Emergency Access Automation: Critical Issues to GitHub Secrets
Create a critical Linear issue and assign it to the security team. Notis immediately grants them access to the necessary GitHub Actions secrets so they can push emergency fixes without asking for permission.
Trigger
Issue Created Trigger
Triggered when a new issue is created.
Action
Add selected repository to an organization secret
Adds a repository to an organization secret's access list when the secret's visibility is 'selected'; this operation is idempotent.
Why this helps
A security issue is discovered and assigned to an engineer who doesn't have access to GitHub Actions secrets. They have to wait for someone to manually grant access, delaying the fix by hours.
- Reduce mean-time-to-response for security and critical issues
- Eliminate the step where access has to be manually granted
- Trust that assigned team members always have the tools they need
- Maintain security while streamlining the response process
Setup
Build it in a few focused steps.
- 1Connect Linear and GitHub to Notis
- 2Identify which GitHub Actions secrets are needed for emergency responses (deploy keys, API tokens, etc.)
- 3Create an automation: 'When a new issue is created in Linear with the Security label, grant the assigned team member access to GitHub Actions secrets'
- 4Customize the secret list in your prompt: 'grant access to DEPLOY_KEY and DATABASE_SECRET'
- 5Set trigger to 'Linear issue created'
- 6Test by creating a test security Linear issue and verifying access is granted
Questions about this workflow
How do I know which secrets to include?
Work with your DevOps or infrastructure team to identify which secrets are needed for emergency response. Your automation can be specific: 'grant emergency secrets' or broad: 'grant all deploy and API secrets'.
Is this a security risk?
It's a calculated trade-off: faster response time for security issues vs. broader access. Rotate secrets regularly and audit access logs. You can limit this to specific people: 'only grant access if the issue is assigned to an on-call engineer'.
What if someone is assigned by mistake?
Access is granted immediately, but can be revoked manually. You can also add guardrails: 'only grant if the issue has the security label AND the assigned person is on the on-call rotation'.
Can I revoke access automatically when the issue is resolved?
Yes. Create a complementary automation: 'When a security issue is marked Done, revoke the temporary secret access'.
Does this work for non-critical issues?
It can, but it's designed for critical/security work. For routine access, use the team permissions automation instead.
When this happens · Trigger
Do this · Action
Supported Triggers and Actions
Notis builds workflows that link Linear to GitHub. A trigger fires from one place; an action lands in another.
Linear triggers
GitHub actions
Comment Received Trigger
Triggered when a comment is received.
Accept a repository invitation
Accepts a pending repository invitation that has been issued to the authenticated user.
Issue Created Trigger
Triggered when a new issue is created.
List repositories starred by the authenticated user
Deprecated: lists repositories starred by the authenticated user, including star creation timestamps; use 'list repositories starred by the authenticated user' instead.
Issue Updated Trigger
Triggered when an issue is updated. For example labels are changed, issue status is changed, etc.
List stargazers
Deprecated: lists users who have starred a repository; use `list stargazers` instead.
Private Team Comment Created
Fires when a new comment is posted on an issue in a private Linear team (polled with the connected user's token).
Star a repository for the authenticated user
Deprecated: stars a repository for the authenticated user; use `star a repository for the authenticated user` instead.
Private Team Issue Created
Fires when a new issue appears in a private Linear team (polled with the connected user's token).
Add email for auth user
Adds one or more email addresses (which will be initially unverified) to the authenticated user's github account; use this to associate new emails, noting an email verified for another account will error, while an existing email for the current user is accepted.
Private Team Issue Properties Updated
Fires when properties on an issue change in a private Linear team (polled with the connected user's token).
Add app access restrictions
Replaces github app access restrictions for an existing protected branch; requires a json array of app slugs in the request body, where apps must be installed and have 'contents' write permissions.
Project Created
Fires when a new Linear project is created. Covers projects in both public and private teams — polls with the connected user's token, so visibility matches what the connected user can see in Linear.
Add a repository collaborator
Adds a github user as a repository collaborator, or updates their permission if already a collaborator; `permission` applies to organization-owned repositories (personal ones default to 'push' and ignore this field), and an invitation may be created or permissions updated directly.
Project Properties Updated
Fires when properties on a Linear project change (status, lead, target date, priority, etc.). Covers projects in both public and private teams — polls with the connected user's token.
Add a repository to an app installation
Adds a repository to a github app installation, granting the app access; requires authenticated user to have admin rights for the repository and access to the installation.
Connect any two apps with Notis in the middle.
Not just Linear and GitHub. Any combination from 985+ integrations.
When this happens · Trigger
Do this · Action
Save your first hour today.
7 days free trial with 20$ free usage included.
No card. Works with personal or business GitHub.
