{"id":12035554,"name":"google-github-actions/run-gemini-cli","ecosystem":"actions","description":"Invoke the Gemini CLI from a GitHub Action.","homepage":"https://github.com/google-gemini/gemini-cli","licenses":"apache-2.0","normalized_licenses":["Apache-2.0"],"repository_url":"https://github.com/google-github-actions/run-gemini-cli","keywords_array":["actions","ai","gcp","gemini","gemini-cli","github-actions","google-cloud","google-cloud-platform"],"namespace":"google-github-actions","versions_count":22,"first_release_published_at":"2025-08-04T17:54:26.000Z","latest_release_published_at":"2026-02-25T15:33:40.000Z","latest_release_number":"v0.1.21","last_synced_at":"2026-05-17T10:46:22.395Z","created_at":"2025-08-24T06:31:09.530Z","updated_at":"2026-05-17T10:46:22.396Z","registry_url":"https://github.com/google-github-actions/run-gemini-cli","install_command":null,"documentation_url":null,"metadata":{"name":"Run Gemini CLI","author":"Google LLC","description":"Invoke the Gemini CLI from a GitHub Action.","inputs":{"gcp_location":{"description":"The Google Cloud location.","required":false},"gcp_project_id":{"description":"The Google Cloud project ID.","required":false},"gcp_service_account":{"description":"The Google Cloud service account email.","required":false},"gcp_workload_identity_provider":{"description":"The Google Cloud Workload Identity Provider.","required":false},"gcp_token_format":{"description":"The token format for authentication. Set to \"access_token\" to generate access tokens (requires service account), or set to empty string for direct WIF. Can be \"access_token\" or \"id_token\".","required":false,"default":"access_token"},"gcp_access_token_scopes":{"description":"The access token scopes when using token_format \"access_token\". 
Comma-separated list of OAuth 2.0 scopes.","required":false,"default":"https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile"},"gemini_api_key":{"description":"The API key for the Gemini API.","required":false},"gemini_cli_version":{"description":"The version of the Gemini CLI to install. Can be \"latest\", \"preview\", \"nightly\", a specific version number, or a git branch, tag, or commit. For more information, see [Gemini CLI releases](https://github.com/google-gemini/gemini-cli/blob/main/docs/releases.md).","required":false,"default":"latest"},"gemini_debug":{"description":"Enable debug logging and output streaming.","required":false},"gemini_model":{"description":"The model to use with Gemini.","required":false},"google_api_key":{"description":"The Vertex AI API key to use with Gemini.","required":false},"prompt":{"description":"A string passed to the Gemini CLI's [`--prompt` argument](https://github.com/google-gemini/gemini-cli/blob/main/docs/get-started/configuration.md#command-line-arguments).","required":false,"default":"You are a helpful assistant."},"settings":{"description":"A JSON string written to `.gemini/settings.json` to configure the CLI's _project_ settings.\nFor more details, see the documentation on [settings files](https://github.com/google-gemini/gemini-cli/blob/main/docs/get-started/configuration.md#settings-files).","required":false},"use_gemini_code_assist":{"description":"Whether to use Code Assist for Gemini model access instead of the default Gemini API key.\nFor more information, see the [Gemini CLI documentation](https://github.com/google-gemini/gemini-cli/blob/main/docs/cli/authentication.md).","required":false,"default":"false"},"use_vertex_ai":{"description":"Whether to use Vertex AI for Gemini model access instead of the default Gemini API key.\nFor more information, see the [Gemini CLI 
