docs/content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise.md
Laura Coursen 52937ae5ca GitHub Enterprise Server 3.9 release candidate (#36631)
Co-authored-by: Rachael Sewell <rachmari@github.com>
Co-authored-by: Rachael Rose Renk <91027132+rachaelrenk@users.noreply.github.com>
Co-authored-by: David Jarzebowski <davidjarzebowski@github.com>
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
Co-authored-by: Steve Guntrip <stevecat@github.com>
Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
Co-authored-by: Torsten Walter <torstenwalter@github.com>
Co-authored-by: Henry Mercer <henrymercer@github.com>
Co-authored-by: Sarah Edwards <skedwards88@github.com>
2023-06-08 17:40:16 +00:00


title: Audit log events for your enterprise
intro: Learn about audit log events recorded for your enterprise.
shortTitle: Audit log events
permissions: Enterprise owners {% ifversion ghes %}and site administrators {% endif %}can interact with the audit log.
redirect_from:
  - /enterprise/admin/articles/audited-actions
  - /enterprise/admin/installation/audited-actions
  - /enterprise/admin/user-management/audited-actions
  - /admin/user-management/audited-actions
  - /admin/user-management/monitoring-activity-in-your-enterprise/audited-actions
versions:
  ghec: '*'
  ghes: '*'
  ghae: '*'
type: reference
topics:
  - Auditing
  - Enterprise
  - Logging
  - Security

{% note %}

{% ifversion ghes %} Notes:

  • {% else %} Note: {% endif %}This article contains the events that may appear in the audit log for an enterprise. For the events that can appear in a user account's security log or the audit log for an organization, see "AUTOTITLE" and "AUTOTITLE."

{% ifversion ghes %}

  • This article contains the events that may appear in the enterprise settings, specifically. The audit log in the site admin dashboard may contain additional events not listed here. {% endif %}

{% endnote %}

{% ifversion ghec%}

About audit log events for your enterprise

The scope of the events that appear in your enterprise's audit log depends on whether your enterprise uses {% data variables.product.prodname_emus %}. For more information about {% data variables.product.prodname_emus %}, see "AUTOTITLE."

  • If your enterprise does not use {% data variables.product.prodname_emus %}, the audit log only includes events related to the enterprise account and the organizations within the enterprise account, which are listed in this article.
  • If your enterprise uses {% data variables.product.prodname_emus %}, the audit log also includes user events for {% data variables.enterprise.prodname_managed_users %}, such as each time the user logs in to {% data variables.product.product_name %} and actions they take within their user account. For a list of these user account events, see "AUTOTITLE." {% endif %}

{%- ifversion fpt or ghec %}

account category actions

Action Description
account.billing_plan_change An organization's billing cycle changed. For more information, see "AUTOTITLE."
account.plan_change An organization's subscription changed. For more information, see "AUTOTITLE."
account.pending_plan_change An organization owner or billing manager canceled or downgraded a paid subscription. For more information, see "AUTOTITLE."
account.pending_subscription_change A {% data variables.product.prodname_marketplace %} free trial started or expired. For more information, see "AUTOTITLE."
{%- endif %}

{%- ifversion fpt or ghec %}

advisory_credit category actions

Action Description
advisory_credit.accept Someone accepted credit for a security advisory. For more information, see "AUTOTITLE."
advisory_credit.create The administrator of a security advisory added someone to the credit section.
advisory_credit.decline Someone declined credit for a security advisory.
advisory_credit.destroy The administrator of a security advisory removed someone from the credit section.
{%- endif %}

artifact category actions

Action Description
artifact.destroy A workflow run artifact was manually deleted.

