DEVOPS
Scan-Gated Base-Image Bump: Rebuild Only If the New Tag Is Actually Cleaner
Before opening a rebuild PR for a re-tagged base image, it scans both the old and new digests and only proposes the bump when the new image clears the CVEs that triggered the alert.
How it runs
The automated pipeline, trigger to output.
- Trigger: Registry webhook on new tag digest (HTTP webhook)
- Action: Scan old and new digest for CVEs (Shell)
- Logic: Diff CVEs; require net high/critical reduction
- Action: Open digest-bump PR with CVE diff (GitHub)
- Output: Report decision and CVE delta to Slack (Slack)
What it does
A re-tag does not always mean fewer vulnerabilities: a rebuilt upstream image can pick up new high or critical findings at the same time it drops old ones. This template reacts to a new base-image digest, runs a vulnerability scan against both the currently pinned digest and the new one, diffs the findings, and opens a rebuild PR only when the new image produces a net reduction in high or critical CVEs. Re-tags that add high or critical CVEs, or leave the count unchanged, are skipped and reported instead.
When to use it
Use it when you want CVE-driven bumps but refuse to churn PRs for re-tags that do not improve your security posture, or that regress it.
How it works
- 1. A registry webhook fires when a watched tag resolves to a new digest.
- 2. A scan action runs against the old pinned digest and the new digest via the shell scanner step. Both scans target the immutable digest, not the tag, so the findings refer to exactly the images being compared.
- 3. A logic step diffs the two CVE lists and computes the net change in high and critical findings: CVEs removed minus CVEs introduced.
- 4. If the diff shows a net reduction (and the CVEs that triggered the alert are no longer present), the flow opens a digest-bump PR on GitHub that pins the new digest, with the CVE delta in the PR body.
- 5. If the new image is equal or worse (no net reduction, or new high/critical findings offset the ones removed), no PR is opened and the case is logged.
- 6. The decision and CVE delta are sent to Slack either way.
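The diff-and-gate step (3 to 5 above), as an added example that is not the template's own code. It assumes the shell scanner step emits Trivy-style JSON (a `Results` list whose entries carry a `Vulnerabilities` list with `VulnerabilityID`, `Severity` and `PkgName`); if your scanner uses a different format, only `findings()` changes. The two reports and every CVE identifier below are constructed for the example, not real scan output. Findings are keyed on (CVE, package) rather than CVE alone because the same CVE can sit in two packages and be fixed in only one. The optional `must_fix` set carries the CVE IDs that triggered the alert, so a re-tag that shuffles findings without fixing the ones you were alerted on is rejected even if the net count happens to drop.

```python
"""Diff two Trivy-style scan reports and decide whether a digest bump deserves a PR."""
from __future__ import annotations

from dataclasses import dataclass

# Severities that count toward the gate; MEDIUM and below are reported but never gate.
GATED = frozenset({"HIGH", "CRITICAL"})


def findings(report: dict, severities: frozenset = GATED) -> set[tuple[str, str]]:
    """Return the set of (CVE id, package) pairs at the gated severities."""
    out: set[tuple[str, str]] = set()
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # Trivy emits null when clean
            if vuln.get("Severity", "").upper() in severities:
                out.add((vuln["VulnerabilityID"], vuln.get("PkgName", "?")))
    return out


@dataclass
class Decision:
    open_pr: bool
    reason: str
    removed: set[tuple[str, str]]  # present in old digest, gone in new
    added: set[tuple[str, str]]    # absent in old digest, present in new

    @property
    def net(self) -> int:
        return len(self.removed) - len(self.added)


def gate(old_report: dict, new_report: dict, must_fix: frozenset = frozenset()) -> Decision:
    """Step 3 to 5: diff, compute net high/critical change, decide."""
    old, new = findings(old_report), findings(new_report)
    removed, added = old - new, new - old
    # The alert named specific CVEs; a bump that leaves any of them in place is not a fix.
    still_open = {cve for cve, _ in new} & set(must_fix)
    if still_open:
        return Decision(False, f"triggering CVEs still present: {sorted(still_open)}", removed, added)
    net = len(removed) - len(added)
    if net <= 0:
        return Decision(False, f"no net high/critical reduction (removed {len(removed)}, added {len(added)})",
                        removed, added)
    return Decision(True, f"net reduction of {net} high/critical findings", removed, added)


def pr_body(decision: Decision) -> str:
    """Markdown CVE delta for the PR description (or the Slack report when no PR is opened)."""
    lines = [f"**Decision:** {'open PR' if decision.open_pr else 'skip'}; {decision.reason}", ""]
    lines.append("**Cleared:**")
    lines += [f"- {cve} ({pkg})" for cve, pkg in sorted(decision.removed)] or ["- none"]
    lines.append("**Introduced:**")
    lines += [f"- {cve} ({pkg})" for cve, pkg in sorted(decision.added)] or ["- none"]
    return "\n".join(lines)


def _report(*vulns: tuple[str, str, str]) -> dict:
    """Build a minimal Trivy-shaped report from (cve, severity, package) tuples. Constructed sample data."""
    return {"Results": [{"Target": "example:digest",
                         "Vulnerabilities": [{"VulnerabilityID": c, "Severity": s, "PkgName": p}
                                             for c, s, p in vulns]}]}


# Constructed sample reports; the CVE identifiers are placeholders, not real advisories.
OLD = _report(("CVE-2099-0001", "CRITICAL", "openssl"),
              ("CVE-2099-0002", "HIGH", "curl"),
              ("CVE-2099-0003", "MEDIUM", "zlib"))
# Re-tag that fixes openssl but introduces a new HIGH in libxml2: net change is zero.
NEW_REGRESSED = _report(("CVE-2099-0002", "HIGH", "curl"),
                        ("CVE-2099-0004", "HIGH", "libxml2"))
# Re-tag that clears both gated findings and adds nothing.
NEW_CLEAN = _report(("CVE-2099-0003", "MEDIUM", "zlib"))

if __name__ == "__main__":
    print(pr_body(gate(OLD, NEW_REGRESSED, must_fix=frozenset({"CVE-2099-0002"}))))
    print()
    print(pr_body(gate(OLD, NEW_CLEAN)))
```

In the pipeline the two report dicts come from the scanner step's stdout for each digest; the decision's `open_pr` drives the GitHub action, and `pr_body()` output goes into the PR description and the Slack message so the delta is visible either way.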
Set it up
What you configure once, before turning it on.
- 1. Connect HTTP webhook: Trigger any URL on agent actions.
- 2. Connect Shell: Run sandboxed commands inside the workspace.
- 3. Connect GitHub: Repos, issues, pull requests, actions.
- 4. Connect Slack: Channels, DMs, threads, mentions.
- 5. Set each agent's model: We leave models unset so you pick the tier, fast and cheap or top quality.
- 6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
- 7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
More DevOps workflows
Hugging Face Spaces idle-runtime sweep with auto-pause
On a schedule, scans all Hugging Face Spaces for ones running idle past a threshold, pauses them to stop billing, and posts a Slack summary with the estimated monthly savings.
Slack-approved pause for idle Hugging Face Spaces
On a daily scan it finds idle paid Spaces and posts an interactive Slack approval; on approve it pauses the Space and logs the decision to a GitHub issue audit trail.
Generate a weekly de-flake report and assign Linear cleanup tickets
On a weekly schedule, aggregates the current quarantine manifest and recent flake history, builds a prioritized report.
Block costly Hugging Face Space hardware upgrades in PR review
When a pull request changes a Space's hardware config, it estimates the new monthly cost and posts a GitHub PR comment that flags upgrades crossing a budget ceiling.
Auto-release tests from quarantine once they prove stable
Triggered by a webhook from a nightly stability runner, checks whether quarantined tests have passed enough consecutive runs, removes the stable ones from quarantine in GitHub.
Quarantine a test on demand from a PR comment command
Triggered when an engineer comments a quarantine command on a pull request, validates the test name, commits the quarantine change to that PR branch, opens a tracking issue.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.