documentation](https://github.com/google-gemini/gemini-cli/blob/main/docs/cli/authentication.md).","required":false,"default":"false"},"extensions":{"description":"A list of Gemini CLI extensions to install.","required":false},"upload_artifacts":{"description":"Whether to upload artifacts to the github action.","required":false,"default":"false"},"use_pnpm":{"description":"Whether or not to use pnpm instead of npm to install gemini-cli","required":false,"default":"false"},"workflow_name":{"description":"The GitHub workflow name, used for telemetry purposes.","required":false,"default":"${{ github.workflow }}"}},"outputs":{"summary":{"description":"The summarized output from the Gemini CLI execution.","value":"${{ steps.gemini_run.outputs.gemini_response }}"},"error":{"description":"The error output from the Gemini CLI execution, if any.","value":"${{ steps.gemini_run.outputs.gemini_errors }}"}},"runs":{"using":"composite","steps":[{"name":"Validate Inputs","id":"validate_inputs","shell":"bash","run":"set -exuo pipefail\n\n# Emit a clear warning in three places without failing the step\nwarn() {\n  local msg=\"$1\"\n  echo \"WARNING: ${msg}\" \u003e\u00262\n  echo \"::warning title=Input validation::${msg}\"\n  if [[ -n \"${GITHUB_STEP_SUMMARY:-}\" ]]; then\n    {\n      echo \"### Input validation warnings\"\n      echo\n      echo \"- ${msg}\"\n    } \u003e\u003e \"${GITHUB_STEP_SUMMARY}\"\n  fi\n}\n\n# Validate the count of authentication methods\nauth_methods=0\nif [[ \"${INPUT_GEMINI_API_KEY_PRESENT:-false}\" == \"true\" ]]; then ((++auth_methods)); fi\nif [[ \"${INPUT_GOOGLE_API_KEY_PRESENT:-false}\" == \"true\" ]]; then ((++auth_methods)); fi\nif [[ \"${INPUT_GCP_WORKLOAD_IDENTITY_PROVIDER_PRESENT:-false}\" == \"true\" ]]; then ((++auth_methods)); fi\n\nif [[ ${auth_methods} -eq 0 ]]; then\n  warn \"No authentication method provided. 
Please provide one of 'gemini_api_key', 'google_api_key', or 'gcp_workload_identity_provider'.\"\nfi\n\nif [[ ${auth_methods} -gt 1 ]]; then\n  warn \"Multiple authentication methods provided. Please use only one of 'gemini_api_key', 'google_api_key', or 'gcp_workload_identity_provider'.\"\nfi\n\n# Validate Workload Identity Federation inputs\nif [[ \"${INPUT_GCP_WORKLOAD_IDENTITY_PROVIDER_PRESENT:-false}\" == \"true\" ]]; then\n  if [[ \"${INPUT_GCP_PROJECT_ID_PRESENT:-false}\" != \"true\" ]]; then\n    warn \"When using Workload Identity Federation ('gcp_workload_identity_provider'), you must also provide 'gcp_project_id'.\"\n  fi\n  # Service account is required when using token_format (default behavior)\n  # Only optional when explicitly set to empty for direct WIF\n  if [[ \"${INPUT_GCP_TOKEN_FORMAT}\" != \"\" \u0026\u0026 \"${INPUT_GCP_SERVICE_ACCOUNT_PRESENT:-false}\" != \"true\" ]]; then\n    warn \"When using Workload Identity Federation with token generation ('gcp_token_format'), you must also provide 'gcp_service_account'. 
