Catch Permission Drift Before It Becomes a Problem

Every day at 9am, Notis checks if your team's GitHub access matches your expectations. Permission surprises get flagged immediately.

Trigger

Recurring schedule

Notis starts this workflow on a schedule, such as daily, weekly, or during business hours.

GitHub logo

Action

Check team permissions for a repository

Checks a team's permissions for a specific repository within an organization, including permissions inherited from parent teams.

Why this helps

You assume your team has the right repository access, but drift happens gradually. Someone gets promoted, permissions don't update. A contractor's access stays active too long. You only notice during emergency incident or when someone can't access what they need.

  • Catch permission drift early—before it causes an outage or security issue
  • Spend less time manually auditing access levels
  • Proactively align team access with your actual organizational structure

Setup

Build it in a few focused steps.

  • 1Connect GitHub to Notis.
  • 2Create an automation: 'Every day at 9am, check if our key GitHub teams have the expected repository access. Report any mismatches.'
  • 3Give Notis a list of teams and the repositories they should have access to (e.g., 'Frontend team should have push access to repos: dashboard, ui-lib, marketing-site').
  • 4Choose a Slack channel where Notis will send the audit report each morning.
  • 5Test by running the audit manually once to see the baseline report.

Questions about this workflow

What counts as a 'mismatch'?

A team has more access than expected (e.g., admin instead of push), has less access (can't push when they should), or is missing access to a repo entirely.

Can I change the audit schedule?

Yes. You can run it daily, weekly, before releases, or whenever makes sense for your team's pace.

Does this also check individual user permissions?

The default focuses on team-level permissions, but Notis can also audit specific users if you need that visibility.

When this happens · Trigger

Do this · Action

Supported Triggers and Actions

Notis builds workflows that link Slack to GitHub. A trigger fires from one place; an action lands in another.

Slack logo

Slack triggers

GitHub logo

GitHub actions

New Channel Created Trigger

Triggered when a new channel is created in Slack.

TriggerInstant

Accept a repository invitation

Accepts a pending repository invitation that has been issued to the authenticated user.

ActionInstant

Channel Message Received

Triggered when a message is posted in a Slack channel (public, private, or multi-party IM). Does NOT match direct messages.

TriggerInstant

List repositories starred by the authenticated user

Deprecated: lists repositories starred by the authenticated user, including star creation timestamps; use 'list repositories starred by the authenticated user' instead.

ActionInstant

Direct Message Received

Triggered when a new direct message (DM) is sent to a user in Slack. Catches all DMs across all DM channels.

TriggerInstant

List stargazers

Deprecated: lists users who have starred a repository; use `list stargazers` instead.

ActionInstant

Message Reaction Added

Triggered when a reaction is added to a message in Slack. Supports optional filtering by channel and emoji name.

TriggerInstant

Star a repository for the authenticated user

Deprecated: stars a repository for the authenticated user; use `star a repository for the authenticated user` instead.

ActionInstant

Message Reaction Removed

Triggered when a reaction is removed from a message in Slack. Supports optional filtering by channel and emoji name.

TriggerInstant

Add email for auth user

Adds one or more email addresses (which will be initially unverified) to the authenticated user's github account; use this to associate new emails, noting an email verified for another account will error, while an existing email for the current user is accepted.

ActionInstant

Reaction Added Trigger

DEPRECATED: use `SLACK_MESSAGE_REACTION_ADDED` instead. Triggered when a reaction is added to a message in Slack.

TriggerInstant

Add app access restrictions

Replaces github app access restrictions for an existing protected branch; requires a json array of app slugs in the request body, where apps must be installed and have 'contents' write permissions.

ActionInstant

Reaction Removed Trigger

DEPRECATED: use `SLACK_MESSAGE_REACTION_REMOVED` instead. Triggered when a reaction is removed from a message.

TriggerInstant

Add a repository collaborator

Adds a github user as a repository collaborator, or updates their permission if already a collaborator; `permission` applies to organization-owned repositories (personal ones default to 'push' and ignore this field), and an invitation may be created or permissions updated directly.

ActionInstant

New Bot Message Received Trigger

DEPRECATED: use `SLACK_CHANNEL_MESSAGE_RECEIVED` with `is_bot_message=true` instead. Triggered when a new bot message is posted to a Slack channel.

TriggerInstant

Add a repository to an app installation

Adds a repository to a github app installation, granting the app access; requires authenticated user to have admin rights for the repository and access to the installation.

ActionInstant

Connect any two apps with Notis in the middle.

Not just Slack and GitHub. Any combination from 985+ integrations.

When this happens · Trigger

Do this · Action

Save your first hour today.

7 days free trial with 20$ free usage included.
No card. Works with personal or business GitHub.