google-gemini/gemini-cli #14580 (Closed)
Labels: area/quality (Tracks quality issues), kind/bug (Something isn't working)
Description
TL;DR
The Gemini CLI freezes on startup before actually doing anything.
Expected behavior
The Gemini CLI runs with the given prompt and acts accordingly.
Observed behavior
The run-gemini-cli GH action installs Gemini CLI, then it executes the Gemini CLI, which freezes forever (until killed by timeout). There is no output.
Action YAML
# Copyright The Conforma Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
---
name: Release

on:
  workflow_dispatch:
  schedule:
    - cron: '0 9 * * 3' # every Wednesday

permissions:
  contents: read

env:
  TRACKED_PATHS: "acceptance/ policy/"

jobs:
  get_info:
    runs-on: ubuntu-latest
    outputs:
      latest_tag: ${{ steps.get_info.outputs.latest_tag }}
      latest_tag_sha: ${{ steps.get_info.outputs.latest_tag_sha }}
      changed: ${{ steps.get_info.outputs.changed }}
      next_version: ${{ steps.get_info.outputs.next_version }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
          disable-telemetry: true
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
      - name: Get info
        id: get_info
        run: |
          set -e
          git fetch --tags
          source hack/derive-version.sh $TRACKED_PATHS
          echo latest_tag=$LATEST_TAG | tee -a "$GITHUB_OUTPUT"
          echo latest_tag_sha=$LATEST_TAG_SHA | tee -a "$GITHUB_OUTPUT"
          echo changed=$HAVE_CHANGED | tee -a "$GITHUB_OUTPUT"
          echo next_version=$NEXT_VERSION | tee -a "$GITHUB_OUTPUT"

  generate_release_notes:
    needs: get_info
    if: needs.get_info.outputs.changed == 'true'
    timeout-minutes: 15
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
          disable-telemetry: true
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
      - name: Fetch tags
        id: fetch_tags
        run: |
          git fetch --tags
      - name: Generate release notes
        uses: google-github-actions/run-gemini-cli@v0
        with:
          gemini_api_key: ${{ secrets.GEMINI_API_KEY }}
          settings: |-
            {
              "sandbox": true,
              "autoAccept": true
            }
          prompt: |
            Make a release notes based on all notable changes since the tag
            ${{needs.get_info.outputs.latest_tag}}.
            Categorize it nicely with emojis, output as Markdown.
            For each change that you mention in the release notes:
            - Summarize the change in one line
            - Put jira link in the beginning of the line, if the change has a
              jira link in the commit message
            Include all changes that have jira link in the commit message.
            Don't create a title for the release.
            Preface the release notes with a brief summary of the release.
            The summary should also refer to changes in policies and policy rules.
            Also save the release notes in a file named "release-notes.md".
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: release-notes
          path: release-notes.md
          if-no-files-found: error

  create_release:
    needs: [get_info, generate_release_notes]
    if: ${{ needs.get_info.outputs.changed == 'true' && needs.generate_release_notes.result == 'success'}}
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
          disable-telemetry: true
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
      - name: Tag
        run: |
          set -e
          git fetch --tags
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          source hack/add-auto-tag.sh
          git push -f --tags
      - name: Download artifact
        uses: actions/download-artifact@v5
        with:
          name: release-notes
      - name: Create a release
        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
        with:
          name: ${{ needs.get_info.outputs.next_version }}
          tag_name: ${{ needs.get_info.outputs.next_version }}
          body_path: "release-notes.md"
          make_latest: false
          generate_release_notes: false
Log output
https://github.com/conforma/policy/actions/runs/17971755842/job/51604646546
Additional information
The last time it worked was on Sep 10, 2025.
I've tested the workflow in another repository (with a timeout of 1 hour) and the issue is reproduced there as well.