To use direct WIF without a service account, explicitly set 'gcp_token_format' to an empty string.\"\n  fi\n  if [[ \"${INPUT_USE_VERTEX_AI:-false}\" == \"${INPUT_USE_GEMINI_CODE_ASSIST:-false}\" ]]; then\n    warn \"When using Workload Identity Federation, you must set exactly one of 'use_vertex_ai' or 'use_gemini_code_assist' to 'true'.\"\n  fi\nfi\n\n# Validate Vertex AI API Key\nif [[ \"${INPUT_GOOGLE_API_KEY_PRESENT:-false}\" == \"true\" ]]; then\n  if [[ \"${INPUT_USE_VERTEX_AI:-false}\" != \"true\" ]]; then\n    warn \"When using 'google_api_key', you must set 'use_vertex_ai' to 'true'.\"\n  fi\n  if [[ \"${INPUT_USE_GEMINI_CODE_ASSIST:-false}\" == \"true\" ]]; then\n    warn \"When using 'google_api_key', 'use_gemini_code_assist' cannot be 'true'.\"\n  fi\nfi\n\n# Validate Gemini API Key\nif [[ \"${INPUT_GEMINI_API_KEY_PRESENT:-false}\" == \"true\" ]]; then\n  if [[ \"${INPUT_USE_VERTEX_AI:-false}\" == \"true\" || \"${INPUT_USE_GEMINI_CODE_ASSIST:-false}\" == \"true\" ]]; then\n    warn \"When using 'gemini_api_key', both 'use_vertex_ai' and 'use_gemini_code_assist' must be 'false'.\"\n  fi\nfi","env":{"INPUT_GEMINI_API_KEY_PRESENT":"${{ inputs.gemini_api_key != '' }}","INPUT_GOOGLE_API_KEY_PRESENT":"${{ inputs.google_api_key != '' }}","INPUT_GCP_WORKLOAD_IDENTITY_PROVIDER_PRESENT":"${{ inputs.gcp_workload_identity_provider != '' }}","INPUT_GCP_PROJECT_ID_PRESENT":"${{ inputs.gcp_project_id != '' }}","INPUT_GCP_SERVICE_ACCOUNT_PRESENT":"${{ inputs.gcp_service_account != '' }}","INPUT_GCP_TOKEN_FORMAT":"${{ inputs.gcp_token_format }}","INPUT_USE_VERTEX_AI":"${{ inputs.use_vertex_ai }}","INPUT_USE_GEMINI_CODE_ASSIST":"${{ inputs.use_gemini_code_assist }}"}},{"name":"Sanitize workflow name","id":"sanitize_workflow_name","shell":"bash","run":"SANITIZED=$(echo \"${WORKFLOW_NAME}\" | sed 's/[^ a-zA-Z0-9-]//g' | xargs | tr ' ' '_' | tr '[:upper:]' '[:lower:]')\necho \"gh_workflow_name=$SANITIZED\" \u003e\u003e $GITHUB_OUTPUT\n","env":{"WORKFLOW_NAME":"${{ 
inputs.workflow_name }}"}},{"name":"Configure Gemini CLI","if":"${{ inputs.settings != '' }}","run":"mkdir -p .gemini/\necho \"${SETTINGS}\" \u003e \".gemini/settings.json\"","shell":"bash","env":{"SETTINGS":"${{ inputs.settings }}"}},{"name":"Install Custom Commands","shell":"bash","run":"set -euo pipefail\nmkdir -p .gemini/commands\ncp -r \"${GITHUB_ACTION_PATH}/.github/commands/\"* .gemini/commands/","env":{"GITHUB_ACTION_PATH":"${{ github.action_path }}"}},{"name":"Authenticate to Google Cloud","if":"${{ inputs.gcp_workload_identity_provider != '' }}","id":"auth","uses":"google-github-actions/auth@v3","with":{"project_id":"${{ inputs.gcp_project_id }}","workload_identity_provider":"${{ inputs.gcp_workload_identity_provider }}","service_account":"${{ inputs.gcp_service_account }}","token_format":"${{ inputs.gcp_token_format }}","access_token_scopes":"${{ inputs.gcp_access_token_scopes }}"}},{"name":"Install pnpm","if":"${{ inputs.use_pnpm == 'true' }}","uses":"pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061","with":{"version":10}},{"name":"Install Gemini CLI","id":"install","env":{"GEMINI_CLI_VERSION":"${{ inputs.gemini_cli_version }}","EXTENSIONS":"${{ inputs.extensions }}","USE_PNPM":"${{ inputs.use_pnpm }}"},"shell":"bash","run":"set -euo pipefail\n\nVERSION_INPUT=\"${GEMINI_CLI_VERSION:-latest}\"\n\nif [[ \"${VERSION_INPUT}\" == \"latest\" || \"${VERSION_INPUT}\" == \"preview\" || \"${VERSION_INPUT}\" == \"nightly\" || \"${VERSION_INPUT}\" =~ ^[0-9]+\\.[0-9]+\\.[0-9]+(-[a-zA-Z0-9\\.-]+)?(\\+[a-zA-Z0-9\\.-]+)?$ ]]; then\n  echo \"Installing Gemini CLI from npm: @google/gemini-cli@${VERSION_INPUT}\"\n  if [[ \"${USE_PNPM}\" == \"true\" ]]; then\n    pnpm add --silent --global @google/gemini-cli@\"${VERSION_INPUT}\"\n  else\n    npm install --silent --no-audit --prefer-offline --global @google/gemini-cli@\"${VERSION_INPUT}\"\n  fi\nelse\n  echo \"Installing Gemini CLI from GitHub: github:google-gemini/gemini-cli#${VERSION_INPUT}\"\n  git clone 
