DEVOPS
Open a weekly PR to bump base images with available CVE fixes
Weekly, finds base images carrying CVEs that have a patched upstream tag available and opens a ready-to-review GitHub PR bumping each one.
How it runs
The automated pipeline, trigger to output.
- Trigger: Weekly schedule
- Action (GitHub): Pair open CVEs with fixed upstream tags
- Logic: Filter to images with an available fix
- Action (GitHub): Edit Dockerfile FROM to patched tag
- Output (GitHub): Open bump PR listing resolved CVEs
What it does
Enforcing a CVE budget creates a backlog of images that need bumping. This workflow does the legwork: each week it scans your base images, identifies which CVEs have a fixed version published upstream, and opens a pull request bumping the `FROM` tag to the patched release. The PR body lists exactly which CVEs the bump clears so reviewers can approve with confidence.
When to use it
Use it to stay ahead of the gate instead of being blocked by it. Rather than discovering a budget breach mid-deploy, you get a steady stream of small, pre-vetted upgrade PRs you can merge on your own schedule.
How it works
- 1. A weekly schedule starts the run.
- 2. An action scans each base image and pairs open CVEs with available fixed tags.
- 3. A filter drops images where no patched upstream tag exists yet.
- 4. For each fixable image, an action edits the Dockerfile `FROM` to the patched tag.
- 5. The workflow opens a GitHub PR per image listing the resolved CVEs.
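The five steps above, carried out offline as one added example (this is illustration code written for this page, not the workflow's own implementation). Everything it consumes is constructed: `SCANS` stands in for a scanner's CVE findings per image reference, with the candidate upstream tags already scanned so that "fixed" means "absent from the newer tag's findings"; `DIGESTS` stands in for a registry lookup; the CVE ids are placeholders, not real advisories. The bump policy is an assumption too: only patch-level tags in the same major.minor line and variant are considered, and the newest such tag wins.

```python
"""Weekly base-image bump planner (added example, not the product's own code)."""
import re
from dataclasses import dataclass

# Constructed multi-stage Dockerfile: two base images, one with a platform flag and stage alias.
DOCKERFILE = """\
FROM --platform=$BUILDPLATFORM golang:1.21.3-alpine AS builder
WORKDIR /src
COPY . .
RUN go build -o /out/app ./cmd/app

FROM alpine:3.18.3
COPY --from=builder /out/app /usr/local/bin/app
ENTRYPOINT ["app"]
"""

# Constructed scanner output: image ref -> open CVE ids (placeholder ids, not real advisories).
SCANS = {
    "alpine:3.18.3": {"CVE-2099-0001", "CVE-2099-0002", "CVE-2099-0003"},
    "alpine:3.18.4": {"CVE-2099-0003"},          # two fixed, one still open upstream
    "alpine:3.19.0": set(),                      # newer minor line: outside the bump policy
    "golang:1.21.3-alpine": {"CVE-2099-0010"},
    "golang:1.21.5-alpine": {"CVE-2099-0010"},   # no fixed tag in this line yet
}
# Constructed digests; in production resolve them from the registry when the PR is opened.
DIGESTS = {"alpine:3.18.4": "sha256:" + "0" * 64}

# Matches `FROM [--platform=...] repo:tag[@sha256:...] [AS name]`; untagged or ARG-based FROMs are skipped.
FROM_RE = re.compile(
    r"^(?P<head>FROM\s+(?:--platform=\S+\s+)?)"
    r"(?P<repo>[a-z0-9][\w./-]*):(?P<tag>[\w.-]+)(?:@sha256:[0-9a-f]{64})?"
    r"(?P<tail>(?:\s+AS\s+\S+)?)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Bump:
    repo: str
    old_tag: str
    new_tag: str
    resolved: frozenset   # CVEs present in old_tag, absent in new_tag
    still_open: frozenset  # CVEs the new tag still carries


def _version(tag):
    """Numeric components of a tag, e.g. '1.21.3-alpine' -> (1, 21, 3)."""
    return tuple(int(n) for n in re.findall(r"\d+", tag.split("-", 1)[0]))


def _same_line(a, b):
    """Same major.minor and same variant suffix, i.e. a patch-level bump only (assumed policy)."""
    return _version(a)[:2] == _version(b)[:2] and a.split("-", 1)[1:] == b.split("-", 1)[1:]


def base_images(dockerfile):
    """(repo, tag) for every tagged FROM line, in order."""
    found = []
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        if m:
            found.append((m["repo"], m["tag"]))
    return found


def plan_bumps(dockerfile, scans):
    """Steps 2-3: pair each base image with the newest in-line tag that clears at least one CVE."""
    bumps = {}
    for repo, tag in base_images(dockerfile):
        current = scans.get(f"{repo}:{tag}", set())
        known = sorted((t.split(":", 1)[1] for t in scans if t.startswith(repo + ":")), key=_version)
        newer = [t for t in known if _same_line(t, tag) and _version(t) > _version(tag)]
        if not newer:
            continue                              # no newer tag in this line at all
        new_tag = newer[-1]
        after = scans[f"{repo}:{new_tag}"]
        resolved = current - after
        if not resolved:
            continue                              # nothing fixed upstream yet: filtered out, no PR
        bumps[repo] = Bump(repo, tag, new_tag, frozenset(resolved), frozenset(after))
    return bumps


def apply_bumps(dockerfile, bumps, digests):
    """Step 4: rewrite only the matching FROM lines, keeping platform flags and stage aliases,
    and pin the new tag to its digest so the bump cannot drift after review."""
    out = []
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        if m and m["repo"] in bumps and m["tag"] == bumps[m["repo"]].old_tag:
            ref = f"{m['repo']}:{bumps[m['repo']].new_tag}"
            if ref in digests:
                ref += "@" + digests[ref]
            line = f"{m['head']}{ref}{m['tail']}"
        out.append(line)
    return "\n".join(out) + "\n"


def pr_body(bumps):
    """Step 5: Markdown PR body listing exactly which CVEs each bump clears (and which it does not)."""
    lines = ["## Weekly base image bump", ""]
    for b in bumps.values():
        lines.append(f"- `{b.repo}:{b.old_tag}` -> `{b.repo}:{b.new_tag}`")
        lines.append(f"  - resolves: {', '.join(sorted(b.resolved))}")
        if b.still_open:
            lines.append(f"  - still open upstream: {', '.join(sorted(b.still_open))}")
    return "\n".join(lines)


if __name__ == "__main__":
    plan = plan_bumps(DOCKERFILE, SCANS)
    print(apply_bumps(DOCKERFILE, plan, DIGESTS))
    print(pr_body(plan))
```

Two things a reviewer of such a PR should insist on that the example makes explicit: the "fix" claim comes from scanning the candidate tag itself rather than trusting a changelog, and the rewritten `FROM` pins a digest, because a bare tag is mutable and what was reviewed on Monday may not be what builds on Friday. The `golang` stage is left untouched because its only newer in-line tag still carries the same CVE, which is exactly the case the filter step exists for.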
Set it up
What you configure once, before turning it on.
- 1. Connect GitHub: repos, issues, pull requests, actions.
- 2. Set each agent's model: models are left unset so you pick the tier, fast and cheap or top quality.
- 3. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
- 4. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.