DevOps AI ToolKit

Slack App Manifest CI Lint & Diff Gate Prompt

Build a CI gate that lints, diffs, and validates the Slack app manifest on every PR so scope creep and accidental permission grants never ship unreviewed.

Target user
Platform engineers version-controlling Slack app manifests
Difficulty
Intermediate
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior platform engineer who treats the Slack app manifest as code and gates every change to it through CI the same way you would a Terraform plan.

I will provide:
- Where my manifest lives ([manifest.json / manifest.yaml in repo])
- My CI system ([GitHub Actions / GitLab CI / etc.])
- Whether I deploy the manifest via `apps.manifest.update` or by hand
- My governance concerns ([scope creep / event-subscription sprawl / accidental redirect URLs])

Your job:

1. **Schema validation** — validate the manifest against Slack's manifest schema in CI using `apps.manifest.validate`, failing the build on any structural error before it reaches a workspace.
2. **Scope diff gate** — compute the diff between the PR's `oauth_config.scopes` and the base branch. Surface every ADDED bot/user scope as a required-review item; never let a new scope merge silently.
3. **Event-subscription diff** — same treatment for `settings.event_subscriptions.bot_events` and interactivity request URLs; flag new event types and any change to request/redirect URLs.
4. **Drift check** — compare the committed manifest against the live app via `apps.manifest.export` and fail if they diverge (someone edited in the UI).
5. **Policy assertions** — encode org rules: no wildcard redirect URLs, Socket Mode on/off as required, no `admin.*` scopes without an exception label.
6. **CI job** — a complete pipeline job: validate, diff, drift-check, comment the scope/event diff on the PR, and block merge on policy violation.

Output as: (a) validation step, (b) scope-diff script, (c) event/URL diff script, (d) drift-check step, (e) policy-assertion rules, (f) full CI job YAML with PR commenting.

Safety: gate scope and redirect-URL additions on explicit human review — these expand the app's blast radius.

Why this prompt works

A Slack app manifest is a permissions document wearing a config file’s clothes. A one-line addition to `oauth_config.scopes` can hand a bot the ability to read every DM in the workspace, and if the manifest is editable in the UI, that change can land with no PR, no review, and no record. This prompt reframes the manifest as code subject to the same CI rigor as infrastructure — and the centerpiece is the scope diff gate, because the dangerous changes are exactly the ones that look small in a diff.

The drift-check requirement is what makes the whole thing real. Plenty of teams version their manifest and still let people edit it in the Slack UI, which means the committed file and the live app quietly diverge until an incident reveals the gap. By asking the model to compare the committed manifest against `apps.manifest.export` and fail on divergence, the prompt closes the loophole that makes manifest-as-code a fiction in most orgs.

The policy-assertion layer is where this earns its keep over a generic linter. Encoding rules like “no wildcard redirect URLs” and “no `admin.*` scopes without an exception label” turns vague governance intentions into a build that fails loudly. The AI drafts the pipeline plumbing and the diff logic; the human supplies the policy and reviews each flagged scope — which is the right place for judgment to live.
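As an added example (not the page's own code, nor Slack's), here is the scope/event/URL diff and policy-assertion core that steps 2, 3 and 5 of the prompt ask for, in Python. The two manifests, the `*`-in-URL wildcard rule and the PR label names `scopes-reviewed` and `scope-exception` are constructed assumptions for illustration.

```python
# Constructed sample manifests (not from the page): base branch vs. the PR's version.
BASE_MANIFEST = {
    "oauth_config": {
        "redirect_urls": ["https://app.example.com/oauth/callback"],
        "scopes": {"bot": ["chat:write", "channels:read"], "user": []},
    },
    "settings": {"event_subscriptions": {"bot_events": ["app_mention"]}},
}
PR_MANIFEST = {
    "oauth_config": {
        "redirect_urls": ["https://app.example.com/oauth/callback", "https://*.example.com/cb"],
        "scopes": {"bot": ["chat:write", "channels:read", "im:history", "admin.users:read"], "user": []},
    },
    "settings": {"event_subscriptions": {"bot_events": ["app_mention", "message.im"]}},
}
# Governed fields named in the prompt: short name -> path inside the manifest JSON.
GOVERNED = {
    "bot_scopes": ("oauth_config", "scopes", "bot"),
    "user_scopes": ("oauth_config", "scopes", "user"),
    "bot_events": ("settings", "event_subscriptions", "bot_events"),
    "redirect_urls": ("oauth_config", "redirect_urls"),
}

def _items(manifest, path):
    """Walk a path of keys; a missing key or non-list leaf counts as an empty list."""
    node = manifest
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return list(node) if isinstance(node, list) else []

def manifest_diff(base, pr):
    """Added and removed entries per governed field, sorted so PR comments are stable."""
    return {name: {"added": sorted(set(_items(pr, p)) - set(_items(base, p))),
                   "removed": sorted(set(_items(base, p)) - set(_items(pr, p)))}
            for name, p in GOVERNED.items()}

def policy_violations(diff, pr, labels):
    """Org rules from the prompt. Wildcard redirect URLs never pass; admin.* scopes need the
    'scope-exception' PR label; any addition needs 'scopes-reviewed' (label names are assumed)."""
    found = [f"wildcard redirect URL: {u}" for u in _items(pr, GOVERNED["redirect_urls"]) if "*" in u]
    for scope in _items(pr, GOVERNED["bot_scopes"]) + _items(pr, GOVERNED["user_scopes"]):
        if scope.startswith("admin.") and "scope-exception" not in labels:
            found.append(f"admin scope without exception label: {scope}")
    for name, change in diff.items():
        if change["added"] and "scopes-reviewed" not in labels:
            found.append(f"unreviewed additions to {name}: {change['added']}")
    return found  # non-empty list -> fail the CI job and post these lines on the PR
```

In a real job the two manifests come from `git show base:manifest.json` and the checked-out PR file, and the labels from the CI provider's PR metadata; the diff dict is what gets posted as the PR comment.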