https://github.com/google-gemini/gemini-cli.git\n  cd gemini-cli\n  git checkout \"${VERSION_INPUT}\"\n  npm install\n  npm run bundle\n  npm install --silent --no-audit --prefer-offline --global .\nfi\necho \"Verifying installation:\"\nif command -v gemini \u003e/dev/null 2\u003e\u00261; then\n  gemini --version || echo \"Gemini CLI installed successfully (version command not available)\"\nelse\n  echo \"Error: Gemini CLI not found in PATH\"\n  exit 1\nfi\nif [[ -n \"${EXTENSIONS}\" ]]; then\n  echo \"Installing Gemini CLI extensions:\"\n  echo \"${EXTENSIONS}\" | jq -r '.[]' | while IFS= read -r extension; do\n    extension=$(echo \"${extension}\" | xargs)\n    if [[ -n \"${extension}\" ]]; then\n      echo \"Installing ${extension}...\"\n      echo \"Y\" | gemini extensions install \"${extension}\"\n    fi\n  done\nfi"},{"name":"Run Gemini CLI","id":"gemini_run","shell":"bash","run":"set -euo pipefail\n\n# Create a temporary directory for storing the output, and ensure it's\n# cleaned up later\nTEMP_STDOUT=\"$(mktemp -p \"${RUNNER_TEMP}\" gemini-out.XXXXXXXXXX)\"\nTEMP_STDERR=\"$(mktemp -p \"${RUNNER_TEMP}\" gemini-err.XXXXXXXXXX)\"\nfunction cleanup {\n  rm -f \"${TEMP_STDOUT}\" \"${TEMP_STDERR}\"\n}\ntrap cleanup EXIT\n\n# Keep track of whether we've failed\nFAILED=false\n\n# Run Gemini CLI with the provided prompt, using JSON output format\n# We capture stdout (JSON) to TEMP_STDOUT and stderr to TEMP_STDERR\nif [[ \"${GEMINI_DEBUG}\" = true ]]; then\n  echo \"::warning::Gemini CLI debug logging is enabled. This will stream responses, which could reveal sensitive information if processed with untrusted inputs.\"\n  echo \"::: Start Gemini CLI STDOUT :::\"\n  if ! gemini --debug --yolo --prompt \"${PROMPT}\" --output-format json 2\u003e \u003e(tee \"${TEMP_STDERR}\" \u003e\u00262) | tee \"${TEMP_STDOUT}\"; then\n    FAILED=true\n  fi\n  # Wait for async stderr logging to complete. 
This is because process substitution in Bash is async so let tee finish writing to ${TEMP_STDERR}\n  sleep 1\n  echo \"::: End Gemini CLI STDOUT :::\"\nelse\n  if ! gemini --yolo --prompt \"${PROMPT}\" --output-format json 2\u003e \"${TEMP_STDERR}\" 1\u003e \"${TEMP_STDOUT}\"; then\n    FAILED=true\n  fi\nfi\n\n# Create the artifacts directory and copy full logs\nmkdir -p gemini-artifacts\ncp \"${TEMP_STDOUT}\" gemini-artifacts/stdout.log\ncp \"${TEMP_STDERR}\" gemini-artifacts/stderr.log\nif [[ -f .gemini/telemetry.log ]]; then\n  cp .gemini/telemetry.log gemini-artifacts/telemetry.log\nelse\n  # Create an empty file so the artifact upload doesn't fail if telemetry is missing\n  touch gemini-artifacts/telemetry.log\nfi\n\n# Parse JSON output to extract response and errors\n# If output is not valid JSON, RESPONSE will be empty and we'll rely on stderr for errors\nRESPONSE=\"\"\nERROR_JSON=\"\"\nif jq -e . \"${TEMP_STDOUT}\" \u003e/dev/null 2\u003e\u00261; then\n   RESPONSE=$(jq -r '.response // \"\"' \"${TEMP_STDOUT}\")\nfi\nif jq -e . \"${TEMP_STDERR}\" \u003e/dev/null 2\u003e\u00261; then\n   ERROR_JSON=$(jq -c '.error // empty' \"${TEMP_STDERR}\")\nfi\n\nif { [[ -s \"${TEMP_STDERR}\" ]] \u0026\u0026 ! jq -e . \"${TEMP_STDERR}\" \u003e/dev/null 2\u003e\u00261; }; then\n  echo \"::warning::Gemini CLI stderr was not valid JSON\"\nfi\n\nif { [[ -s \"${TEMP_STDOUT}\" ]] \u0026\u0026 ! jq -e . 
