Pull request events now included in the audit log

Pull request and review-related events are now included in the audit log at both the enterprise and organization levels. This helps administrators better monitor pull request activity and ensure security and compliance requirements are being met.

Events now included in the audit log:

  • A pull request is created, merged, closed, reopened, converted to draft, or marked ready for review
  • A review is requested or a request is removed
  • A review comment is added, updated, or deleted
  • A review is submitted, dismissed, or deleted

Events can be viewed from the web UI, exported as CSV or JSON, or accessed via REST API. You can also search the audit log for specific pull request events. For example action:pull_request filters for events directly on a pull request, action:pull_request.merge shows just merge events, and action:pull_request_review shows review events.

Learn more about audit log and available pull request actions

GitHub Actions now lets you control the permissions granted to the GITHUB_TOKEN secret.

The GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the GitHub API in your workflow runs. Actions generates a new token for each job and expires the token when a job completes. The token has write permissions to a number of API endpoints except in the case of pull requests from forks which are always read. These new settings allow you to follow a principle of least privilege in your workflows.

Setting permissions in the workflow

A new permissions key supported at the workflow and job level enables you to specify which permissions you want for the token. Any permission that is absent from the list will be set to none.

permissions:
  actions: read|write|none
  checks: read|write|none
  contents: read|write|none
  deployments: read|write|none
  issues: read|write|none
  packages: read|write|none
  pull-requests: read|write|none
  repository-projects: read|write|none
  security-events: read|write|none
  statuses: read|write|none

Pull requests from public forks are still considered a special case and will receive a read token regardless of these settings.

Setting the default permissions for the organization or repository

A new admin setting lets you set the default permissions for the token in your organization or repository.

You can choose between two options:

  • Read/write for all scopes (current default)
  • Read repo contents

Setting the default to contents:read is sufficient for any workflows that simply need to clone and build. If you need additional permissions you will need to specify those in your workflow yaml.

image

Learn more about setting the token permissions

For questions, visit the GitHub Actions community

To see what’s next for Actions, visit our public roadmap

See more