Skip to content

clouatre-labs/setup-goose-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits
.github/workflows
.github/workflows
 
 
examples
examples
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
action.yml
action.yml
 
 
renovate.json
renovate.json
 
 

Repository files navigation

Setup Goose Action

Test Action GitHub Marketplace License: MIT Latest Release

GitHub Action to install and cache Goose AI agent for use in workflows.

Available on the GitHub Marketplace

Usage

# Recommended: Get latest v1.x updates automatically
- uses: clouatre-labs/setup-goose-action@v1

# Conservative: Pin to exact version
- uses: clouatre-labs/[email protected]

# Custom Goose version
- uses: clouatre-labs/setup-goose-action@v1
  with:
    version: '1.13.0'

Current default Goose version: See action.yml

Prerequisites

  1. Get an API key from your chosen provider: Supported Providers

  2. Add it as a repository secret:

    • Go to Settings → Secrets and variables → Actions
    • Click New repository secret
    • Name it (e.g., GEMINI_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY)

  3. Configure in your workflow - map your secret to Goose's expected environment variable (see examples below)

Important

Prompt Injection Risk: When AI analyzes user-controlled input (git diffs, code comments, commit messages), malicious actors can embed instructions to manipulate output. This applies to ANY AI tool, not just Goose or this action.

For production use, see examples/ for defensive patterns (tool output analysis, input sanitization, trusted-only execution).

Quick Start

name: Secure AI Analysis
on: [pull_request]

permissions:
  contents: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Lint Code
        run: pipx run ruff check --output-format=json . > lint-results.json || true

      - name: Setup Goose CLI
        uses: clouatre-labs/setup-goose-action@v1

      - name: AI Analysis
        env:
          GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
        run: |
          mkdir -p ~/.config/goose
          cat > ~/.config/goose/config.yaml << 'EOF'
          GOOSE_PROVIDER: google
          GOOSE_MODEL: gemini-2.5-flash
          keyring: false
          EOF
          
          echo "Summarize these linting issues:" > prompt.txt
          cat lint-results.json >> prompt.txt
          goose run --instructions prompt.txt --no-session --quiet > analysis.md

      - name: Upload Analysis Artifact
        uses: actions/upload-artifact@v5
        with:
          name: ai-analysis
          path: analysis.md

Inputs

Input Description Required Default
version Goose version to install No See action.yml

Outputs

Output Description
goose-version Installed Goose version
goose-path Path to Goose binary directory

Examples

Pin to Specific Version

- uses: clouatre-labs/setup-goose-action@v1
  with:
    version: '1.14.0'

Security

Safe Pattern: AI analyzes tool output (ruff, trivy, semgrep), not raw code.

Unsafe Pattern: AI analyzes git diffs directly → vulnerable to prompt injection.

See SECURITY.md for reporting vulnerabilities.
See examples/ for different security tiers.

Features

  • Caching: Automatically caches Goose binary for faster subsequent runs
  • Version Pinning: Install specific Goose versions for reproducible builds
  • Cross-Platform: Supports Linux (x64, arm64) and macOS (x64, arm64)
  • Lightweight: Composite action with no external dependencies

Supported Platforms

OS Architecture Status
Ubuntu x64 ✅ Supported
Ubuntu arm64 ✅ Supported
macOS x64 ✅ Supported
macOS arm64 ✅ Supported
Windows - ❌ Not supported

How It Works

  1. Checks cache for Goose binary matching the specified version and platform
  2. If cache miss, downloads Goose binary from official GitHub releases
  3. Extracts binary to ~/.local/bin/goose
  4. Adds binary location to $GITHUB_PATH
  5. Verifies installation with goose --version

Cache Key Format

goose-{version}-{os}-{arch}

Example: goose-1.12.1-Linux-X64

Troubleshooting

Binary not found after installation

Ensure you're using the action before attempting to run goose:

- uses: clouatre-labs/setup-goose-action@v1
- run: goose --version  # This will work

Unsupported version

Check available versions at Goose Releases. Ensure the version exists and has pre-built binaries.

Cache not working

The cache key includes OS and architecture. If you change runners or platforms, a new cache entry will be created. This is expected behavior.

Development

This is a composite action (YAML-based) with no compilation required.

Testing Locally

# Test in a workflow
git clone https://github.com/clouatre-labs/setup-goose-action
cd setup-goose-action

# Create a test workflow in .github/workflows/test.yml
# Push and verify the action works

Contributing

Contributions are welcome! Please open an issue or PR.

License

MIT - See LICENSE

Related

Acknowledgments

Built by clouatre-labs for the Goose community. Not officially affiliated with Block or the Goose project.

About

GitHub Action to install and cache Goose AI agent for workflows

github.com/block/goose

Topics

setup automation ai devtools actions ci-cd artificial-intelligence cicd goose cli-tool github-actions ai-agent composite-action

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

3 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 4

v1.0.4 - Automated version management Latest
Nov 15, 2025
+ 3 releases

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •