Similar action for Kiro CLI (AWS-native, SIGV4 auth)
- Setup Q CLI Action: Similar action for Amazon Q Developer CLI
Acknowledgments
Built by clouatre-labs for the Goose community. Not officially affiliated with Block or the Goose project.
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found