{%- ifversion audit-log-streaming %}

audit_log_streaming category actions

Action Description
audit_log_streaming.check A manual check was performed of the endpoint configured for audit log streaming.
audit_log_streaming.create An endpoint was added for audit log streaming.
audit_log_streaming.update An endpoint configuration was updated for audit log streaming, such as when the stream was paused, enabled, or disabled.
audit_log_streaming.destroy An audit log streaming endpoint was deleted.
{%- endif %}

{%- ifversion fpt or ghec %}

billing category actions

Action Description
billing.change_billing_type An organization changed how it paid for {% data variables.product.prodname_dotcom %}. For more information, see "AUTOTITLE."
billing.change_email An organization's billing email address changed. For more information, see "AUTOTITLE."
{%- endif %}

business category actions

Action Description
business.add_admin An enterprise owner{% ifversion ghes %} or site administrator{% endif %} was added to an enterprise.
{%- ifversion ghec %}
business.add_billing_manager A billing manager was added to an enterprise.
{%- endif %}
business.add_organization An organization was added to an enterprise.
{%- ifversion ghec %}
business.add_support_entitlee A support entitlement was added to a member of an enterprise. For more information, see "AUTOTITLE."
{%- endif %}
{%- ifversion ghes or ghae %}
business.advanced_security_policy_update An enterprise owner{% ifversion ghes %} or site administrator{% endif %} created, updated, or removed a policy for {% data variables.product.prodname_GH_advanced_security %}. For more information, see "AUTOTITLE."
{%- endif %}
{%- ifversion ghec %}
business.cancel_admin_invitation An invitation for someone to be an owner{% ifversion ghes %} or site administrator{% endif %} of an enterprise was canceled.
business.cancel_billing_manager_invitation An invitation for someone to be a billing manager of an enterprise was canceled.
{%- endif %}
{%- ifversion ghes %}
business.clear_actions_settings An enterprise owner or site administrator cleared {% data variables.product.prodname_actions %} policy settings for an enterprise. For more information, see "AUTOTITLE."
{%- endif %}
business.clear_default_repository_permission An enterprise owner{% ifversion ghes %} or site administrator{% endif %} cleared the base repository permission policy setting for an enterprise. For more information, see "AUTOTITLE."
business.clear_members_can_create_repos An enterprise owner{% ifversion ghes %} or site administrator{% endif %} cleared a restriction on repository creation in organizations in the enterprise. For more information, see "AUTOTITLE."
business.create An enterprise was created.
{%- ifversion ghec %}
business.disable_oidc OIDC single sign-on was disabled for an enterprise. For more information, see "AUTOTITLE."
business.disable_saml SAML single sign-on was disabled for an enterprise.
{%- endif %}
business.disable_two_factor_requirement The requirement for members to have two-factor authentication enabled to access an enterprise was disabled.
{%- ifversion ghec %}
business.enable_oidc OIDC single sign-on was enabled for an enterprise. For more information, see "AUTOTITLE."
business.enable_saml SAML single sign-on was enabled for an enterprise.
{%- endif %}
business.enable_two_factor_requirement The requirement for members to have two-factor authentication enabled to access an enterprise was enabled.
{%- ifversion ghec %}
business.enterprise_server_license_download A {% data variables.product.prodname_ghe_server %} license was downloaded.
business.import_license_usage License usage information was imported from a {% data variables.product.prodname_ghe_server %} instance to an enterprise account on {% data variables.product.prodname_dotcom_the_website %}.
business.invite_admin An invitation for someone to be an enterprise owner{% ifversion ghes %} or site administrator{% endif %} of an enterprise was sent.
business.invite_billing_manager An invitation for someone to be a billing manager of an enterprise was sent.
{%- endif %}
business.members_can_update_protected_branches.clear An enterprise owner{% ifversion ghes %} or site administrator{% endif %} unset a policy for whether members of an enterprise can update protected branches on repositories for individual organizations. Organization owners can choose whether to allow updating protected branches settings.
business.members_can_update_protected_branches.disable The ability for enterprise members to update branch protection rules was disabled. Only enterprise owners can update protected branches.
business.members_can_update_protected_branches.enable The ability for enterprise members to update branch protection rules was enabled. Enterprise owners and members can update protected branches.
business.remove_admin An enterprise owner{% ifversion ghes %} or site administrator{% endif %} was removed from an enterprise.
{%- ifversion ghes %}
business.referrer_override_enable An enterprise owner or site administrator enabled the referrer policy override. For more information, see "AUTOTITLE."
business.referrer_override_disable An enterprise owner or site administrator disabled the referrer policy override. For more information, see "AUTOTITLE."
{%- endif %}
{%- ifversion ghec %}
business.remove_billing_manager A billing manager was removed from an enterprise.
business.remove_member A member was removed from an enterprise.
{%- endif %}
business.remove_organization An organization was removed from an enterprise.
{%- ifversion ghec %}
business.remove_support_entitlee A support entitlement was removed from a member of an enterprise. For more information, see "AUTOTITLE."
{%- endif %}
business.rename_slug The slug for the enterprise URL was renamed.
{%- ifversion ghec %}
business.revoke_external_identity The external identity for a member in an enterprise was revoked.
business.revoke_sso_session The SAML single sign-on session for a member in an enterprise was revoked.
{%- endif %}
{%- ifversion ghec %}
business.set_actions_fork_pr_approvals_policy The setting for requiring approvals for workflows from public forks was changed for an enterprise. For more information, see "AUTOTITLE."
{%- endif %}
business.set_actions_retention_limit The retention period for {% data variables.product.prodname_actions %} artifacts and logs was changed for an enterprise. For more information, see "AUTOTITLE."
{%- ifversion ghec or ghes %}
business.set_fork_pr_workflows_policy The policy for workflows on private repository forks was changed. For more information, see "{% ifversion ghec %}Enforcing policies for {% data variables.product.prodname_actions %} in an enterprise{% else ifversion ghes > 2.22 %}Enabling workflows for private repository forks{% endif %}."
{%- endif %}
{%- ifversion audit-log-sso-response-events %}
business.sso_response A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your enterprise. This event is only available via audit log streaming and the REST API.
{%- endif %}
{%- ifversion ghes %}
business.update_actions_settings An enterprise owner or site administrator updated {% data variables.product.prodname_actions %} policy settings for an enterprise. For more information, see "AUTOTITLE."
{%- endif %}
business.update_default_repository_permission The base repository permission setting was updated for all organizations in an enterprise. For more information, see "AUTOTITLE."
business.update_member_repository_creation_permission The repository creation setting was updated for an enterprise. For more information, see "AUTOTITLE."
business.update_member_repository_invitation_permission The policy setting for enterprise members inviting outside collaborators to repositories was updated. For more information, see "AUTOTITLE."
{%- ifversion ghec %}
business.update_saml_provider_settings The SAML single sign-on provider settings for an enterprise were updated.
{%- endif %}