\"${TEMP_STDOUT}\" \u003e/dev/null 2\u003e\u00261; }; then\n  echo \"::warning::Gemini CLI stdout was not valid JSON\"\nfi\n\n\n# Set the captured response as a step output, supporting multiline\necho \"gemini_response\u003c\u003cEOF\" \u003e\u003e \"${GITHUB_OUTPUT}\"\nif [[ -n \"${RESPONSE}\" ]]; then\n  echo \"${RESPONSE}\" \u003e\u003e \"${GITHUB_OUTPUT}\"\nelse\n  cat \"${TEMP_STDOUT}\" \u003e\u003e \"${GITHUB_OUTPUT}\"\nfi\necho \"EOF\" \u003e\u003e \"${GITHUB_OUTPUT}\"\n\n# Set the captured errors as a step output, supporting multiline\necho \"gemini_errors\u003c\u003cEOF\" \u003e\u003e \"${GITHUB_OUTPUT}\"\nif [[ -n \"${ERROR_JSON}\" ]]; then\n  echo \"${ERROR_JSON}\" \u003e\u003e \"${GITHUB_OUTPUT}\"\nelse\n  cat \"${TEMP_STDERR}\" \u003e\u003e \"${GITHUB_OUTPUT}\"\nfi\necho \"EOF\" \u003e\u003e \"${GITHUB_OUTPUT}\"\n\n# Generate Job Summary\nif [[ -n \"${GITHUB_STEP_SUMMARY:-}\" ]]; then\n  {\n    echo \"### Gemini CLI Execution\"\n    echo\n    echo \"#### Prompt\"\n    echo\n    echo \"\\`\\`\\`\"\n    echo \"${PROMPT}\"\n    echo \"\\`\\`\\`\"\n    echo\n    if [[ -n \"${RESPONSE}\" ]]; then\n       echo \"#### Response\"\n       echo\n       echo \"${RESPONSE}\"\n       echo\n    fi\n    if [[ -n \"${ERROR_JSON}\" ]]; then\n       echo \"#### Error\"\n       echo\n       echo \"\\`\\`\\`json\"\n       echo \"${ERROR_JSON}\"\n       echo \"\\`\\`\\`\"\n       echo\n    elif [[ \"${FAILED}\" == \"true\" ]]; then\n       echo \"#### Error Output\"\n       echo\n       echo \"\\`\\`\\`\"\n       cat \"${TEMP_STDERR}\"\n       echo \"\\`\\`\\`\"\n       echo\n    fi\n  } \u003e\u003e \"${GITHUB_STEP_SUMMARY}\"\nfi\n\nif [[ \"${FAILED}\" = true ]]; then\n  # If we have a structured error from JSON, use it for the error message\n  if [[ -n \"${ERROR_JSON}\" ]]; then\n     ERROR_MSG=$(jq -r '.message // .' 
\u003c\u003c\u003c \"${ERROR_JSON}\")\n     echo \"::error title=Gemini CLI execution failed::${ERROR_MSG}\"\n  fi\n  echo \"::: Start Gemini CLI STDERR :::\"\n  cat \"${TEMP_STDERR}\"\n  echo \"::: End Gemini CLI STDERR :::\"\n  exit 1\nfi","env":{"GEMINI_DEBUG":"${{ fromJSON(inputs.gemini_debug || false) }}","GEMINI_API_KEY":"${{ inputs.gemini_api_key }}","SURFACE":"GitHub","GOOGLE_CLOUD_PROJECT":"${{ inputs.gcp_project_id }}","GOOGLE_CLOUD_LOCATION":"${{ inputs.gcp_location }}","GOOGLE_GENAI_USE_VERTEXAI":"${{ inputs.use_vertex_ai }}","GOOGLE_API_KEY":"${{ inputs.google_api_key }}","GOOGLE_GENAI_USE_GCA":"${{ inputs.use_gemini_code_assist }}","GOOGLE_CLOUD_ACCESS_TOKEN":"${{steps.auth.outputs.access_token}}","PROMPT":"${{ inputs.prompt }}","GEMINI_MODEL":"${{ inputs.gemini_model }}","GH_WORKFLOW_NAME":"${{ steps.sanitize_workflow_name.outputs.gh_workflow_name }}"}},{"name":"Upload Gemini CLI outputs","if":"${{ inputs.upload_artifacts == 'true' }}","uses":"actions/upload-artifact@v6","with":{"name":"gemini-output","path":"gemini-artifacts/"}},{"name":"Upload Telemetry to Google Cloud","if":"${{ inputs.gcp_workload_identity_provider != '' }}","shell":"bash","run":"set -euo pipefail\n\n# If the telemetry log doesn't exist or is empty, do nothing.\nif [[ ! 
