DEVOPS
Base-Image CVE Re-Tag Watcher with Auto Rebuild PRs
Watches the upstream base images your Dockerfiles pin to, and when a pinned digest is re-tagged to patch a CVE it opens a GitHub PR that bumps the digest and rebuilds the image.
How it runs
The automated pipeline, trigger to output.
- Trigger: Schedule check every 4 hours
- Action: Read Dockerfiles and parse pinned digests (GitHub)
- Action: Resolve current registry digest per tag (HTTP webhook)
- Logic: Keep only images whose digest drifted
- Action: Commit digest bump and open rebuild PR (GitHub)
- Output: Post PR link and changed images to Slack (Slack)
What it does
Monitors the base images referenced in your repository Dockerfiles. When an upstream tag (for example `node:22-bookworm-slim`) is re-published with a new digest to ship a CVE fix, this template detects the digest drift and opens a pull request that updates your pinned `FROM ...@sha256:` line so the next build picks up the patched layers.
When to use it
Run this when you pin base images by digest for reproducibility but still need to absorb security patches quickly. It closes the gap between "upstream patched the CVE" and "our image rebuilt against it" without a human watching Docker Hub.
How it works
1. A schedule fires every few hours.
2. The flow reads each Dockerfile from GitHub and extracts the pinned image and digest.
3. It resolves the current digest for each tag from the registry and compares it against the pinned value.
4. A logic step keeps only images whose digest actually changed.
5. For each drifted image it commits an updated `FROM` digest on a branch and opens a PR.
6. It posts the PR link and the affected images to Slack so an on-call engineer can review and merge.
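Steps 2 to 5 above, as an added Python example that is not part of the template's own code: it parses digest-pinned `FROM` lines, keeps only the images whose digest drifted, and rewrites just those lines. The registry lookup is replaced by a constructed `RESOLVED` dict (a real run would take the `Docker-Content-Digest` header from a manifest request for each tag); the sample Dockerfile and every digest in it are constructed placeholders.

```python
import re

# One digest-pinned FROM line: [--platform=...] image[:tag]@sha256:<hex> [AS name]
FROM_RE = re.compile(
    r"^(?P<prefix>[ \t]*(?i:from)[ \t]+(?:--platform=\S+[ \t]+)?)"
    r"(?P<image>[^\s@]+)@sha256:(?P<digest>[0-9a-f]{64})"
    r"(?P<suffix>.*)$",
    re.MULTILINE,
)

def parse_pinned_images(dockerfile: str) -> dict[str, str]:
    """Map each digest-pinned image reference (e.g. 'node:22-bookworm-slim') to its pin."""
    return {m["image"]: m["digest"] for m in FROM_RE.finditer(dockerfile)}

def find_drift(pinned: dict[str, str], resolved: dict[str, str]) -> dict[str, str]:
    """Keep only images whose current registry digest differs from the pinned one.
    Images missing from `resolved` (lookup failed) are skipped, never rewritten."""
    return {img: resolved[img] for img, old in pinned.items()
            if img in resolved and resolved[img] != old}

def bump_digests(dockerfile: str, new_digests: dict[str, str]) -> str:
    """Rewrite only the drifted FROM lines; tag, --platform and AS stay intact."""
    def repl(m: re.Match) -> str:
        new = new_digests.get(m["image"])
        if new is None:
            return m.group(0)
        return f"{m['prefix']}{m['image']}@sha256:{new}{m['suffix']}"
    return FROM_RE.sub(repl, dockerfile)

# Constructed sample Dockerfile; the digests are placeholders, not real image digests.
OLD_NODE, OLD_DISTROLESS, NEW_NODE = "a" * 64, "b" * 64, "c" * 64
SAMPLE_DOCKERFILE = f"""\
FROM --platform=linux/amd64 node:22-bookworm-slim@sha256:{OLD_NODE} AS build
RUN npm ci
FROM gcr.io/distroless/nodejs22-debian12@sha256:{OLD_DISTROLESS}
COPY --from=build /app /app
"""

# Constructed stand-in for the registry: a real run reads Docker-Content-Digest from
# a manifest request per tag. Here only the node tag has been re-published.
RESOLVED = {
    "node:22-bookworm-slim": NEW_NODE,
    "gcr.io/distroless/nodejs22-debian12": OLD_DISTROLESS,
}

def run_watcher(dockerfile: str = SAMPLE_DOCKERFILE, resolved: dict[str, str] = RESOLVED):
    """Return (drifted images, rewritten Dockerfile); a PR is only warranted when drift is non-empty."""
    drift = find_drift(parse_pinned_images(dockerfile), resolved)
    return drift, (bump_digests(dockerfile, drift) if drift else dockerfile)
```

Compare the same kind of digest you pinned (manifest-list versus platform-specific manifest), and put both old and new digests in the PR body so the reviewer can confirm the change is the upstream rebuild rather than assuming every drift is a CVE fix.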
Set it up
What you configure once, before turning it on.
1. Connect GitHub: repos, issues, pull requests, actions.
2. Connect Slack: channels, DMs, threads, mentions.
3. Connect HTTP webhook: trigger any URL on agent actions.
4. Set each agent's model: we leave models unset so you pick the tier, fast and cheap or top-quality.
5. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
6. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More DevOps workflows
Slack-approved pause for idle Hugging Face Spaces
On a daily scan it finds idle paid Spaces and posts an interactive Slack approval; on approve it pauses the Space and logs the decision to a GitHub issue audit trail.
Block costly Hugging Face Space hardware upgrades in PR review
When a pull request changes a Space's hardware config, it estimates the new monthly cost and posts a GitHub PR comment that flags upgrades crossing a budget ceiling.
Hugging Face Spaces idle-runtime sweep with auto-pause
On a schedule, scans all Hugging Face Spaces for ones running idle past a threshold, pauses them to stop billing, and posts a Slack summary with the estimated monthly savings.
Open a Zoom war-room from a Datadog multi-alert storm
When a Datadog monitor crosses a critical threshold, this workflow dedupes against active incidents and creates a Zoom bridge only for a genuinely new outage.
Auto-spin a Zoom war-room when PagerDuty hits SEV-1
When a PagerDuty incident escalates to a critical severity, this workflow creates a dedicated Zoom meeting and posts the bridge link to the incident's Slack channel so responders…
Spin up a war-room on demand from a Slack slash command
When an engineer runs a Slack command, this workflow creates a Zoom bridge, opens a Sentry-linked tracking incident, and files a Linear issue for follow-up.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
