Monthly permission audit and sync to GitHub

Once a month, Notis audits who has access in Google Drive and automatically updates GitHub branch permissions to match. Access stays secure without manual compliance work.

Trigger

Recurring schedule

Notis starts this workflow on a schedule, such as daily, weekly, or during business hours.

GitHub logo

Action

Add user access restrictions

Sets/replaces list of users allowed to push to a protected branch; usernames (e.g., `["user1"]`) must be a json array in request body (not schema parameters), an empty array `[]` removes all restrictions.

Why this helps

You forget to audit who can push to main. Months pass, old contractors still have access, new team members are blocked. Compliance nightmares and security risks pile up.

  • Monthly audits run automatically without manual work
  • GitHub branch access stays aligned with actual team
  • Catches stale access before it becomes a risk
  • Reduces compliance workload and security gaps

Setup

Build it in a few focused steps.

  • 1Connect Google Drive and GitHub to Notis.
  • 2Tell Notis: "On the first of each month, review who has access in Drive and update branch permissions in GitHub."
  • 3Point Notis to your team roster in Drive.
  • 4Wait for the first run, then review Notis's access report and GitHub changes.

Questions about this workflow

What if access is identical to last month?

Notis reports no changes and makes no modifications—efficiency is built in.

Can I audit more frequently?

Yes. Run weekly, bi-weekly, or any interval that matches your security needs.

Does Notis send a compliance report?

Yes. Notis can email you a summary of who has access and any changes made.

When this happens · Trigger

Do this · Action

Supported Triggers and Actions

Notis builds workflows that link Google Drive to GitHub. A trigger fires from one place; an action lands in another.

Google Drive logo

Google Drive triggers

GitHub logo

GitHub actions

Comment Added (Docs/Sheets/Slides)

Triggers when a new comment is added to Google Docs, Sheets, or Slides.

TriggerPolling

Accept a repository invitation

Accepts a pending repository invitation that has been issued to the authenticated user.

ActionInstant

File Created

Triggers when a new file is created in Google Drive.

TriggerPolling

List repositories starred by the authenticated user

Deprecated: lists repositories starred by the authenticated user, including star creation timestamps; use 'list repositories starred by the authenticated user' instead.

ActionInstant

File Deleted or Trashed

Triggers when a file is moved to trash or permanently deleted in Drive.

TriggerPolling

List stargazers

Deprecated: lists users who have starred a repository; use `list stargazers` instead.

ActionInstant

File Shared (Permissions Added)

Triggers when new sharing permissions are granted to a file or folder. Uses Drive's `changes.list` endpoint with inline `permissions` in the `fields` mask so each change carries the file's current permission set provider-atomically. We diff that against `seen_permission_keys` to identify newly added grants. Drive page tokens are the primary cursor; if Drive rejects a stored token, the trigger raises `PollingTriggerError` without clearing state rather than silently re-baselining and dropping events. Limitation: truly ephemeral permissions (added and revoked between two polls without any other file modification in between) are not detected. Drive Activity API would catch those but requires an additional OAuth scope and a different payload contract.

TriggerPolling

Star a repository for the authenticated user

Deprecated: stars a repository for the authenticated user; use `star a repository for the authenticated user` instead.

ActionInstant

File Updated

Triggers when a file's metadata or content changes in Google Drive.

TriggerPolling

Add email for auth user

Adds one or more email addresses (which will be initially unverified) to the authenticated user's github account; use this to associate new emails, noting an email verified for another account will error, while an existing email for the current user is accepted.

ActionInstant

Google Drive Changes

Triggers when changes are detected in a Google Drive.

TriggerPolling

Add app access restrictions

Replaces github app access restrictions for an existing protected branch; requires a json array of app slugs in the request body, where apps must be installed and have 'contents' write permissions.

ActionInstant

New File Matching Query

Triggers when a new Google Drive file matches a provided query. This is the legacy query-centric trigger: it preserves Drive API query config such as ``corpora`` / ``driveId`` aliases and emits the historical ``file_matching_query`` event type. ``FileCreatedTrigger`` covers the broader "new file" case and emits ``file_created``.

TriggerPolling

Add a repository collaborator

Adds a github user as a repository collaborator, or updates their permission if already a collaborator; `permission` applies to organization-owned repositories (personal ones default to 'push' and ignore this field), and an invitation may be created or permissions updated directly.

ActionInstant

Add a repository to an app installation

Adds a repository to a github app installation, granting the app access; requires authenticated user to have admin rights for the repository and access to the installation.

ActionInstant

Connect any two apps with Notis in the middle.

Not just Google Drive and GitHub. Any combination from 985+ integrations.

When this happens · Trigger

Do this · Action

Save your first hour today.

7 days free trial with 20$ free usage included.
No card. Works with personal or business GitHub.