-s \".gemini/telemetry.log\" ]]; then\n  echo \"No telemetry log found, skipping upload.\"\n  exit 0\nfi\n\n# Generate the real config file from the template\nsed -e \"s#OTLP_GOOGLE_CLOUD_PROJECT#${OTLP_GOOGLE_CLOUD_PROJECT}#g\" \\\n    -e \"s#GITHUB_REPOSITORY_PLACEHOLDER#${GITHUB_REPOSITORY}#g\" \\\n    -e \"s#GITHUB_RUN_ID_PLACEHOLDER#${GITHUB_RUN_ID}#g\" \\\n  \"${GITHUB_ACTION_PATH}/scripts/collector-gcp.yaml.template\" \u003e \".gemini/collector-gcp.yaml\"\n\n# Ensure credentials file has the right permissions\nchmod 444 \"$GOOGLE_APPLICATION_CREDENTIALS\"\n\n# Run the collector in the background with a known name\ndocker run --rm --name gemini-telemetry-collector --network host \\\n  -v \"${GITHUB_WORKSPACE}:/github/workspace\" \\\n  -e \"GOOGLE_APPLICATION_CREDENTIALS=${GOOGLE_APPLICATION_CREDENTIALS/$GITHUB_WORKSPACE//github/workspace}\" \\\n  -w \"/github/workspace\" \\\n  otel/opentelemetry-collector-contrib:0.108.0 \\\n  --config /github/workspace/.gemini/collector-gcp.yaml \u0026\n\n# Wait for the collector to start up\necho \"Waiting for collector to initialize...\"\nsleep 10\n\n# Monitor the queue until it's empty or we time out\necho \"Monitoring exporter queue...\"\nATTEMPTS=0\nMAX_ATTEMPTS=12 # 12 * 5s = 60s timeout\nwhile true; do\n    # Use -f to fail silently if the server isn't ready yet\n    # Filter out the prometheus help/type comments before grabbing the value\n    QUEUE_SIZE=$(curl -sf http://localhost:8888/metrics | grep otelcol_exporter_queue_size | grep -v '^#' | awk '{print $2}' || echo \"-1\")\n\n    if [ \"$QUEUE_SIZE\" == \"0\" ]; then\n        echo \"Exporter queue is empty, all data processed.\"\n        break\n    fi\n\n    if [ \"$ATTEMPTS\" -ge \"$MAX_ATTEMPTS\" ]; then\n        echo \"::warning::Timed out waiting for exporter queue to empty. 
Proceeding with shutdown.\"\n        break\n    fi\n\n    echo \"Queue size: $QUEUE_SIZE, waiting...\"\n    sleep 5\n    ATTEMPTS=$((ATTEMPTS + 1))\ndone\n\n# Gracefully shut down the collector\necho \"Stopping collector...\"\ndocker stop gemini-telemetry-collector\necho \"Collector stopped.\"","env":{"OTLP_GOOGLE_CLOUD_PROJECT":"${{ inputs.gcp_project_id }}","GITHUB_ACTION_PATH":"${{ github.action_path }}","GITHUB_REPOSITORY":"${{ github.repository }}","GITHUB_RUN_ID":"${{ github.run_id }}"}}]},"branding":{"icon":"terminal","color":"blue"},"default_branch":"main","path":null},"repo_metadata":{"id":308454858,"uuid":"1018098280","full_name":"google-github-actions/run-gemini-cli","owner":"google-github-actions","description":"A GitHub Action invoking the Gemini CLI.","archived":false,"fork":false,"pushed_at":"2025-11-07T13:12:56.000Z","size":446,"stargazers_count":1465,"open_issues_count":70,"forks_count":161,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-11-07T15:17:14.016Z","etag":null,"topics":["actions","ai","gcp","gemini","gemini-cli","github-actions","google-cloud","google-cloud-platform"],"latest_commit_sha":null,"homepage":"https://github.com/google-gemini/gemini-cli","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google-github-actions.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-07-11T15:49:11.000Z","updated_at":"2025-11-07T13:13:00
.000Z","dependencies_parsed_at":"2025-08-06T03:12:37.219Z","dependency_job_id":"c161d59f-dcf5-4a26-8f43-fce8026dfab9","html_url":"https://github.com/google-github-actions/run-gemini-cli","commit_stats":null,"previous_names":["google-github-actions/run-gemini-cli"],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/google-github-actions/run-gemini-cli","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Frun-gemini-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Frun-gemini-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Frun-gemini-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Frun-gemini-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google-github-actions","download_url":"https://codeload.github.com/google-github-actions/run-gemini-cli/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Frun-gemini-cli/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":285359021,"owners_count":27158216,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-20T02:00:05.334Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/owners"},"owner_record":{"login":"google-github-actions","name":"Google