Why separation matters
CI systems are high-value targets. A workflow secret that can deploy, roll back, restart services, and read logs is production access, held by whoever can run or influence the workflow. Nerve keeps the CI path narrow: the workflow gets a sender DSN that can only send an encrypted signal. It cannot read other signals, and it cannot run anything on the host.
Failure signal from workflow
- name: Notify Nerve on failure
  # Only on protected-branch failures; see "Pull request boundary" below.
  if: failure() && github.ref == 'refs/heads/main'
  env:
    NERVE_DSN: ${{ secrets.NERVE_DSN }}
  run: |
    # Pin a released version instead of @latest in production so the sender
    # you run is the one you reviewed.
    go install github.com/nerve-ink/nerve-cli/cmd/nerve@latest
    # github.repository and github.run_id are set by GitHub, not by the
    # committer, so interpolating them here is safe; never interpolate
    # PR titles, branch names or commit messages into a run step this way.
    echo "CI failed repo=${{ github.repository }} run=${{ github.run_id }}" \
      | nerve send --severity critical
Approved action on the host
The remediation action belongs on the host or deployment controller, not inside the untrusted workflow context. The workflow names a signal; the host decides what, if anything, runs in response. A Nerve agent can expose a reviewed wrapper such as restart-api, collect-diagnostics, or rollback-last-release, and nothing outside that list.
Pull request boundary
Do not expose remediation signals from workflows that run code from forks (pull_request-triggered jobs). Restrict action-oriented notifications to protected branches, protected environments, or manually approved deployment jobs, and check the trigger as well as the branch, since a fork can name its branch main.
What CI should include
The workflow notification should include repository, branch, run ID, commit SHA, environment, and a link back to the failed job. It should not include cloud credentials, database URLs, or raw log excerpts, which routinely leak secrets.
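The two rules above (send only from protected-branch pushes, send only the listed fields) can be enforced in the step itself rather than trusted to whoever edits the workflow. The shell below is an added example, not Nerve's own code: it refuses to run for pull_request events or unprotected refs, builds the message from exactly the fields listed, and refuses to send a message that matches common secret shapes. The `release/*` branch pattern, the `DEPLOY_ENV` variable and the secret patterns are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from Nerve. A workflow step calls send_ci_failure
# instead of piping a hand-built string into `nerve send`.
# Assumptions: releases ship from main or release/* branches, the deployment
# environment is in DEPLOY_ENV, and the secret patterns below are illustrative.

# Only pushes and manual dispatches on protected branches may emit a signal
# that someone or something acts on. PR events are rejected outright because
# fork code may have run in the job.
ci_notification_allowed() {
  event="$1"; ref="$2"
  case "$event" in
    push|workflow_dispatch) ;;
    *) return 1 ;;
  esac
  case "$ref" in
    refs/heads/main|refs/heads/release/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compose the message from exactly the fields the page lists: repository,
# branch, run ID, commit SHA, environment and a link back to the failed run.
build_ci_notification() {
  repo="$1"; branch="$2"; run_id="$3"; sha="$4"; env_name="$5"; server="$6"
  printf 'CI failed repo=%s branch=%s run=%s sha=%s env=%s url=%s/%s/actions/runs/%s' \
    "$repo" "$branch" "$run_id" "$sha" "$env_name" "$server" "$repo" "$run_id"
}

# Last check before the bytes leave the runner: refuse anything that looks
# like a GitHub token, AWS key, URL with embedded credentials, or private key.
notification_looks_clean() {
  ! printf '%s' "$1" | grep -Eq \
    'ghp_[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16}|://[^/ ]+:[^/ @]+@|BEGIN [A-Z ]*PRIVATE KEY'
}

# Glue for the workflow step; reads the variables GitHub Actions sets.
send_ci_failure() {
  if ! ci_notification_allowed "$GITHUB_EVENT_NAME" "$GITHUB_REF"; then
    echo "skip: not a protected-branch push or dispatch" >&2
    return 0
  fi
  msg=$(build_ci_notification "$GITHUB_REPOSITORY" "$GITHUB_REF_NAME" \
        "$GITHUB_RUN_ID" "$GITHUB_SHA" "${DEPLOY_ENV:-production}" "$GITHUB_SERVER_URL")
  if ! notification_looks_clean "$msg"; then
    echo "refusing to send: message matches a secret pattern" >&2
    return 2
  fi
  printf '%s\n' "$msg" | nerve send --severity critical
}
```

The `run:` block of the step becomes `. ./ci/notify.sh && send_ci_failure` (path assumed). The event check matters even with an `if: github.ref == ...` condition on the step: the ref check alone does not tell you whether the job checked out fork code.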
What stays outside CI
Rollback credentials, service restart permissions, and diagnostic access should live on the action host. This lets you keep GitHub Actions useful for detection without turning every workflow secret into production access.
Safe first actions
- collect logs from the failed service;
- show current release and health check status;
- restart a non-stateful service;
- roll back to the previous known-good release through a wrapper.
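What "a reviewed wrapper" on the action host looks like in practice, covering both the approved-action section above and this list: an added example, not Nerve's own code. The dispatcher accepts an action name, compares it whole against a four-entry allowlist, and maps each name to a fixed command, so the signal from CI never carries a command line. The systemd unit name `api`, the `/healthz` endpoint, and the releases-directory-plus-`current`-symlink layout are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from Nerve. This is the host-side dispatcher a Nerve
# agent would hand an action name to. The CI signal never carries a command
# line: it names an action, and only these four names do anything.
# Assumptions: a systemd unit called "api", a /healthz endpoint on 127.0.0.1:8080,
# and releases as directories under RELEASES_DIR with a "current" symlink.

ALLOWED_ACTIONS="collect-diagnostics show-release restart-api rollback-last-release"
RELEASES_DIR="${RELEASES_DIR:-/srv/api/releases}"

current_link() { printf '%s/current' "$RELEASES_DIR"; }

# Whole-string comparison against the allowlist: "restart-api;id" or
# "restart-api --force" is rejected, never parsed.
action_allowed() {
  for a in $ALLOWED_ACTIONS; do
    [ "$1" = "$a" ] && return 0
  done
  return 1
}

# The release that was live before the current one: walk release names in
# sort order and stop at the current target. Fails when current is the oldest
# (nothing to roll back to) or the symlink is missing. Release names are
# assumed to sort chronologically and contain no whitespace.
previous_release() {
  target=$(readlink "$(current_link)") || return 1
  cur=$(basename "$target")
  prev=""
  for d in $(ls -1 "$RELEASES_DIR"); do
    [ "$d" = current ] && continue
    [ "$d" = "$cur" ] && break
    prev="$d"
  done
  [ -n "$prev" ] && printf '%s\n' "$prev"
}

# Entry point. Return codes: 0 ran, 2 rejected, 3 nothing to roll back to.
run_action() {
  action="$1"
  if ! action_allowed "$action"; then
    echo "rejected: '$action' is not an approved action" >&2
    return 2
  fi
  logger -t nerve-action "running $action" 2>/dev/null || true
  case "$action" in
    collect-diagnostics)
      journalctl -u api --since '-15 min' --no-pager | tail -n 200 ;;
    show-release)
      printf 'release=%s\n' "$(basename "$(readlink "$(current_link)")")"
      curl -fsS -m 5 http://127.0.0.1:8080/healthz || echo 'health: FAIL' ;;
    restart-api)
      systemctl restart api ;;
    rollback-last-release)
      prev=$(previous_release) || { echo 'no previous release to roll back to' >&2; return 3; }
      ln -sfn "$RELEASES_DIR/$prev" "$(current_link)" && systemctl restart api ;;
  esac
}
```

The agent's user needs only what these four commands need (journalctl read access, a sudoers or polkit rule for `systemctl restart api`, write access to the `current` symlink). The rollback path is the one to review hardest: it refuses to run when there is no older release, and it never takes a release name from the caller.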