SECOPS
Final copyleft sweep before a release tag ships
When a release tag is pushed, performs a full dependency-tree license sweep of the tagged commit and, if any copyleft package is present, files a blocking Linear issue and alerts…
How it runs
The automated pipeline, trigger to output.
- TriggerRelease tag pushedGitHub
- ActionResolve full license tree at the tagGitHub
- LogicScreen licenses against copyleft denylist
- OutputFile blocking Linear issue for release engLinear
What it does
This workflow is the last gate before code leaves the building. The moment a release tag is pushed in GitHub, it resolves the complete dependency tree of that exact tagged commit — direct and transitive — and checks every license against your copyleft denylist. A clean tree passes quietly. If any forbidden license is present, the workflow files a high-priority Linear issue describing every offending package, its license, and the manifest path, assigns it to the release engineering team, and links it to the release tag so the shipment is paused until the issue is resolved.
When to use it
Use it when your PR-time checks might miss something — a check that was skipped, a dependency resolved differently at release pinning, or a tag cut from a branch that bypassed review. It guarantees that no release artifact goes out carrying an unreviewed copyleft obligation, and it converts a finding into a tracked, owned work item rather than a fleeting CI failure.
How it works
- 1A GitHub release-tag push trigger fires.
- 2The workflow resolves the full license tree of the tagged commit from GitHub.
- 3A logic step screens all licenses against the copyleft denylist.
- 4If matches exist, it creates a blocking Linear issue assigned to release engineering with the full offender list and a link back to the tag.
Set it up
What you configure once, before turning it on.
- 1Connect GitHubRepos, issues, pull requests, actions.
- 2Connect LinearIssues, projects, cycles, triage.
- 3Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 4Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 5Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Page on-call when a WAF rule mass-blocks legitimate traffic
On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).
PII Content Scan on New Dropbox External Share
When a file gets an external Dropbox link, it reads the file content, uses an AI classifier to detect PII or secrets.
Compile a weekly WAF tuning review with trends to Confluence
Every week an agent rolls up Cloudflare WAF block clusters by rule and ASN, compares them to prior weeks for trend direction.
Sensitive Dropbox Link Owner Remediation Loop
When a newly created Dropbox shared link points to a sensitive file, this workflow DMs the file owner, gives them a deadline to justify or revoke it.
GitLab Push Secret Detection to Block and History Purge
On a GitLab push that contains a detected secret, it revokes the exposed credential, opens a tracking issue with git-history purge instructions.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.