GitHub Actions","uuid":"71461757","kind":"organization","description":"Google Cloud integrations for the GitHub Actions Marketplace","email":null,"website":"https://opensource.google/projects/github-actions","location":null,"twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/71461757?v=4","repositories_count":20,"last_synced_at":"2023-03-05T03:20:08.066Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/google-github-actions","funding_links":[],"total_stars":null,"followers":null,"following":null,"created_at":"2022-11-15T05:06:31.708Z","updated_at":"2023-03-05T03:20:08.206Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google-github-actions","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google-github-actions/repositories"},"tags":[]},"repo_metadata_updated_at":"2026-02-11T15:08:02.194Z","dependent_packages_count":0,"downloads":null,"downloads_period":null,"dependent_repos_count":0,"rankings":{"downloads":null,"dependent_repos_count":28.243823511108346,"dependent_packages_count":0.0,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":14.121911755554173},"purl":"pkg:githubactions/google-github-actions/run-gemini-cli","advisories":[{"uuid":"GSA_kwCzR0hTQS13cHFyLTZ2NzgtanI1Z84ABVxF","url":"https://github.com/advisories/GHSA-wpqr-6v78-jr5g","title":"Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses","description":"# Summary\n\nGemini CLI (`@google/gemini-cli`) and the `run-gemini-cli` GitHub Action are being updated to harden workspace trust and tool allowlisting, in particular when used in untrusted environments like GitHub Actions. 
This update introduces a breaking change to how non-interactive (headless) environments handle folder trust, which may impact existing CI/CD workflows under specific conditions.\n\n# Details\n\nFolder Trust in Headless Mode\n\nIn previous versions, Gemini CLI running in CI environments (headless mode) automatically trusted workspace folders for the purpose of loading configuration and environment variables. This is potentially risky in situations where Gemini CLI runs on untrusted folders in headless mode (e.g. CI workflows that review user-submitted pull requests). If used with untrusted directory contents, this could lead to remote code execution via malicious environment variables in the local `.gemini/` directory.\n\nTo ensure consistency and user control, the latest update aligns headless mode behavior with interactive mode, requiring folders to be explicitly trusted before configuration files (such as `.env`) are processed.\n\nAs a result of this change, GitHub Actions and other automated pipelines that rely on the previous automatic trust behavior will fail to load workspace-specific settings until they are updated to use explicit trust mechanisms.\n\nTool Allowlisting under \\--yolo\n\nIn previous versions, when Gemini CLI was configured to run in `--yolo` mode, it would ignore any fine grained tool allowlist in `~/.gemini/settings.json` (e.g. `run_shell_command(echo)` would allow any command). This is potentially risky in situations where Gemini CLI runs on untrusted inputs with `--yolo` (e.g. CI workflows that triage user-submitted GitHub issues where we recommend a strict allowlist). If used with untrusted content and a tool allowlist that permits `run_shell_command`, this could lead to remote code execution via prompt injection.\n\nIn version `0.39.1`, the Gemini CLI policy engine now evaluates tool allowlisting under `--yolo` mode, which is useful for CI workflows that allowlist a few safe commands to run when processing untrusted inputs. 
