HR & RECRUITING
Source Control Access Purge on Engineer Departure
When an engineer is marked as offboarding in monday, this workflow removes their GitHub and GitLab access, revokes personal access tokens.
How it runs
The automated pipeline, trigger to output.
- TriggerMonday flags engineer offboardingmonday.com
- ActionRemove GitHub access and revoke tokensGitHub
- ActionRemove GitLab access and revoke tokensGitLab
- LogicFlag failed removals or live tokens
- ActionRecord removed grants to audit log
- OutputDeliver purge report to security SlackSlack
What it does
Locks a departing engineer out of all source control. Triggered by an offboarding flag in monday, it removes the user from GitHub organizations and teams, removes them from GitLab groups and projects, revokes any active personal access tokens, and records each removed grant. The output is a security-ready report of exactly which repositories and tokens were touched.
When to use it
Use it for any technical departure where lingering repo access or live tokens are an unacceptable risk. Best for engineering orgs that span both GitHub and GitLab and need a single, auditable purge instead of two manual cleanups.
How it works
- 1A monday status change to "Offboarding" for an engineering role triggers the workflow.
- 2It removes the user from all GitHub orgs, teams, and repository collaborations, and revokes their tokens.
- 3It removes the user from all GitLab groups and projects and revokes GitLab tokens.
- 4A logic step flags any removal that failed or any token that could not be revoked.
- 5Each removed grant is recorded to the security audit log.
- 6A consolidated purge report is delivered to the security review channel in Slack.
Set it up
What you configure once, before turning it on.
- 1Connect monday.comVisual work management for teams.
- 2Connect GitHubRepos, issues, pull requests, actions.
- 3Connect GitLabRepos, MRs, pipelines, registry.
- 4Connect SlackChannels, DMs, threads, mentions.
- 5Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 6Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 7Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More HR & Recruiting workflows
Assemble and send the debrief packet after the final interview
Triggered when a candidate's final interview ends on the calendar, it waits a short window for scorecards, compiles the aggregated packet to Google Drive.
New-Hire Credential Intake to Renewal Calendar Holds
When a new credential is added to the tracker, it validates the record, files the document.
Credential Renewal Evidence Verification Agent
When an employee replies with a renewed credential document, an agent reads the attachment, extracts the new expiry date and credential number.
Escalate Compliance-Blocking Credential Lapses to Managers
Each day it finds credentials that have already expired or expire within 48 hours and are flagged compliance-blocking.
Day-one readiness orchestrator across all onboarding owners
An agent-driven coordinator that, when a hire is launched, plans the full provisioning program across IT, Facilities, and Finance, opens the work in your tracker.
Loom intake to req-tracker row in Airtable
Transcribes a hiring manager's Loom intake, scores the brief for completeness, and either logs a ready req in Airtable or routes incomplete intakes to a follow-up Slack ping.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.