Slack alerts for every Doppler secret change

When secrets change in Doppler, get a plain-English summary in Slack and an auto-filed Linear ticket for high-risk changes.

Agentic Task
Doppler · Slack Bot · Linear · Engineering · Operations · Notifications & Alerts · Research & Monitoring

Build an agent workflow that reviews every Doppler secret change and posts the right alert in Slack, escalating high-risk changes to Linear.

Trigger: a webhook from Doppler on the config.secrets.update event. Set up the workflow so a single Doppler webhook URL feeds it, configured in Doppler at the workplace level to fire on secret updates. The incoming payload contains the project, config, workplace, and a diff with added, removed, and updated arrays of secret names. Doppler never includes secret values in the webhook payload, and the agent must never attempt to fetch or print a value.

On each webhook fire the agent should:

1. Parse the project, config, and diff from the payload. Treat the diff as three lists of secret names: added, removed, updated.

2. Call Doppler's List Config Logs for the same project and config, pulling the most recent entry. Use it to learn who made the change and how it was made (dashboard, CLI, service account, or API token). If the most recent log entry does not clearly correspond to this change, note that the actor is unknown rather than guessing.

3. Classify the change as routine or high-risk. Default rules: production configs (commonly named prd, prod, production, or anything explicitly marked as a production environment) are high-risk on any change. Introducing a secret whose name suggests admin, root, signing, private key, service account credentials, or master credentials is high-risk. Removing a secret whose name suggests audit, security, or signing material is high-risk. A bulk delete of more than five secrets in one change is high-risk. Anything else, including typical dev or staging tweaks and routine rotations, is routine.

4. Always post a Slack message to the configured security or platform channel using Slack Bot's Send a Message. The message should include: the project and config, the actor (name or service account, plus the source like dashboard or CLI), counts of secrets added, removed, and updated, the actual secret names in each bucket, the risk classification, and a one-sentence rationale for the classification. Use Slack markdown for readability. Never include secret values. If a list of names is long, cap it at the first 20 and note the remainder count.

5. If the change is high-risk, also create a Linear issue via Linear's Create Issue in the security team's workspace. Title: short summary like "High-risk Doppler change in <project>/<config>". Description: full details (actor, source, added/removed/updated names, classification rationale, timestamp) and a link to the Doppler config in the dashboard at https://dashboard.doppler.com/workplace/<workplace>/projects/<project>/configs/<config>. Set priority to High. Include a label or tag for security if one exists, otherwise mention security in the body so it can be routed. For routine changes do not open a Linear issue.

Strict rules for the agent: never call any Doppler endpoint that returns secret values (no List Secrets, no Get Secret). Only use List Config Logs for context and the webhook payload's diff for the names. Never include a secret value in any Slack message, Linear issue, log line, or thought. If the payload is malformed or missing required fields, post a single Slack message saying a malformed Doppler webhook was received and stop.

Integrations to use: Doppler (List Config Logs), Slack Bot (Send a Message), Linear (Create Issue).
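The parsing, classification, and Slack-formatting rules from steps 1, 3 and 4 above, as an added worked example (not part of the original prompt or of any Doppler, Slack or Linear SDK). The payload is a constructed sample shaped like the webhook described above; the name patterns, the `actor` string (which the real workflow would take from List Config Logs) and the message layout are assumptions.

```python
import re
# Constructed sample payload shaped like the config.secrets.update webhook: names only, never values.
SAMPLE_PAYLOAD = {
    "project": {"name": "billing"}, "config": {"name": "stg"},
    "diff": {"added": ["ADMIN_TOKEN"], "removed": [], "updated": ["DB_URL"]},
}
PROD_CONFIGS = {"prd", "prod", "production"}  # extend with your own production config names
RISKY_ADD = re.compile(r"admin|root|sign|private.?key|service.?account|master", re.I)
RISKY_REMOVE = re.compile(r"audit|security|sign", re.I)
BULK_DELETE_THRESHOLD, NAME_CAP = 5, 20

def parse_payload(payload):
    """Return (project, config, diff); raise ValueError if required fields are missing."""
    try:
        project, config = payload["project"]["name"], payload["config"]["name"]
        diff = {k: list(payload["diff"][k]) for k in ("added", "removed", "updated")}
    except (KeyError, TypeError) as exc:
        raise ValueError("malformed Doppler webhook") from exc
    return project, config, diff

def classify(config, diff):
    """Apply the default rules from step 3; return (is_high_risk, rationale)."""
    if config.lower() in PROD_CONFIGS:
        return True, f"any change to production config {config} is high-risk"
    hit = [n for n in diff["added"] if RISKY_ADD.search(n)]
    if hit:
        return True, "introduces privileged-looking secret(s): " + ", ".join(hit)
    hit = [n for n in diff["removed"] if RISKY_REMOVE.search(n)]
    if hit:
        return True, "removes audit/security/signing secret(s): " + ", ".join(hit)
    if len(diff["removed"]) > BULK_DELETE_THRESHOLD:
        return True, f"bulk delete of {len(diff['removed'])} secrets"
    return False, "routine dev/staging tweak or rotation"

def format_names(names):
    """Cap a bucket at NAME_CAP names and note the remainder (step 4)."""
    shown = ", ".join(f"`{n}`" for n in names[:NAME_CAP]) or "none"
    extra = len(names) - NAME_CAP
    return shown + (f" (+{extra} more)" if extra > 0 else "")

def build_alert(payload, actor="unknown (no matching config log)"):
    """Build the Slack markdown text; 'actor' is whatever List Config Logs resolved."""
    project, config, diff = parse_payload(payload)
    high, why = classify(config, diff)
    lines = [f"*Doppler secret change* in `{project}/{config}` by {actor}",
             f"Risk: *{'HIGH' if high else 'routine'}* ({why})"]
    for bucket in ("added", "removed", "updated"):
        lines.append(f"{bucket} ({len(diff[bucket])}): {format_names(diff[bucket])}")
    return high, "\n".join(lines)
```

A malformed payload surfaces as `ValueError`, which is the point at which the workflow posts its single "malformed Doppler webhook" message and stops.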

Additional information

What does this prompt do?
  • Watches Doppler for any secret change across your projects and configs.
  • Posts a short Slack summary with who made the change, which project and config it hit, and which secret names were added, removed, or updated.
  • Classifies each change as routine or high-risk based on environment, secret names, and patterns like bulk deletes.
  • Opens a Linear ticket for the security team whenever a change is flagged high-risk, with a link back to the Doppler config.
  • Never logs or echoes secret values. Only secret names appear in Slack and Linear.
What do I need to use this?
  • A Doppler account with permission to set up outgoing webhooks.
  • A Slack workspace and the channel you want alerts to land in.
  • A Linear workspace and a team where security tickets should be filed.
How can I customize it?
  • Change which Slack channel receives alerts, or split routine and high-risk notifications across two channels.
  • Tune the high-risk rules. For example, treat any change to a production config as high-risk, or flag specific secret name patterns like admin, root, or signing keys.
  • Pick which Linear team and project new security tickets land in, and adjust the default priority or labels.

Frequently asked questions

Will my secret values ever appear in Slack or Linear?
No. The workflow is built to reference only secret names. Doppler's webhook payload does not include values, and the prompt explicitly forbids the agent from fetching or repeating any secret value.
What counts as a high-risk change?
By default, changes to production configs, anything that introduces an admin or signing token, removal of audit- or security-related secrets, and large bulk deletes. You can tune these rules in the prompt to match your environment naming and threat model.
How fast will alerts arrive?
Doppler sends a webhook within seconds of a secret change. The Slack message and Linear ticket are posted as soon as the workflow finishes classifying the change, usually under a minute.
Can I send alerts somewhere other than Slack?
Yes. Swap Slack for Microsoft Teams, Discord, or email when you start the workflow. The classification and Linear ticket logic stay the same.
Do I need a paid Doppler plan?
You need a plan that allows outgoing webhooks on config changes. Most Team and above plans include this. Check your Doppler workplace settings to confirm webhooks are available.

Catch risky secret changes before they ship.

Connect Doppler, Slack, and Linear once. Geni summarizes every secret change and escalates the dangerous ones.