{% ifversion code-security-audit-log-events %}

business_advanced_security category actions

Action Description
business_advanced_security.disabled {% data variables.product.prodname_GH_advanced_security %} was disabled for your enterprise. For more information, see "AUTOTITLE."
business_advanced_security.enabled {% data variables.product.prodname_GH_advanced_security %} was enabled for your enterprise. For more information, see "AUTOTITLE."
business_advanced_security.disabled_for_new_repos {% data variables.product.prodname_GH_advanced_security %} was disabled for new repositories in your enterprise. For more information, see "AUTOTITLE."
business_advanced_security.enabled_for_new_repos {% data variables.product.prodname_GH_advanced_security %} was enabled for new repositories in your enterprise. For more information, see "AUTOTITLE."

{% endif %}

{% ifversion code-security-audit-log-events %}

business_secret_scanning category actions

Action Description
business_secret_scanning.disable {% data variables.product.prodname_secret_scanning_caps %} was disabled for your enterprise. For more information, see "AUTOTITLE."
business_secret_scanning.enable {% data variables.product.prodname_secret_scanning_caps %} was enabled for your enterprise. For more information, see "AUTOTITLE."
business_secret_scanning.disabled_for_new_repos {% data variables.product.prodname_secret_scanning_caps %} was disabled for new repositories in your enterprise. For more information, see "AUTOTITLE."
business_secret_scanning.enabled_for_new_repos {% data variables.product.prodname_secret_scanning_caps %} was enabled for new repositories in your enterprise. For more information, see "AUTOTITLE."

