Google Gemini CLI breaks CI

- Google patched a critical Gemini CLI trust-model flaw, but the fix changed headless behavior and can break GitHub Actions or other CI jobs.
- Patched versions are Gemini CLI 0.39.1 and 0.40.0-preview.3, plus run-gemini-cli 0.1.22 — and trusted automation may now need `GEMINI_TRUST_WORKSPACE=true`.
- The bigger lesson is about agentic tooling in pipelines: security fixes can invalidate old assumptions and force explicit trust boundaries.

Google’s Gemini CLI problem is not just “there was a bug.” The real story is that the fix changes how the tool behaves in automation — and that can snap CI pipelines that were relying on the old default. In other words, Google closed a critical remote-code-execution path, but teams using Gemini in GitHub Actions or other headless jobs may have to rework their workflows too. (github.com)

### What actually broke?

The issue sat in Gemini CLI’s trust model. In older versions, when the CLI ran in headless environments like CI, it automatically trusted the workspace folder for loading config and environment variables. That sounds convenient, but it created a dangerous path in untrusted contexts — like pull requests or other inputs an attacker could influence. GitHub’s advisory cl[…]on issue tied to workspace trust and tool allowlisting bypasses. (github.com)

### Why is CI the dangerous version?

Because CI runs code without a human in the loop. If an agentic CLI auto-trusts the directory it is pointed at, then repo content, config files, or environment-loading behavior can become part of the attack surface. In a GitHub Actions job reviewing PRs, that matters a lot — the whole point is that the workflow may be touching data from people you do not […]s the kind of environment this hardening targets. (github.com)

### What did Google change?

Google shipped patched versions for both the CLI and the GitHub Action wrapper. The fixed versions are Gemini CLI 0.39.1 and 0.40.0-preview.3, plus run-gemini-cli 0.1.22. The release notes also point to the underlying code change as “secure .env loading and enforce workspace trust in headless mode,” which is the core of the fix. (github.com)

### Why are jobs failing now?

Because the new behavior is stricter by design. In CI, the patched tool no longer assumes the workspace is trusted. If your workflow used to depend on loading project config or `.env` values automatically, that behavior can stop working after the upgrade.

Google’s trust guidance says teams now need to decide whether the workflow handles trusted or untrusted input. (github.com)

### What do trusted workflows need to do?

If a CI job only operates on trusted inputs — say, repo-owner code and prompts — Google’s guidance says you can explicitly set `GEMINI_TRUST_WORKSPACE=true`. That is the new opt-in. The important part is that trust is now something you declare, not something the CLI grants itself because it happens to be running headlessly. That is safer, but it also means old jobs may need manual edits before they work again. (github.com)

### What’s the bigger security lesson?

Agentic developer tools are starting to live inside automation, not just on laptops. That changes the blast radius. A bug in a terminal assistant is bad enough; a bug in a terminal assistant wired into CI can turn a code-review bot or issue-triage workflow into an execution path. The Gemini case shows the awkward tr[…]the workflow feel smooth. (github.com)

### Why does this matter beyond Google?

Because this pattern will keep repeating. AI coding agents want filesystem access, shell access, config access, and often secret-adjacent context. CI systems want determinism and isolation. Those goals do not fit together unless teams draw explicit trust boundaries, separate trusted from untrusted jobs, and keep a break-glass path for when a secur[…]tradeoff visible. (github.com)

### Bottom line

The headline is “Google patched a critical Gemini CLI flaw.” But the more useful takeaway is this: if you embed an AI agent in CI, the security model is part of your build logic now. When that model changes, your pipeline changes with it. (github.com)
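One way to apply the trusted-versus-untrusted split described above in a GitHub Actions workflow. This is an added example, not from the article or from the Gemini CLI project; it assumes the wrapper action is published as `google-github-actions/run-gemini-cli` with a `v0.1.22` tag and accepts `prompt` and `gemini_api_key` inputs, and that `GEMINI_API_KEY` is a repository secret.

```yaml
# Added example (assumed action name, tag and inputs; see lead-in).
name: gemini-ci

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read

jobs:
  # Trusted job: runs only on commits already merged to main by people
  # with write access. Trust is declared explicitly, as the patched CLI
  # now requires, instead of being assumed because the run is headless.
  trusted-summary:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    env:
      GEMINI_TRUST_WORKSPACE: "true"
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v0.1.22
        with:
          gemini_api_key: ${{ secrets.GEMINI_API_KEY }}
          prompt: "Summarize the changes in the latest commit on main."

  # Untrusted job: pull requests can come from anyone, so the workspace
  # is deliberately NOT trusted. Without GEMINI_TRUST_WORKSPACE the
  # patched CLI will not load project config or .env values on its own,
  # which is the behavior the article says may now "break" old jobs.
  pr-review:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v0.1.22
        with:
          gemini_api_key: ${{ secrets.GEMINI_API_KEY }}
          prompt: "Review this diff for correctness and report findings."
```

If an upgraded job starts failing on config or `.env` loading, check which of these two jobs it really is before adding the opt-in; setting `GEMINI_TRUST_WORKSPACE=true` on the PR job would reopen the path the patch closed.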

Shared from Scout - Be the smartest in the room.