ENGINEERING

Escalate stale security MRs to PagerDuty on a daily sweep

Each morning this scans open GitLab merge requests that carry a security label and have sat without review past their SLA.

CategoryEngineering

Enginesim

Difficultyintermediate

Triggerschedule

Steps6

Setup~15 min

How it runs

The automated pipeline, trigger to output.

TriggerDaily schedule kicks off the backlog sweep
ActionList open security-labeled MRs from GitLabGitLab
LogicFilter to MRs past the review SLA
LogicBranch: SLA-breached MRs needing escalation
ActionOpen a PagerDuty incident for on-callPagerDuty
OutputPost the aging backlog digest to SlackSlack

What it does

Runs a scheduled sweep over all open merge requests bearing a security label and measures how long each has waited without an approving review. MRs past their review SLA get escalated: the oldest or highest-severity ones trigger a PagerDuty incident for the on-call security reviewer, and the full aging backlog is summarized in a Slack digest.

When to use it

Use it when security review has a defined SLA but reviews still age out silently. A daily escalation keeps the backlog visible and forces the worst-aged MRs onto someone's plate instead of letting them rot.

How it works

1A daily schedule triggers the sweep.
2The flow lists open security-labeled MRs from GitLab and computes each one's age since opening.
3A filter keeps only MRs past the review SLA threshold.
4A branch separates SLA-breached MRs that need a PagerDuty page from the rest.
5Breached MRs trigger a PagerDuty incident for the on-call reviewer.
6A Slack digest posts the full aging backlog sorted oldest-first.

Set it up

What you configure once, before turning it on.

1
Connect GitLabRepos, MRs, pipelines, registry.
2
Connect PagerDutyIncidents, on-call, escalations.
3
Connect SlackChannels, DMs, threads, mentions.
4
Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
5
Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
6
Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.

More Engineering workflows

Gate breaking API PRs behind downstream consumer acknowledgement

When a PR introduces a breaking contract change, comments the impact summary back on the PR, applies a blocking label.

Publish a versioned API changelog to Confluence on each release tag

On a new semver release tag, gathers the contract changes since the last release and writes a clean.

Agent reviews model-license fit and suggests compliant swaps on the PR

When a PR adds a Hugging Face model, an agent reads the model card and license, judges fit against your commercial-use policy.

Upgrade Impact Router to Module Code Owners

Maps a dependency-bump PR's affected modules to their CODEOWNERS, then DMs each owner on Slack with only the changelog slice that touches code they own.

Re-Voice IVR Prompts on Phone-Tree Config Merge

When a phone-tree config change merges in GitHub, regenerates the ElevenLabs audio for any prompt whose script changed in the diff and opens a follow-up PR adding the new audio…

Upstream Release to Notion Upgrade Brief

When a watched package publishes a new release, fetches the release notes, maps them to the internal modules that depend on it.

Browse all Engineering →

Run it inside a business

This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

Finance

Research & Trading Desk

Governance-first research, execution, and risk — every trade on the audit trail.

Operations

Internal Operations

Runbooks, on-call, vendor management — disciplined and audited.

Software

Agent Hive runs Agent Hive

The team that built Agent Hive, exactly as it runs today.

Browse all business templates →Solutions by industry →

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.

Join the Waitlist Browse all workflows →