
feat(actions): add notify-irm composite action #51

Merged
DevSecNinja merged 1 commit into main from feat/notify-irm-action
May 1, 2026
@DevSecNinja
Owner

Summary

Adds a reusable composite action notify-irm so any repo in the org can wire its CI workflows to the homelab Grafana IRM pager with a single uses: line.

The action POSTs a Grafana IRM Custom webhook payload:

  • state=alerting (severity=critical) when any prior job failed/was cancelled.
  • state=ok (severity=info) when all green — same alert_uid so the open incident auto-resolves.
  • Silently skipped when webhook-url is empty, so the action is safe on forks and during initial bring-up.

alert_uid is intentionally gha-<repo>-<workflow>-<branch> (no SHA) so successful re-runs and follow-up commits on the same branch resolve the incident from a previous failed commit.

The labels block on the payload carries service, service_name (Grafana IRM built-in for SLO/alert routing), source, repo, workflow, branch, sha, actor, severity — these surface as Assigned Labels on the IRM alert group when the integration's Multi-label Extraction Template is set to {{ payload.labels | tojson }}.

Usage (caller workflow)

notify-irm:
  name: Notify Grafana IRM
  needs: [job1, job2, ...]
  if: ${{ always() && github.ref == 'refs/heads/main' && github.event_name == 'push' }}
  runs-on: ubuntu-24.04
  permissions:
    contents: read
  steps:
    - uses: DevSecNinja/.github/.github/actions/notify-irm@<sha> # main
      with:
        webhook-url: ${{ secrets.GRAFANA_IRM_WEBHOOK_URL }}
        job-failed: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}

Inputs

| Input | Required | Default | Description |
|---|---|---|---|
| webhook-url | yes | | Grafana IRM Custom webhook URL. Empty disables the step. |
| job-failed | yes | | true when any prior job failed or was cancelled. |
| service | no | ci | Logical service tag used for both service and service_name labels. |
| resolve-on-success | no | true | Set to false for one-shot workflows (e.g. tag-push releases) where alert_uid is unique per run. |

Origin

Extracted from the inline notify-irm job validated in DevSecNinja/truenas-apps#300 / #304. The truenas-apps follow-up PR will switch all push:main workflows to consume this action.

Posts an alert state (alerting/ok) to a Grafana IRM Custom webhook.
Reusable across repos that want to page on main-branch CI failure and
auto-resolve on green. alert_uid is keyed on
<repo>-<workflow>-<branch> so successful re-runs and follow-up commits
on the same branch resolve the open incident.
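
The payload and skip logic described in this PR, sketched in Python as an added example; it is not the action's own code. The title wording, the `source` value, the sample repo/actor/URL, the `send` hook, and the choice to post nothing on a green run when `resolve_on_success` is false are assumptions.

```python
import json
import urllib.request

def alert_uid(repo, workflow, branch):
    # Deliberately no commit SHA: all runs of a workflow on a branch share one uid.
    return f"gha-{repo}-{workflow}-{branch}"

def build_payload(ctx, job_failed, service="ci", resolve_on_success=True):
    """Return the webhook body as a dict, or None when nothing should be sent."""
    if not job_failed and not resolve_on_success:
        return None  # assumption: with resolve-on-success=false a green run posts nothing
    state, severity = ("alerting", "critical") if job_failed else ("ok", "info")
    return {
        "alert_uid": alert_uid(ctx["repo"], ctx["workflow"], ctx["branch"]),
        "state": state,
        "title": f"CI {state}: {ctx['repo']} / {ctx['workflow']}",  # assumed wording
        "labels": {
            "service": service, "service_name": service,
            "source": "github-actions",  # assumed value
            "repo": ctx["repo"], "workflow": ctx["workflow"], "branch": ctx["branch"],
            "sha": ctx["sha"], "actor": ctx["actor"], "severity": severity,
        },
    }

def post_json(url, payload):
    # The webhook URL is the credential: never print or log it.
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def notify(webhook_url, ctx, job_failed, send=None, **opts):
    """Return the payload that was sent, or None when the step was skipped."""
    if not webhook_url:
        return None  # empty secret (fork, initial bring-up): skip silently
    payload = build_payload(ctx, job_failed, **opts)
    if payload is not None:
        (send or post_json)(webhook_url, payload)
    return payload

if __name__ == "__main__":
    sent = []  # constructed run contexts; a fake sender keeps the demo offline
    fake_send = lambda url, body: sent.append(body)
    base = {"repo": "example-repo", "workflow": "ci", "branch": "main", "actor": "octocat"}
    url = "https://irm.example.invalid/hook"
    notify(url, {**base, "sha": "aaaa111"}, True, send=fake_send)   # failed commit
    notify(url, {**base, "sha": "bbbb222"}, False, send=fake_send)  # green follow-up
    print([(p["alert_uid"], p["state"], p["labels"]["sha"]) for p in sent])
```

The two constructed runs differ in `sha` but share one `alert_uid`, which is what lets the green follow-up resolve the incident opened by the failed commit.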