Minimal workflow step
Create a sender DSN in Nerve, store it as NERVE_DSN, then notify from a workflow step.
    - name: Notify Nerve
      if: always()
      env:
        NERVE_DSN: ${{ secrets.NERVE_DSN }}
      run: |
        go install github.com/nerve-ink/nerve-cli/cmd/nerve@latest
        echo "backend deploy ${{ job.status }}" | nerve send --severity standard
Why this is safer than a generic webhook
The sender secret is scoped to one pipe and one capability: send encrypted signals. It cannot read old messages, decrypt history, connect as an agent, or execute commands.
Good messages
backend deploy success
sha: $GITHUB_SHA
run: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
Failure-only workflow
Most teams should start with failure-only alerts. Successful builds are useful in logs, but they quickly make phone notifications noisy.
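    - name: Notify Nerve on failure
      if: failure()
      env:
        NERVE_DSN: ${{ secrets.NERVE_DSN }}
      run: |
        go install github.com/nerve-ink/nerve-cli/cmd/nerve@latest
        # Read repository, branch and run details from the runner's default
        # environment variables instead of inline github.* expressions: a branch
        # name is attacker-influenced text and must not be pasted into the script.
        echo "FAILED: $GITHUB_REPOSITORY / $GITHUB_REF_NAME
        run: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \
          | nerve send --severity critical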
Where to store the DSN
Use repository or organization secrets. If a workflow can run from forks, keep the Nerve step out of untrusted pull request contexts and only notify from trusted branches or protected environments.
Debug checklist
- Confirm NERVE_DSN is available to the job environment.
- Check that the bin directory under go env GOPATH is on PATH after install.
- Send a tiny test message before piping long logs.
- Never print the DSN in workflow logs.
Reusable workflow pattern
If every repository repeats the same notification step, move it into a reusable workflow or composite action. That keeps the alert format consistent and makes sender rotation less painful.
A good shared format includes repository, branch, environment, run URL, and one short reason. Keep repo-specific troubleshooting in the linked run logs or runbook.
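A reusable workflow that combines the shared format above with the trusted-context rule from "Where to store the DSN". This is an added example, not Nerve's own code: the file name, the input names, the ALERT_* variables and the org/shared-workflows repository are assumptions.

```yaml
# .github/workflows/nerve-notify.yml (hypothetical file name)
name: nerve-notify
on:
  workflow_call:
    inputs:
      environment:
        description: Deployment environment named in the alert
        type: string
        required: true
      reason:
        description: One short reason, for example "deploy failed"
        type: string
        required: true
    secrets:
      NERVE_DSN:
        required: true

permissions: {}  # the job only sends a signal and needs no GITHUB_TOKEN scopes

jobs:
  notify:
    runs-on: ubuntu-latest
    # Trusted contexts only: skip pull request events, which may come from forks.
    if: github.event_name != 'pull_request' && github.event_name != 'pull_request_target'
    steps:
      - name: Notify Nerve
        env:
          NERVE_DSN: ${{ secrets.NERVE_DSN }}
          # Inputs reach the shell as environment variables, never as inline text.
          ALERT_ENV: ${{ inputs.environment }}
          ALERT_REASON: ${{ inputs.reason }}
        run: |
          go install github.com/nerve-ink/nerve-cli/cmd/nerve@latest
          export PATH="$(go env GOPATH)/bin:$PATH"
          printf '%s\nrepo: %s\nbranch: %s\nenv: %s\nrun: %s\n' \
            "$ALERT_REASON" "$GITHUB_REPOSITORY" "$GITHUB_REF_NAME" "$ALERT_ENV" \
            "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \
            | nerve send --severity critical

# Caller job in each repository (org/shared-workflows is a placeholder):
#   notify:
#     needs: deploy
#     if: failure()
#     uses: org/shared-workflows/.github/workflows/nerve-notify.yml@<commit-sha>
#     with: { environment: production, reason: "deploy failed" }
#     secrets:
#       NERVE_DSN: ${{ secrets.NERVE_DSN }}
```

Rotating the sender then means updating one secret and one workflow file; callers pass the DSN explicitly, so a repository without the secret cannot send.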