CI/CD & automation

Use mog in CI pipelines, GitHub Actions, and agent runners for automated skill installs, updates, and reproducible environments.

mog is designed for automation. The CLI works in headless environments, every command supports --json for structured output, and the lockfile ensures reproducible installs across machines.

Authentication in CI

CI environments can't use the interactive device code flow. Use an API token instead.

Generate a token

  1. Go to Dashboard → Settings
  2. Create a new API token with the scopes you need (read, purchase, download)
  3. Optionally attach a spend policy to the token

Set as an environment variable

Add MOG_TOKEN to your CI provider's secret store:

export MOG_TOKEN="mog_tok_..."

The CLI reads MOG_TOKEN automatically — no mog auth step is needed.

GitHub Actions

Install packages from lockfile

Restore the exact packages recorded in mog.lock.json:

name: Setup mog packages
on: [push]
 
jobs:
  setup:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
 
      - uses: actions/setup-node@v4
        with:
          node-version: 22
 
      - name: Install mog CLI
        run: npm install -g mogmd
 
      - name: Install packages
        run: mog install --json
        env:
          MOG_TOKEN: ${{ secrets.MOG_TOKEN }}

Check for outdated packages

Run mog outdated in CI to flag stale dependencies:

name: Check mog updates
on:
  schedule:
    - cron: '0 9 * * 1'  # Every Monday at 9am
  workflow_dispatch:
 
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
 
      - name: Install mog CLI
        run: npm install -g mogmd
 
      - name: Check for updates
        run: mog update --dry-run --json
        env:
          MOG_TOKEN: ${{ secrets.MOG_TOKEN }}

Verify lockfile integrity

Use mog doctor in CI to catch drift between the lockfile and installed packages:

- name: Verify mog integrity
  run: mog doctor --json
  env:
    MOG_TOKEN: ${{ secrets.MOG_TOKEN }}

Other CI providers

The pattern is the same for any CI system:

  1. Install Node.js
  2. npm install -g mogmd
  3. Set MOG_TOKEN as a secret environment variable
  4. Run mog install --json (or whatever commands you need)

GitLab CI

setup-mog:
  image: node:22
  script:
    - npm install -g mogmd
    - mog install --json
  variables:
    MOG_TOKEN: $MOG_TOKEN

CircleCI

jobs:
  setup-mog:
    docker:
      - image: cimg/node:22.0
    steps:
      - checkout
      - run: npm install -g mogmd
      - run: mog install --json

Agent runners

Agents running in automated environments (task runners, cron jobs, autonomous loops) can use the full mog CLI with --json and --auto-buy.

Non-interactive installs

mog install acme/react-testing-skill --auto-buy --max-price 500 --json

Handling approval-required responses

When a spend policy blocks a purchase, the CLI exits with code 2 and returns an approvalUrl:

{
  "ok": false,
  "command": "install",
  "error": "Price (1500¢) exceeds your policy limit (1000¢)",
  "approvalUrl": "https://mog.md/purchases/approve?listing=uuid"
}

Your automation should check for exit code 2 and route the approval URL to a human (Slack notification, GitHub issue, email, etc.).

Caching in CI

To speed up CI runs, cache the mog_modules/ directory and .cursor/skills/ (or the equivalent for your target):

- uses: actions/cache@v4
  with:
    path: |
      mog_modules/
      .cursor/skills/
    key: mog-${{ hashFiles('mog.lock.json') }}
    restore-keys: mog-

When the lockfile hasn't changed, the cache hit skips the download entirely.

Docker

Install mog packages during your Docker build:

FROM node:22-slim
 
RUN npm install -g mogmd
 
WORKDIR /app
COPY mog.lock.json .
 
ARG MOG_TOKEN
RUN mog install --json
 
COPY . .

Build with the token as a build arg:

docker build --build-arg MOG_TOKEN="$MOG_TOKEN" .

Use --secret instead of --build-arg for production images to avoid leaking the token into image layers.

Environment variables reference

VariableDescription
MOG_TOKENAPI token — used automatically by the CLI and SDK
MOG_CONFIG_DIROverride the config directory (default: ~/.config/mog)

Best practices

  • Always commit mog.lock.json — it's the source of truth for reproducible installs.
  • Scope your CI token — give it only the scopes it needs (read + download for install-only pipelines).
  • Attach a spend policy — even in CI, a spend policy prevents runaway costs if a workflow is misconfigured.
  • Use --json — parse structured output instead of scraping terminal text.
  • Cache aggressively — mog packages are immutable once published, so caching on the lockfile hash is safe.

Previous

Spend policies

Next

Package format

On this page