- This article contains the events available in the latest version of GitHub Enterprise Server. Some of the events may not be available in previous versions.
- This article contains the events that may appear in your user account's security log. For the events that can appear in an organization's audit log or the audit log for an enterprise, see "Audit log events for your organization" and "Audit log events for your enterprise."
The name for each audit log entry is composed of a category of events, followed by an operation type. For example, the
repo.create entry refers to the
create operation on the
repo category. The reference information in this article is grouped by categories.
|The retention period for GitHub Actions artifacts and logs was changed for an enterprise.
|Automatic creation of check suites was disabled on a repository in the organization or enterprise.
|Automatic creation of check suites was enabled on a repository in the organization or enterprise.
|A hook's configuration was changed.
|A new hook was added.
|A hook was deleted.
|A hook's configured events were changed.
|An integration was created.
|An integration was deleted.
|A member of an enterprise or organization was added as an integration manager.
|A member of an enterprise or organization was removed from being an integration manager.
|Ownership of an integration was transferred to another user or organization.
|An integration was installed.
|An integration was uninstalled.
|Repositories were added to an integration.
|Repositories were removed from an integration.
|Permissions for an integration were updated.
|An OAuth application was created.
|An OAuth application was deleted.
|The secret key for an OAuth application was reset.
|Token(s) for an OAuth application were revoked.
|An OAuth application was transferred from one account to another.
|An authorization for an OAuth application was created.
|An authorization for an OAuth application was deleted.
|A user joined an organization.
|GitHub Advanced Security was disabled for new repositories in an organization.
|GitHub Advanced Security was disabled for all repositories in an organization.
|GitHub Advanced Security was enabled for new repositories in an organization.
|GitHub Advanced Security was enabled for all repositories in an organization.
|A member was removed from an organization, either manually or due to a two-factor authentication requirement.
|The retention period for GitHub Actions artifacts and logs in an organization was changed.
|The create repository permission for organization members was changed.
|An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.
|An SSH key was added to a user account or a deploy key was added to a repository.
|An SSH key was removed from a user account or a deploy key was removed from a repository.
|A user account's SSH key or a repository's deploy key was unable to be unverified.
|A user account's SSH key or a repository's deploy key was unverified.
|A user account's SSH key or a repository's deploy key was updated.
|A user account's SSH key or a repository's deploy key was unable to be verified.
|A user account's SSH key or a repository's deploy key was verified.
|The visibility of a repository changed.
|A collaborator was added to a repository.
|A topic was added to a repository.
|GitHub Advanced Security was disabled for a repository.
|GitHub Advanced Security was enabled for a repository.
|A repository was archived.
|Pull request merge options were changed for a repository.
|Code scanning analysis for a repository was deleted.
|A code scanning configuration for a branch of a repository was deleted.
|The interaction limit for collaborators only was disabled.
|The interaction limit for prior contributors only was disabled in a repository.
|The interaction limit for existing users only was disabled in a repository.
|The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.
|The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.
|The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.
|A repository was created.
|A repository was deleted.
|A GitHub Pages custom domain was modified in a repository.
|A GitHub Pages site was created.
|A GitHub Pages site was deleted.
|HTTPS redirects were disabled for a GitHub Pages site.
|HTTPS redirects were enabled for a GitHub Pages site.
|A GitHub Pages site visibility was changed to private.
|A GitHub Pages site visibility was changed to public.
|A GitHub Pages source was modified.
|A new self-hosted runner was registered.
|A collaborator was removed from a repository.
|A self-hosted runner was removed.
|A topic was removed from a repository.
|A repository was renamed.
|The retention period for GitHub Actions artifacts and logs in a repository was changed.
|An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.
|A user accepted a request to receive a transferred repository.
|A repository was transferred to another repository network.
|A user sent a request to transfer a repository to another user or organization.
|A repository was unarchived.
|The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.
|A repository administrator changed GitHub Actions policy settings for a repository.
|A user's permission to a repository was changed.
|An invitation to join a repository was accepted.
|An invitation to join a repository was canceled.
|An invitation to join a repository was sent.
|An invitation to join a repository was declined.
|A repository ruleset was created.
|A repository ruleset was deleted.
|A repository ruleset was edited.
|A security key was registered for an account.
|A security key was removed from an account.
|A secondary authentication factor was added to a user account.
|Two-factor authentication was disabled for a user account.
|Two-factor authentication was enabled for a user account.
|A one-time password code was sent to a user account fallback phone number.
|Two factor recovery codes were regenerated for a user account.
|A secondary authentication factor was removed from a user account.
|A one-time password code was sent to a user account fallback phone number.
|The two-factor authentication fallback for a user account was changed.
|An email address was added to a user account.
|An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.
|A user was blocked by another user.
|A user changed their password.
|A new user account was created.
|The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.
|A user account was destroyed by an asynchronous job.
|A site administrator was demoted to an ordinary user account.
|A user deleted his or her account, triggering user.async_delete.
|A user tried to sign in with an incorrect username, password, or two-factor authentication code.
|A user requested a password reset.
|A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.
|A user signed in.
|A user signed out.
|An ordinary user account was promoted to a site administrator.
|A user's account was restored.
|An email address was removed from a user account.
|A username was changed.
|A user reset their account password.
|A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.
|A user signed in from an unrecognized device.
|A user signed in from an unrecognized device and location.
|A user account was suspended.
|A 2FA challenge issued for a user account failed.
|A 2FA challenge issued for a user account succeeded.
|A user used their 2FA recovery codes.
|A user downloaded 2FA recovery codes for their account.
|A user printed 2FA recovery codes for their account.
|A user viewed 2FA recovery codes for their account.
|A user was prompted for a two-factor authentication code.
|A user was unblocked by another user.
|A user account was unsuspended.
|A workflow job was approved.
|A workflow run was deleted.
|A workflow was disabled.
|A workflow was enabled, after previously being disabled by disable_workflow.
|A workflow job was rejected.