ENGINEERING
Log every security MR approval to a tamper-evident audit table
Whenever a security-labeled merge request is approved or merged in GitLab, this workflow records who approved it and the diff scope.
How it runs
The automated pipeline, trigger to output.
- Trigger (GitLab): webhook fires when a security MR is approved or merged
- Action (GitLab): read approvers, group, and diff scope from GitLab
- Logic: verify the approver was in the authorized group
- Action (Postgres): append the approval record to the Postgres audit table
- Output (Slack): post a logged-entry confirmation to Slack
What it does
Captures the approval trail for security-labeled merge requests. On each approval or merge event it records the MR ID, approvers, the reviewer group that owned it, the changed-file scope, and timestamps into a Postgres audit table built for compliance evidence. It then posts a confirmation to Slack so reviewers see the entry was logged.
When to use it
Use it when an auditor or SOC 2 / ISO control requires provable evidence that security-sensitive changes were reviewed by an authorized group. It turns scattered GitLab approval events into a queryable, append-only record.
How it works
1. A GitLab webhook fires on MR approval or merge for security-labeled MRs.
2. The flow reads the approver list, reviewer group, and changed-file scope from the GitLab API.
3. A check confirms the approver belonged to the authorized reviewer group; mismatches are flagged.
4. The event is written as an append-only row to the Postgres audit table.
5. A Slack confirmation posts the logged entry, marking any unauthorized-approver flag.
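The five steps above, worked through as an added example in Python (this is not the workflow's own code). It takes a constructed GitLab merge-request webhook payload and an approver list (the page says approvers come from the GitLab API, so they are passed in here), checks the approvers against an assumed authorized group, builds the audit row, and chains each row to the previous one with a SHA-256 hash so that an edited, removed or reordered row is detectable. The label name, group name, membership, table DDL and the exact payload field names are all assumptions.

```python
"""Added example: authorized-approver check plus hash-chained, append-only audit rows.
Not the workflow's own code; label, group, membership and field names are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

# Assumption: the Postgres table is insert-only. The trigger rejects UPDATE/DELETE so the
# hash chain stored in prev_hash/row_hash can only be extended, never rewritten in place.
AUDIT_TABLE_DDL = """
CREATE TABLE IF NOT EXISTS security_mr_audit (
    id           BIGSERIAL PRIMARY KEY,
    mr_iid       INTEGER     NOT NULL,
    event        TEXT        NOT NULL,
    approvers    TEXT[]      NOT NULL,
    owner_group  TEXT        NOT NULL,
    files        TEXT[]      NOT NULL,
    authorized   BOOLEAN     NOT NULL,
    unauthorized TEXT[]      NOT NULL,
    logged_at    TIMESTAMPTZ NOT NULL,
    prev_hash    TEXT        NOT NULL,
    row_hash     TEXT        NOT NULL
);
CREATE OR REPLACE FUNCTION reject_mutation() RETURNS trigger AS $$
BEGIN RAISE EXCEPTION 'security_mr_audit is append-only'; END;
$$ LANGUAGE plpgsql;
CREATE TRIGGER audit_append_only BEFORE UPDATE OR DELETE ON security_mr_audit
    FOR EACH ROW EXECUTE FUNCTION reject_mutation();
"""

SECURITY_LABEL = "security"              # assumption: label that marks a security MR
AUTHORIZED_GROUP = "security-reviewers"  # assumption: the group allowed to approve
AUTHORIZED_MEMBERS = {"alice", "bob"}    # constructed membership of that group
GENESIS_HASH = "0" * 64                  # prev_hash of the very first row


def is_security_event(payload: dict) -> bool:
    """Step 1: only merge_request events carrying the security label and an approve/merge action."""
    if payload.get("object_kind") != "merge_request":
        return False
    labels = {lbl.get("title") for lbl in payload.get("labels", [])}
    action = payload.get("object_attributes", {}).get("action")
    return SECURITY_LABEL in labels and action in {"approved", "merge"}


def _row_hash(record: dict) -> str:
    """Hash every field except row_hash itself, with a canonical key order."""
    body = {k: v for k, v in record.items() if k != "row_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_record(payload, approvers, owner_group, changed_files, prev_hash, logged_at=None):
    """Steps 2-4: build one audit row. Unauthorized approvers are kept and flagged, never dropped."""
    unauthorized = sorted(a for a in approvers if a not in AUTHORIZED_MEMBERS)
    record = {
        "mr_iid": payload["object_attributes"]["iid"],
        "event": payload["object_attributes"]["action"],
        "approvers": sorted(approvers),
        "owner_group": owner_group,
        "files": sorted(changed_files),
        "authorized": owner_group == AUTHORIZED_GROUP and not unauthorized,
        "unauthorized": unauthorized,
        "logged_at": (logged_at or datetime.now(timezone.utc)).isoformat(),
        "prev_hash": prev_hash,
    }
    record["row_hash"] = _row_hash(record)
    return record


def verify_chain(records) -> bool:
    """Recompute every hash and link; an edited, removed or reordered row breaks the chain."""
    prev = GENESIS_HASH
    for rec in records:
        if rec["prev_hash"] != prev or _row_hash(rec) != rec["row_hash"]:
            return False
        prev = rec["row_hash"]
    return True


def slack_message(record: dict) -> str:
    """Step 5: confirmation text, with the unauthorized-approver flag when the check failed."""
    flag = "" if record["authorized"] else " [FLAG: unauthorized approver(s): " + ", ".join(record["unauthorized"]) + "]"
    return (f"Logged {record['event']} of !{record['mr_iid']} by {', '.join(record['approvers'])} "
            f"({len(record['files'])} files){flag}")


# Constructed sample payload; the field shape of a GitLab merge_request webhook is an assumption here.
SAMPLE_PAYLOAD = {
    "object_kind": "merge_request",
    "labels": [{"title": "security"}],
    "object_attributes": {"iid": 42, "action": "approved"},
}

if __name__ == "__main__":
    if is_security_event(SAMPLE_PAYLOAD):
        first = build_record(SAMPLE_PAYLOAD, ["alice"], AUTHORIZED_GROUP, ["src/auth.py"], GENESIS_HASH)
        second = build_record(SAMPLE_PAYLOAD, ["alice", "dave"], AUTHORIZED_GROUP, ["src/auth.py"], first["row_hash"])
        print(slack_message(first))
        print(slack_message(second))
        print("chain intact:", verify_chain([first, second]))
```

The check in step 3 is deliberately non-blocking: an approval by someone outside the group is still written, but with `authorized = false` and the names in `unauthorized`, because the audit table is the evidence that the mismatch happened. The Postgres trigger makes rows immutable at the database layer; the hash chain lets an auditor prove from the rows alone that nothing was altered or deleted underneath that trigger.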
Set it up
What you configure once, before turning it on.
1. Connect GitLab: repos, MRs, pipelines, registry.
2. Connect Postgres: any Postgres URL; query, write, migrate.
3. Connect Slack: channels, DMs, threads, mentions.
4. Set each agent's model: we leave models unset so you pick the tier, fast and cheap or top-quality.
5. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
6. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More Engineering workflows
Gate breaking API PRs behind downstream consumer acknowledgement
When a PR introduces a breaking contract change, comments the impact summary back on the PR, applies a blocking label.
Publish a versioned API changelog to Confluence on each release tag
On a new semver release tag, gathers the contract changes since the last release and writes a clean.
Agent reviews model-license fit and suggests compliant swaps on the PR
When a PR adds a Hugging Face model, an agent reads the model card and license, judges fit against your commercial-use policy.
Upgrade Impact Router to Module Code Owners
Maps a dependency-bump PR's affected modules to their CODEOWNERS, then DMs each owner on Slack with only the changelog slice that touches code they own.
Re-Voice IVR Prompts on Phone-Tree Config Merge
When a phone-tree config change merges in GitHub, regenerates the ElevenLabs audio for any prompt whose script changed in the diff and opens a follow-up PR adding the new audio…
Upstream Release to Notion Upgrade Brief
When a watched package publishes a new release, fetches the release notes, maps them to the internal modules that depend on it.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.
