ENGINEERING
GitLab dependency MR auto-triage by affected-test blast radius
When a dependency-bump merge request opens in GitLab, this workflow maps which tests and modules the changed packages actually touch and scores the blast radius.
How it runs
The automated pipeline, trigger to output.
- Trigger: GitLab MR opened with dependency-bump label (GitLab)
- Action: Parse lockfile diff for bumped packages and semver delta (GitLab)
- Action: Resolve affected modules and covering tests from dependency graph (Postgres)
- Logic: Score blast radius: safe vs needs-review
- Action: Apply label and assign reviewer if risky (GitLab)
- Output: Post affected-tests summary comment on the MR (GitLab)
What it does
Every dependency-bump MR (Renovate, Dependabot, or hand-pushed) gets an automatic blast-radius assessment instead of sitting in the review queue. The workflow figures out which source files import the bumped package, which test files cover those files, and turns that into a risk score and a GitLab label.
When to use it
Run this when a flood of automated dependency MRs is drowning your reviewers and you want the trivial ones (patch bumps to leaf dev-deps) to self-clear while the risky ones (a core runtime library used in 40 modules) get flagged loudly.
How it works
- 1. A GitLab merge-request webhook fires when an MR with a dependency-bump label is opened or updated.
- 2. The workflow reads the changed lockfile entries to extract each bumped package and its semver delta.
- 3. It queries a Postgres dependency-graph table to resolve every internal module that imports each package, then maps those modules to their covering test files.
- 4. A logic step scores blast radius from import count, semver jump, and whether any production entrypoint is in the path.
- 5. Below threshold it applies a `dep:safe` label and approves; above threshold it applies `dep:needs-review` and assigns a human.
- 6. A summary comment is posted back on the MR listing affected modules and tests.
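A sketch of the scoring step described above, added here as an illustration and not taken from the workflow itself. The weights, the threshold, the `Bump` fields and the sample packages are all assumptions; unparsable versions and downgrades are sent to review rather than auto-cleared, and a minor bump on a 0.x package is treated as breaking.

```python
# Added illustration; weights, threshold and field names are assumptions, not from the page.
import re
from dataclasses import dataclass

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
DELTA_WEIGHT = {"patch": 1, "minor": 3, "major": 8}   # assumed weights
THRESHOLD = 10                                         # assumed cut-off

@dataclass
class Bump:
    package: str
    old: str
    new: str
    importing_modules: list   # internal modules that import the package
    prod_entrypoints: set     # modules that are production entrypoints

def semver_delta(old, new):
    """Return 'patch', 'minor', 'major', or None when the jump cannot be trusted."""
    a, b = SEMVER.match(old), SEMVER.match(new)
    if not a or not b:
        return None                      # unparsable version: fail closed
    o, n = tuple(map(int, a.groups())), tuple(map(int, b.groups()))
    if n <= o:
        return None                      # downgrade or no-op: never auto-clear
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "major" if o[0] == 0 else "minor"   # 0.x minor bumps may break
    return "patch"

def score(bump):
    """Combine semver jump, import count and entrypoint exposure into (score, label)."""
    delta = semver_delta(bump.old, bump.new)
    if delta is None:
        return None, "dep:needs-review"
    s = DELTA_WEIGHT[delta] + len(bump.importing_modules)
    if bump.prod_entrypoints & set(bump.importing_modules):
        s += 10                          # assumed penalty: production path is affected
    return s, "dep:safe" if s < THRESHOLD else "dep:needs-review"

# Constructed sample input
BUMPS = [
    Bump("lint-plugin-a", "4.2.0", "4.2.1", ["tools/lint"], {"api/server"}),
    Bump("http-core-b", "2.9.3", "3.0.0", ["api/server", "jobs/sync"], {"api/server"}),
    Bump("tiny-util-c", "0.3.1", "0.4.0", ["lib/fmt", "lib/cli"], {"api/server"}),
    Bump("pad-util-d", "1.4.0", "1.3.9", ["lib/fmt"], {"api/server"}),
]

if __name__ == "__main__":
    for b in BUMPS:
        print(b.package, *score(b))
```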
Set it up
What you configure once, before turning it on.
- 1. Connect GitLab: repos, MRs, pipelines, registry.
- 2. Connect Postgres: any Postgres URL (query, write, migrate).
- 3. Set each agent's model: we leave models unset so you pick the tier (fast + cheap, or top-quality).
- 4. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
- 5. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
