ENGINEERING
Route security-labeled GitLab MRs to the right reviewer group
When a merge request gets a security label in GitLab, this workflow assigns the correct specialist reviewer group and posts the MR to that team's Slack channel.
How it runs
The automated pipeline, trigger to output.
- Trigger: GitLab MR webhook fires on open or label change (GitLab)
- Logic: Filter to keep only MRs with a security domain label
- Logic: Map label to the owning reviewer group
- Action: Assign reviewer group + comment on the MR (GitLab)
- Output: Post the MR to the team's Slack channel (Slack)
What it does
Watches GitLab for merge requests that carry a security-related label (`security`, `appsec`, `crypto`, `auth`) and routes each one to the reviewer group that owns that domain. It assigns the group as MR reviewers, drops a comment on the MR naming the owning team, and pings that team's Slack channel so the review never sits unclaimed.
When to use it
Use it when security-sensitive merge requests slip through normal round-robin review and land with engineers who lack the context to vet them. Ideal for teams that maintain separate AppSec, cryptography, and identity review groups and need labels to drive ownership.
How it works
1. A GitLab merge request webhook fires on open or label change.
2. A filter checks whether any label maps to a known security domain; non-security MRs exit early.
3. A routing branch maps the matched label to the correct reviewer group ID.
4. The flow assigns that group as MR reviewers via the GitLab API and posts an MR comment naming the owning team.
5. A Slack message lands in the team's channel with the MR title, author, and direct link.
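The filter and routing steps above, sketched as an added Python example (not this workflow's own code). The group names, channel names, and the tie-break order for MRs carrying several security labels are assumptions; the payload fields follow GitLab's merge request webhook format, and `token_ok` checks the secret token GitLab sends in the `X-Gitlab-Token` header.

```python
import hmac

# Assumed label -> (reviewer group, Slack channel) map; names are placeholders.
# Order is the tie-break when an MR carries several security labels.
ROUTES = {
    "crypto":   ("crypto-reviewers",   "#crypto-review"),
    "auth":     ("identity-reviewers", "#identity-review"),
    "appsec":   ("appsec-reviewers",   "#appsec-review"),
    "security": ("appsec-reviewers",   "#appsec-review"),
}

def token_ok(header_value, expected):
    """Constant-time check of GitLab's X-Gitlab-Token webhook header."""
    return hmac.compare_digest((header_value or "").encode(), expected.encode())

def route(event):
    """Return a routing decision for an MR webhook event, or None to exit early."""
    if event.get("object_kind") != "merge_request":
        return None
    attrs = event.get("object_attributes", {})
    action = attrs.get("action")
    labels_changed = "labels" in event.get("changes", {})
    # Step 1: act only on open, or on an update that changed labels.
    if not (action == "open" or (action == "update" and labels_changed)):
        return None
    # Step 2: normalise label titles and keep only known security domains.
    titles = {l.get("title", "").strip().lower() for l in event.get("labels", [])}
    matched = [name for name in ROUTES if name in titles]
    if not matched:
        return None
    # Step 3: the first match in ROUTES order owns the review.
    group, channel = ROUTES[matched[0]]
    author = event.get("user", {}).get("username", "unknown")
    return {
        "group": group,
        "channel": channel,
        "comment": f"Security label `{matched[0]}`: review owned by {group}.",
        "slack": f"{attrs.get('title')} by {author}: {attrs.get('url')}",
    }

# Constructed sample event (not captured from a real project).
SAMPLE = {
    "object_kind": "merge_request",
    "user": {"username": "jdoe"},
    "object_attributes": {"action": "update", "title": "Rotate JWT signing key",
                          "url": "https://gitlab.example.com/g/p/-/merge_requests/7"},
    "labels": [{"title": "Auth"}, {"title": "backend"}],
    "changes": {"labels": {"previous": [], "current": [{"title": "Auth"}]}},
}
```

Any later label change on an MR that still carries a security label matches again, so the caller should deduplicate per MR before re-assigning or re-posting.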
Set it up
What you configure once, before turning it on.
1. Connect GitLab: Repos, MRs, pipelines, registry.
2. Connect Slack: Channels, DMs, threads, mentions.
3. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
4. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
5. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