As a result, some workflows that depended on the previous behavior may fail silently unless tool allowlists are modified to fit the task.\n\n# Impact\n\nThe impact is limited to workflows using Gemini CLI in headless mode. Any use of Gemini CLI in headless mode without folder trust will require manual review to correctly configure folder trust. **This affects all Gemini CLI GitHub Actions.** Users must review their workflows, and take one of two approaches:\n\n1\\. If the workflow runs on trusted inputs (e.g. reviewing PRs from trusted collaborators), set `GEMINI_TRUST_WORKSPACE: 'true'` in your workflow.\n\n2\\. If the workflow runs on untrusted inputs, review our guidance in [google-github-actions/run-gemini-cli](https://github.com/google-github-actions/run-gemini-cli) to harden your workflow against malicious content, and set the environment variable.\n\n# Patches\n\nThe folder trust and tool allowlisting mitigations are available in `@google/gemini-cli` version `0.39.1` and `0.40.0-preview.3`.  By default, the `run-gemini-cli` GitHub Action will receive and run the latest version of `gemini-cli`. 
However, if your workflow specifies a version of `gemini-cli` by setting the [gemini\\_cli\\_version](https://github.com/google-github-actions/run-gemini-cli#user-content-__input_gemini_cli_version), you are encouraged to upgrade to one of the patched versions and audit the workflow settings that use Gemini CLI.\n\n# Credits\n\nGemini thanks the following security researchers for reporting this issue through the Vulnerability Rewards Program (g.co/vulnz):\n\n* Elad Meged, Novee Security\n* Dan Lisichkin, Pillar Security research team","origin":"UNSPECIFIED","severity":"CRITICAL","published_at":"2026-04-24T19:30:01.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":10.0,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","references":["https://github.com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g","https://github.com/advisories/GHSA-wpqr-6v78-jr5g"],"source_kind":"github","identifiers":["GHSA-wpqr-6v78-jr5g"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-04-24T20:00:08.687Z","updated_at":"2026-04-29T15:00:11.313Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13cHFyLTZ2NzgtanI1Z84ABVxF","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS13cHFyLTZ2NzgtanI1Z84ABVxF","packages":[{"ecosystem":"actions","package_name":"google-github-actions/run-gemini-cli","versions":[{"first_patched_version":"0.1.22","vulnerable_version_range":"\u003c 0.1.22"}],"purl":null},{"ecosystem":"npm","package_name":"@google/gemini-cli","versions":[{"first_patched_version":"0.40.0-preview.3","vulnerable_version_range":"= 0.40.0-preview.2"},{"first_patched_version":"0.39.1","vulnerable_version_range":"\u003c 
0.39.1"}],"purl":"pkg:npm/%40google%2Fgemini-cli"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13cHFyLTZ2NzgtanI1Z84ABVxF/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/actions/google-github-actions/run-gemini-cli","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/actions/google-github-actions/run-gemini-cli","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/actions/google-github-actions/run-gemini-cli/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2025-11-14T11:10:08.789Z","issues_count":72,"pull_requests_count":91,"avg_time_to_close_issue":564522.4642857143,"avg_time_to_close_pull_request":113076.06349206349,"issues_closed_count":28,"pull_requests_closed_count":63,"pull_request_authors_count":19,"issue_authors_count":33,"avg_comments_per_issue":0.7361111111111112,"avg_comments_per_pull_request":1.010989010989011,"merged_pull_requests_count":48,"bot_issues_count":0,"bot_pull_requests_count":0,"past_year_issues_count":72,"past_year_pull_requests_count":91,"past_year_avg_time_to_close_issue":564522.4642857143,"past_year_avg_time_to_close_pull_request":113076.06349206349,"past_year_issues_closed_count":28,"past_year_pull_requests_closed_count":63,"past_year_pull_request_authors_count":19,"past_year_issue_authors_count":33,"past_year_avg_comments_per_issue":0.7361111111111112,"past_year_avg_comments_per_pull_request":1.010989010989011,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":0,"past_year_merged_pull_requests_count":48,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Frun-gemini-cli/issues","maintainers":[{"login":"sethvargo","count":14,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/sethvargo"}],"active_maintainers":[{"login":"sethvargo","count":14,"url":"https://is
sues.ecosyste.ms/api/v1/hosts/GitHub/authors/sethvargo"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/github%20actions/packages/google-github-actions%2Frun-gemini-cli/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/github%20actions/packages/google-github-actions%2Frun-gemini-cli/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/github%20actions/packages/google-github-actions%2Frun-gemini-cli/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/github%20actions/packages/google-github-actions%2Frun-gemini-cli/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/github%20actions/packages/google-github-actions%2Frun-gemini-cli/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/github%20actions/packages/google-github-actions%2Frun-gemini-cli/codemeta","maintainers":[]}