DEVOPS
Critical-CVE Emergency Rebuild: Page On-Call and Auto-Merge the Digest Bump
On a critical-severity re-tag of a watched base image, this template opens a digest-bump rebuild PR, pages the on-call engineer in PagerDuty, and auto-merges the PR once the required CI checks pass.
How it runs
The automated pipeline, trigger to output.
- Trigger: Webhook on critical CVE re-tag (HTTP webhook)
- Logic: Confirm critical severity and in-scope image
- Action: Open emergency digest-bump rebuild PR (GitHub)
- Action: Raise PagerDuty incident with PR and CVE (PagerDuty)
- Action: Auto-merge PR once CI passes (GitHub)
- Output: Post merge outcome to Slack (Slack)
What it does
For critical CVEs you do not want a PR sitting in a review queue overnight. This template reacts to a critical-severity re-tag of a watched base image, opens a digest-bump rebuild PR immediately, raises a PagerDuty incident so the on-call engineer is aware, and auto-merges the PR once the required CI checks go green, so the rebuild starts without manual clicks. Because the merge is automatic, those required checks are the only gate: make sure the checks you actually rely on (at minimum the image build) are marked required in branch protection, otherwise the PR merges as soon as any check passes.
When to use it
Reserve this for your highest-severity path: production-facing base images where a known-exploited critical CVE warrants paging and an expedited, automated merge.
How it works
1. A webhook fires from your CVE feed on a critical re-tag of a watched base image.
2. A logic step confirms severity is critical and the image is in scope; lower severities exit.
3. It opens a digest-bump rebuild PR on GitHub labeled emergency.
4. It raises a PagerDuty incident linking the PR and the CVE.
5. The flow waits for required checks, then auto-merges the PR on success.
6. It posts the merge outcome and rebuild status to Slack and resolves or escalates the PagerDuty incident accordingly.
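The logic step and the digest bump from steps 1 to 3, as an added example in Python; this is not the template's own code. It assumes a constructed feed payload with severity, image, cve and new_digest fields, an HMAC-SHA256 signature over the raw body in an assumed X-Signature-256 header, and a hypothetical watch-list of base images. The GitHub, PagerDuty and Slack calls belong to the platform connectors and are represented here by the plan the function returns.

```python
"""Logic gate and digest bump for a critical-CVE rebuild (added example).

Assumptions: feed payload {severity, image, cve, new_digest}; signature header
"sha256=<hex>" (HMAC-SHA256 over the raw body); hypothetical watch-list.
"""
import hashlib
import hmac
import json
import re

# Hypothetical watch-list of production base images (assumption, not from the page).
WATCHED_IMAGES = {"registry.example.com/base/python", "registry.example.com/base/debian"}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def sign(body: bytes, secret: bytes) -> str:
    """Produce the header value the feed is assumed to send: sha256=<hex>."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_sig: str, secret: bytes) -> bool:
    """Constant-time check of the feed's HMAC over the raw body.

    Without this, anyone who can reach the webhook URL can fabricate a
    'critical' event and push an attacker-chosen digest into the auto-merge path.
    """
    if not header_sig.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(body, secret), header_sig)


def in_scope(event: dict) -> bool:
    """The logic step: critical severity, watched image, well-formed new digest."""
    return (
        str(event.get("severity", "")).lower() == "critical"
        and event.get("image") in WATCHED_IMAGES
        and bool(DIGEST_RE.match(str(event.get("new_digest", ""))))
    )


def bump_digest(dockerfile: str, image: str, new_digest: str) -> str:
    """Re-pin every FROM line for `image` to `new_digest`.

    Matches: FROM [--platform=...] image[:tag]@sha256:<old> [AS name].
    Other images, and FROM lines pinned only by tag, are left untouched.
    """
    pattern = re.compile(
        r"^(FROM\s+(?:--platform=\S+\s+)?" + re.escape(image)
        + r"(?::[^\s@]+)?@)sha256:[0-9a-f]{64}(?=\s|$)",
        re.MULTILINE,
    )
    return pattern.sub(lambda m: m.group(1) + new_digest, dockerfile)


def plan_rebuild(body: bytes, header_sig: str, secret: bytes, dockerfile: str) -> dict:
    """Trigger -> logic -> PR/PagerDuty payload, returned as a plan for the connectors."""
    if not verify_signature(body, header_sig, secret):
        return {"action": "reject", "reason": "bad signature"}
    event = json.loads(body)
    if not in_scope(event):
        return {"action": "skip", "reason": "not critical or not a watched image"}
    new_df = bump_digest(dockerfile, event["image"], event["new_digest"])
    if new_df == dockerfile:
        # In scope but not digest-pinned here: an empty PR would still auto-merge.
        return {"action": "skip", "reason": "no digest-pinned FROM line for image"}
    title = f"[emergency] Bump {event['image']} for {event['cve']}"
    return {
        "action": "open_pr",
        "title": title,
        "labels": ["emergency"],
        "dockerfile": new_df,
        "pagerduty": {"severity": "critical", "summary": title, "cve": event["cve"]},
    }


# Constructed sample input; the CVE id and digests are placeholders, not real.
SECRET = b"webhook-shared-secret"
SAMPLE_EVENT = json.dumps({
    "severity": "critical",
    "image": "registry.example.com/base/python",
    "cve": "CVE-YYYY-NNNNN",
    "new_digest": "sha256:" + "b" * 64,
}).encode()
SAMPLE_DOCKERFILE = (
    "FROM registry.example.com/base/python:3.12-slim@sha256:" + "a" * 64 + " AS builder\n"
    "FROM registry.example.com/base/debian:bookworm\n"
    "COPY --from=builder /app /app\n"
)

if __name__ == "__main__":
    plan = plan_rebuild(SAMPLE_EVENT, sign(SAMPLE_EVENT, SECRET), SECRET, SAMPLE_DOCKERFILE)
    print(json.dumps(plan, indent=2))
```

Two decisions in this block are deliberate. The signature check sits before the severity check because this flow ends in an auto-merge, so a forged event is a supply-chain injection, not just noise. And a watched image that is only tag-pinned is skipped rather than "fixed", since there is no digest to bump; pin it by digest first so the rebuild is reproducible and the bump is a one-line, reviewable diff.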
Set it up
What you configure once, before turning it on.
1. Connect HTTP webhook: trigger any URL on agent actions.
2. Connect GitHub: repos, issues, pull requests, actions.
3. Connect PagerDuty: incidents, on-call, escalations.
4. Connect Slack: channels, DMs, threads, mentions.
5. Set each agent's model: models are left unset so you pick the tier, fast and cheap or top quality.
6. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.