Audited actions

You can search the audit log for a wide variety of actions.

In this article

Authentication

ActionDescription
oauth_access.createAn OAuth access token was generated for a user account.
oauth_access.destroyAn OAuth access token was deleted from a user account.
oauth_application.destroyAn OAuth application was deleted from a user or organization account.
oauth_application.reset_secretAn OAuth application's secret key was reset.
oauth_application.transferAn OAuth application was transferred from one user or organization account to another.
public_key.createAn SSH key was added to a user account or a deploy key was added to a repository.
public_key.deleteAn SSH key was removed from a user account or a deploy key was removed from a repository.
public_key.updateA user account's SSH key or a repository's deploy key was updated.
two_factor_authentication.enabledTwo-factor authentication was enabled for a user account.
two_factor_authentication.disabledTwo-factor authentication was disabled for a user account.

GitHub Actions

ActionDescription
remove_self_hosted_runnerTriggered when a self-hosted runner is removed.
register_self_hosted_runnerTriggered when a new self-hosted runner is registered. For more information, see "Adding self-hosted runners."
runner_group_createdTriggered when a self-hosted runner group is created. For more information, see "About self-hosted runner groups.
runner_group_removedTriggered when a self-hosted runner group is removed. For more information, see "Removing a self-hosted runner group."
runner_group_runner_removedTriggered when the REST API is used to remove a self-hosted runner from a group.
runner_group_runners_addedTriggered when a self-hosted runner is added to a group. For more information, see "Moving a self-hosted runner to a group."
runner_group_runners_updatedTriggered when a runner group's list of members is updated. For more information, see "Set self-hosted runners in a group for an organization."
runner_group_updatedTriggered when the configuration of a self-hosted runner group is changed. For more information, see "Changing the access policy of a self-hosted runner group."
self_hosted_runner_updatedTriggered when the runner application is updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "About self-hosted runners."

Hooks

ActionDescription
hook.createA new hook was added to a repository.
hook.config_changedA hook's configuration was changed.
hook.destroyA hook was deleted.
hook.events_changedA hook's configured events were changed.

Enterprise configuration settings

ActionDescription
business.advanced_security_policy_updateA site admin creates, updates, or removes a policy for GitHub Advanced Security. For more information, see "Enforcing policies for Advanced Security in your enterprise."
business.clear_members_can_create_reposA site admin clears a restriction on repository creation in organizations in the enterprise. For more information, see "Enforcing repository management policies in your enterprise."
business.update_member_repository_creation_permissionA site admin restricts repository creation in organizations in the enterprise. For more information, see "Enforcing repository management policies in your enterprise."
enterprise.config.lock_anonymous_git_accessA site admin locks anonymous Git read access to prevent repository admins from changing existing anonymous Git read access settings for repositories in the enterprise. For more information, see "Enforcing repository management policies in your enterprise."
enterprise.config.unlock_anonymous_git_accessA site admin unlocks anonymous Git read access to allow repository admins to change existing anonymous Git read access settings for repositories in the enterprise. For more information, see "Enforcing repository management policies in your enterprise."

Issues and pull requests

ActionDescription
issue.updateAn issue's body text (initial comment) changed.
issue_comment.updateA comment on an issue (other than the initial one) changed.
pull_request_review_comment.deleteA comment on a pull request was deleted.
issue.destroyAn issue was deleted from the repository. For more information, see "Deleting an issue."

Organizations

ActionDescription
org.async_deleteA user initiated a background job to delete an organization.
org.deleteAn organization was deleted by a user-initiated background job.
org.transformA user account was converted into an organization. For more information, see "Converting a user into an organization."

Protected branches

ActionDescription
protected_branch.create Branch protection is enabled on a branch.
protected_branch.destroyBranch protection is disabled on a branch.
protected_branch.update_admin_enforced Branch protection is enforced for repository administrators.
protected_branch.update_require_code_owner_review Enforcement of required code owner review is updated on a branch.
protected_branch.dismiss_stale_reviews Enforcement of dismissing stale pull requests is updated on a branch.
protected_branch.update_signature_requirement_enforcement_level Enforcement of required commit signing is updated on a branch.
protected_branch.update_pull_request_reviews_enforcement_level Enforcement of required pull request reviews is updated on a branch.
protected_branch.update_required_status_checks_enforcement_level Enforcement of required status checks is updated on a branch.
protected_branch.rejected_ref_update A branch update attempt is rejected.
protected_branch.policy_override A branch protection requirement is overridden by a repository administrator.

Repositories

ActionDescription
repo.accessThe visibility of a repository changed to private, public, or internal.
repo.archivedA repository was archived. For more information, see "Archiving a GitHub repository."
repo.add_memberA collaborator was added to a repository.
repo.configA site admin blocked force pushes. For more information, see Blocking force pushes to a repository to a repository.
repo.createA repository was created.
repo.destroyA repository was deleted.
repo.remove_memberA collaborator was removed from a repository.
repo.renameA repository was renamed.
repo.transferA user accepted a request to receive a transferred repository.
repo.transfer_startA user sent a request to transfer a repository to another user or organization.
repo.unarchivedA repository was unarchived. For more information, see "Archiving a GitHub repository."
repo.config.disable_anonymous_git_accessAnonymous Git read access is disabled for a repository. For more information, see "Enabling anonymous Git read access for a repository."
repo.config.enable_anonymous_git_accessAnonymous Git read access is enabled for a repository. For more information, see "Enabling anonymous Git read access for a repository."
repo.config.lock_anonymous_git_accessA repository's anonymous Git read access setting is locked, preventing repository administrators from changing (enabling or disabling) this setting. For more information, see "Preventing users from changing anonymous Git read access."
repo.config.unlock_anonymous_git_accessA repository's anonymous Git read access setting is unlocked, allowing repository administrators to change (enable or disable) this setting. For more information, see "Preventing users from changing anonymous Git read access."

Site admin tools

ActionDescription
staff.disable_repoA site admin disabled access to a repository and all of its forks.
staff.enable_repoA site admin re-enabled access to a repository and all of its forks.
staff.fake_loginA site admin signed into GitHub Enterprise Server as another user.
staff.repo_unlockA site admin unlocked (temporarily gained full access to) one of a user's private repositories.
staff.unlockA site admin unlocked (temporarily gained full access to) all of a user's private repositories.

Teams

ActionDescription
team.createA user account or repository was added to a team.
team.deleteA user account or repository was removed from a team.
team.demote_maintainerA user was demoted from a team maintainer to a team member.
team.destroyA team was deleted.
team.promote_maintainerA user was promoted from a team member to a team maintainer.

Users

ActionDescription
user.add_emailAn email address was added to a user account.
user.async_deleteAn asynchronous job was started to destroy a user account, eventually triggering user.delete.
user.change_passwordA user changed his or her password.
user.createA new user account was created.
user.deleteA user account was destroyed by an asynchronous job.
user.demoteA site admin was demoted to an ordinary user account.
user.destroyA user deleted his or her account, triggering user.async_delete.
user.failed_loginA user tried to sign in with an incorrect username, password, or two-factor authentication code.
user.forgot_passwordA user requested a password reset via the sign-in page.
user.loginA user signed in.
user.mandatory_message_viewedA user views a mandatory message (see "Customizing user messages" for details)
user.promoteAn ordinary user account was promoted to a site admin.
user.remove_emailAn email address was removed from a user account.
user.renameA username was changed.
user.suspendA user account was suspended by a site admin.
user.two_factor_requestedA user was prompted for a two-factor authentication code.
user.unsuspendA user account was unsuspended by a site admin.

Did this doc help you?Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.