DEVOPS
Nightly rescan of running staging images and rollback on new CVEs
On a nightly schedule, rescans every image currently running in staging against fresh vulnerability feeds and, if a newly disclosed Critical CVE appears, rolls the affected…
How it runs
The automated pipeline, trigger to output.
- Trigger: Nightly schedule fires
- Action (Shell): List and rescan running staging image digests
- Logic: Branch on whether any newly disclosed Critical CVE appears
- Action (Shell): Roll staging service back to last clean tag
- Action (Cloudflare): Purge Cloudflare cache for affected hosts
- Output (Slack): Post rollback summary to Slack
What it does
Catches CVEs disclosed *after* an image was already promoted. A scan that passed yesterday can fail tonight when a new advisory drops, so this re-evaluates the live staging fleet every night and reacts automatically.
When to use it
Use it when long-lived staging images sit untouched for days and you need ongoing assurance against newly published vulnerabilities, not just a one-time gate at promotion.
How it works
- 1. A nightly schedule trigger kicks off the run.
- 2. A shell step lists the image digests currently deployed to staging and rescans each against updated CVE databases. Digests, not tags, are the key: a tag can be rebuilt and repointed, so a tag-keyed comparison can silently compare two different images.
- 3. A logic branch isolates services whose images now carry a fresh Critical CVE that was absent at promotion time.
- 4. For each affected service, an action rolls staging back to the last known-clean image tag. That target should pass tonight's scan as well: if the new CVE lives in a base layer shared by both images, rolling back does not remove it, and the service should be flagged for a human instead.
- 5. A Cloudflare action purges the edge cache for the rolled-back hostnames so stale responses are not served.
- 6. A Slack message summarizes which services were rolled back, the new CVE IDs, and the safe tag restored.
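The decision logic behind steps 2 through 6, as an added example that is not part of the page or the product's own code. It runs offline on constructed scanner output and makes these assumptions, none of which come from the page: scan documents follow the Trivy JSON layout (`Results[].Vulnerabilities[].VulnerabilityID` and `.Severity`); the deployment inventory records, per service, the running image digest, the hostnames it serves, and the previous tag with its digest; and the Cloudflare body uses the `hosts` form of the `purge_cache` endpoint. The CVE IDs, digests and hostnames are placeholders.

```python
"""Added example, not the workflow product's own code: the decision logic
behind the nightly rescan, run offline on constructed scanner output.

Assumptions (none are from the page): scan documents follow the Trivy JSON
layout ({"Results": [{"Vulnerabilities": [{"VulnerabilityID": ..,
"Severity": ..}]}]}); the deployment inventory records, per service, the
running image digest, the hostnames it serves, and the previous tag with
its digest. The Cloudflare body follows the "hosts" form of purge_cache.
"""


def _scan(*vulns):
    """Build one Trivy-style scan document from (id, severity) pairs. Constructed data."""
    return {"Results": [{"Vulnerabilities": [
        {"VulnerabilityID": cve, "Severity": sev} for cve, sev in vulns]}]}


def _ids(scan, severity=None):
    """CVE IDs in a scan document, optionally restricted to one severity."""
    return {
        v["VulnerabilityID"]
        for r in scan.get("Results", [])
        for v in (r.get("Vulnerabilities") or [])
        if severity is None or v.get("Severity", "").upper() == severity
    }


def new_criticals(baseline_scan, fresh_scan):
    """Critical CVEs present tonight that were absent (at any severity) at promotion time.

    A CVE already known at a lower severity and since upgraded to Critical is not
    "newly disclosed" under this definition; widen the policy if escalations should
    also trigger a rollback.
    """
    return _ids(fresh_scan, "CRITICAL") - _ids(baseline_scan)


def plan_rollbacks(inventory, baseline, fresh):
    """Split the fleet into services to roll back and services needing a human.

    Images are matched by digest, not tag. A rollback is only planned when the
    candidate tag's own fresh scan does not carry the new CVE; otherwise the CVE
    sits in a shared layer and rolling back would restore a vulnerable image
    while reporting success.
    """
    rollbacks, manual = [], []
    for service, meta in sorted(inventory.items()):
        base_scan = baseline.get(meta["digest"])
        fresh_scan = fresh.get(meta["digest"])
        if base_scan is None or fresh_scan is None:
            manual.append({"service": service, "cves": [],
                           "reason": "no baseline or fresh scan for running digest"})
            continue
        new = new_criticals(base_scan, fresh_scan)
        if not new:
            continue
        target_scan = fresh.get(meta["last_clean_digest"])
        if target_scan is None or new & _ids(target_scan):
            manual.append({"service": service, "cves": sorted(new),
                           "reason": "rollback target unscanned or also affected"})
            continue
        rollbacks.append({"service": service, "cves": sorted(new),
                          "tag": meta["last_clean_tag"], "hosts": list(meta["hosts"])})
    return rollbacks, manual


def purge_payload(rollbacks):
    """JSON body for POST /zones/{zone_id}/purge_cache, purging by hostname
    (Cloudflare documents the hosts form as limited to Enterprise zones)."""
    return {"hosts": sorted({h for r in rollbacks for h in r["hosts"]})}


def slack_summary(rollbacks, manual):
    """Plain-text summary for the Slack step: service, restored tag, new CVE IDs."""
    lines = ["Nightly staging rescan: rollback summary"]
    for r in rollbacks:
        lines.append(f"- {r['service']}: rolled back to {r['tag']} ({', '.join(r['cves'])})")
    for m in manual:
        lines.append(f"- {m['service']}: NOT rolled back, {m['reason']} ({', '.join(m['cves']) or 'n/a'})")
    if len(lines) == 1:
        lines.append("- no newly disclosed Critical CVEs on running staging images")
    return "\n".join(lines)


# Constructed inventory and scans; CVE IDs are placeholders, not real advisories.
INVENTORY = {
    "api": {"digest": "sha256:api-new", "hosts": ["api.staging.example.com"],
            "last_clean_tag": "api:2024.05.01", "last_clean_digest": "sha256:api-old"},
    "web": {"digest": "sha256:web-new", "hosts": ["staging.example.com"],
            "last_clean_tag": "web:2024.04.28", "last_clean_digest": "sha256:web-old"},
    "worker": {"digest": "sha256:worker-new", "hosts": [],
               "last_clean_tag": "worker:2024.04.30", "last_clean_digest": "sha256:worker-old"},
}
BASELINE = {  # what the scanner reported when each image was promoted
    "sha256:api-new": _scan(("CVE-0000-0001", "HIGH")),
    "sha256:web-new": _scan(),
    "sha256:worker-new": _scan(("CVE-0000-0003", "MEDIUM")),
}
FRESH = {  # tonight's rescan of running digests plus the rollback candidates
    "sha256:api-new": _scan(("CVE-0000-0001", "HIGH"), ("CVE-0000-0002", "CRITICAL")),
    "sha256:api-old": _scan(("CVE-0000-0001", "HIGH")),         # clean of 0002: roll back
    "sha256:web-new": _scan(("CVE-0000-0004", "CRITICAL")),
    "sha256:web-old": _scan(("CVE-0000-0004", "CRITICAL")),     # shared base layer: manual
    "sha256:worker-new": _scan(("CVE-0000-0003", "CRITICAL")),  # escalation only: no action
}

if __name__ == "__main__":
    rb, needs_human = plan_rollbacks(INVENTORY, BASELINE, FRESH)
    print(slack_summary(rb, needs_human))
    print(purge_payload(rb))
```

With the constructed data, `api` is rolled back because its previous digest is clean of the new CVE, `web` is handed to a human because the rollback candidate carries the same CVE, and `worker` is left alone because its CVE was already known at promotion time and only had its severity raised. The shell step in the real workflow supplies the digest inventory and the two sets of scan documents; everything else here is the branch and the two outputs.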
Set it up
What you configure once, before turning it on.
- 1. Connect Shell: Run sandboxed commands inside the workspace.
- 2. Connect Cloudflare: Workers, Pages, R2, KV, the edge stack.
- 3. Connect Slack: Channels, DMs, threads, mentions.
- 4. Set each agent's model: We leave models unset so you pick the tier, fast and cheap or top-quality.
- 5. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
- 6. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
More DevOps workflows
Slack-approved pause for idle Hugging Face Spaces
On a daily scan it finds idle paid Spaces and posts an interactive Slack approval; on approve it pauses the Space and logs the decision to a GitHub issue audit trail.
Block costly Hugging Face Space hardware upgrades in PR review
When a pull request changes a Space's hardware config, it estimates the new monthly cost and posts a GitHub PR comment that flags upgrades crossing a budget ceiling.
Hugging Face Spaces idle-runtime sweep with auto-pause
On a schedule, scans all Hugging Face Spaces for ones running idle past a threshold, pauses them to stop billing, and posts a Slack summary with the estimated monthly savings.
Open a Zoom war-room from a Datadog multi-alert storm
When a Datadog monitor crosses a critical threshold, this workflow dedupes against active incidents and creates a Zoom bridge only for a genuinely new outage.
Auto-spin a Zoom war-room when PagerDuty hits SEV-1
When a PagerDuty incident escalates to a critical severity, this workflow creates a dedicated Zoom meeting and posts the bridge link to the incident's Slack channel so responders…
Spin up a war-room on demand from a Slack slash command
When an engineer runs a Slack command, this workflow creates a Zoom bridge, opens a Sentry-linked tracking incident, and files a Linear issue for follow-up.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.
