ML Serving Image Watcher: Rebuild When the HuggingFace Base or Model Card Changes
Watches both the upstream serving base image and the HuggingFace model your inference container ships.
How it runs
The automated pipeline, trigger to output.
- Trigger: Twice-daily schedule
- Action: Read base digest and model revision pins (GitHub)
- Action: Fetch latest model revision (Hugging Face)
- Logic: Decide which pins are stale
- Action: Open rebuild PR for stale pins (GitHub)
- Output: Notify ML platform channel (Slack)
What it does
Inference containers pin two things that drift independently: the base serving image (with its CVEs) and the HuggingFace model revision baked in. This template watches both. When the base image is re-tagged for a security fix, or the model repo publishes a new revision, it opens a rebuild PR that updates the relevant pin so the served image stays patched and current.
When to use it
Use it for teams that bake a specific model revision into a GPU serving image and need to track security patches and model updates with the same PR-based workflow.
How it works
1. A schedule fires twice daily.
2. The flow reads the serving Dockerfile from GitHub to get the pinned base digest and the pinned model revision.
3. It resolves the upstream base digest and queries HuggingFace for the model's latest revision.
4. A logic step decides whether the base CVE re-tag, the model revision, or both changed.
5. It opens a rebuild PR updating whichever pins are stale, with the reason in the body.
6. It notifies the ML platform channel in Slack with what changed and why.
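The pin comparison in steps 2 to 4, as an added Python example (not the template's own code). It assumes the Dockerfile pins the model with `ARG MODEL_REVISION=<commit hash>`, uses a constructed sample Dockerfile and image name, and takes the upstream digest and revision as arguments instead of fetching them. It goes slightly beyond the steps above by also flagging a base image or model revision that is not pinned to an immutable value, since such a pin cannot be compared at all.

```python
import re

# Constructed sample Dockerfile; the ARG names and image name are assumptions.
SAMPLE_DOCKERFILE = """\
FROM registry.example.com/serving/base:1.4@sha256:{d}
ARG MODEL_ID=example-org/example-model
ARG MODEL_REVISION={r}
RUN echo "fetch $MODEL_ID at $MODEL_REVISION"
""".format(d="a" * 64, r="1" * 40)

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)", re.I | re.M)
ARG_RE = re.compile(r"^ARG\s+MODEL_REVISION=(\S+)", re.M)
DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")


def read_pins(dockerfile):
    """Return (base_digest, model_revision); None where the pin is mutable or missing."""
    froms = FROM_RE.findall(dockerfile)
    # The last FROM is the final stage, i.e. the image that is actually served.
    m = DIGEST_RE.search(froms[-1]) if froms else None
    rev = ARG_RE.search(dockerfile)
    rev = rev.group(1) if rev and COMMIT_RE.match(rev.group(1)) else None
    return (m.group(1) if m else None, rev)


def stale_pins(dockerfile, upstream_digest, upstream_revision):
    """Map each pin that needs a rebuild PR to the reason for the PR body."""
    digest, revision = read_pins(dockerfile)
    reasons = {}
    if digest is None:
        reasons["base"] = "base image is not pinned by sha256 digest"
    elif digest != upstream_digest:
        reasons["base"] = f"base tag now resolves to {upstream_digest}"
    if revision is None:
        reasons["model"] = "model revision is not a full commit hash"
    elif revision != upstream_revision:
        reasons["model"] = f"model repo head is now {upstream_revision}"
    return reasons
```

An empty result means both pins are current and no PR is needed.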
Set it up
What you configure once, before turning it on.
1. Connect GitHub. Repos, issues, pull requests, actions.
2. Connect Hugging Face. Models, datasets, spaces: the open-source hub.
3. Connect Slack. Channels, DMs, threads, mentions.
4. Set each agent's model. We leave models unset so you pick the tier: fast + cheap, or top-quality.
5. Tune it to your data. Edit the prompts, filters, and field mappings so it matches how your team works.
6. Test, then turn it on. Run once against a sample, confirm the output, then enable the trigger.
