ENGINEERING
Transitive Lockfile Diff Blast-Radius Mapper (GitHub)
Reads the full lockfile diff of a bump PR to surface every transitive dependency that changed, not just the headline package.
How it runs
The automated pipeline, trigger to output.
- TriggerGitHub bump PR webhookGitHub
- ActionParse lockfile diff into changed-package listShell
- ActionResolve transitives to direct deps + call sitesShell
- LogicGroup + flag major-version crossings
- OutputPost transitive blast-radius table on PRGitHub
What it does
A bump PR titled "update axios" can quietly move a dozen transitive packages in the lockfile. This workflow diffs the committed lockfile, lists every added, removed, or version-changed dependency including transitives, and for each one traces which direct dependency and which call sites bring it into your tree. It posts a single comment showing the true surface of the change.
When to use it
Use it when supply-chain risk lives in the transitive graph and your reviewers only read the PR title. Especially valuable after a known transitive CVE, when you need to know fast whether a bump pulls the fixed or the vulnerable version.
How it works
- 1A GitHub PR webhook fires on a bump branch.
- 2A shell step parses the lockfile diff into a structured list of changed packages with old/new versions and direct-vs-transitive classification.
- 3A shell step resolves each transitive change to the direct dependency and call sites that import its parent.
- 4A logic step groups changes and flags any version that crosses a major boundary.
- 5The workflow posts the full transitive blast-radius table as a GitHub PR comment.
Set it up
What you configure once, before turning it on.
- 1Connect GitHubRepos, issues, pull requests, actions.
- 2Connect ShellRun sandboxed commands inside the workspace.
- 3Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 4Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 5Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More Engineering workflows
Upgrade Impact Router to Module Code Owners
Maps a dependency-bump PR's affected modules to their CODEOWNERS, then DMs each owner on Slack with only the changelog slice that touches code they own.
Re-Voice IVR Prompts on Phone-Tree Config Merge
When a phone-tree config change merges in GitHub, regenerates the ElevenLabs audio for any prompt whose script changed in the diff and opens a follow-up PR adding the new audio…
Agent reviews model-license fit and suggests compliant swaps on the PR
When a PR adds a Hugging Face model, an agent reads the model card and license, judges fit against your commercial-use policy.
Scan for deprecated endpoints and email consumers a weekly sunset countdown
On a weekly schedule, scans the OpenAPI spec for endpoints marked deprecated with a sunset date, and emails each consuming team a countdown of how many days remain before removal.
Publish a versioned API changelog to Confluence on each release tag
On a new semver release tag, gathers the contract changes since the last release and writes a clean.
Gate breaking API PRs behind downstream consumer acknowledgement
When a PR introduces a breaking contract change, comments the impact summary back on the PR, applies a blocking label.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.