{% endif %}

{%- ifversion secret-scanning-audit-log-custom-patterns %}

business_secret_scanning_custom_pattern category actions

Action Description
business_secret_scanning_custom_pattern.create An enterprise-level custom pattern was created for {% data variables.product.prodname_secret_scanning %}. For more information, see "AUTOTITLE."
business_secret_scanning_custom_pattern.delete An enterprise-level custom pattern was removed from {% data variables.product.prodname_secret_scanning %}.
business_secret_scanning_custom_pattern.publish An enterprise-level custom pattern was published for {% data variables.product.prodname_secret_scanning %}.
business_secret_scanning_custom_pattern.update Changes to an enterprise-level custom pattern were saved and a dry run was executed for {% data variables.product.prodname_secret_scanning %}.
{%- endif %}

{%- ifversion secret-scanning-custom-pattern-push-protection-audit %}

business_secret_scanning_custom_pattern_push_protection category actions

Action Description
business_secret_scanning_custom_pattern_push_protection.enabled Push protection for a custom pattern for {% data variables.product.prodname_secret_scanning %} was enabled for your enterprise. For more information, see "AUTOTITLE."
business_secret_scanning_custom_pattern_push_protection.disabled Push protection for a custom pattern for {% data variables.product.prodname_secret_scanning %} was disabled for your enterprise. For more information, see "AUTOTITLE."
{%- endif %}

{% ifversion code-security-audit-log-events %}

business_secret_scanning_push_protection category actions

Action Description
business_secret_scanning_push_protection.disable Push protection for {% data variables.product.prodname_secret_scanning %} was disabled for your enterprise. For more information, see "AUTOTITLE."
business_secret_scanning_push_protection.enable Push protection for {% data variables.product.prodname_secret_scanning %} was enabled for your enterprise. For more information, see "AUTOTITLE."
business_secret_scanning_push_protection.disabled_for_new_repos Push protection for {% data variables.product.prodname_secret_scanning %} was disabled for new repositories in your enterprise. For more information, see "AUTOTITLE."
business_secret_scanning_push_protection.enabled_for_new_repos Push protection for {% data variables.product.prodname_secret_scanning %} was enabled for new repositories in your enterprise. For more information, see "AUTOTITLE."

{% endif %}

{% ifversion code-security-audit-log-events %}

business_secret_scanning_push_protection_custom_message category actions

Action Description
business_secret_scanning_push_protection_custom_message.disable The custom message triggered by an attempted push to a push-protected repository was disabled for your enterprise. For more information, see "AUTOTITLE."
business_secret_scanning_push_protection_custom_message.enable The custom message triggered by an attempted push to a push-protected repository was enabled for your enterprise. For more information, see "AUTOTITLE."
business_secret_scanning_push_protection_custom_message.update The custom message triggered by an attempted push to a push-protected repository was updated for your enterprise. For more information, see "AUTOTITLE."

{% endif %}

checks category actions

Action Description
checks.auto_trigger_disabled Automatic creation of check suites was disabled on a repository in the organization or enterprise. For more information, see "AUTOTITLE."
checks.auto_trigger_enabled Automatic creation of check suites was enabled on a repository in the organization or enterprise. For more information, see "AUTOTITLE."
{%- ifversion fpt or ghec %}
checks.delete_logs Logs in a check suite were deleted.
{%- endif %}

{%- ifversion fpt or ghec %}

codespaces category actions

Action Description
codespaces.connect A codespace was started.
codespaces.create A user created a codespace.
codespaces.destroy A user deleted a codespace.
codespaces.allow_permissions A codespace using custom permissions from its devcontainer.json file was launched.
codespaces.attempted_to_create_from_prebuild An attempt to create a codespace from a prebuild was made.
codespaces.create_an_org_secret A user created an organization-level secret for {% data variables.product.prodname_github_codespaces %}.
codespaces.update_an_org_secret A user updated an organization-level secret for {% data variables.product.prodname_github_codespaces %}.
codespaces.remove_an_org_secret A user removed an organization-level secret for {% data variables.product.prodname_github_codespaces %}.
codespaces.manage_access_and_security A user updated which repositories a codespace can access.
{%- endif %}

{%- ifversion fpt or ghec %}

commit_comment category actions

Action Description
commit_comment.destroy A commit comment was deleted.
commit_comment.update A commit comment was updated.
{%- endif %}

{%- ifversion ghes %}

config_entry category actions

Action Description
config_entry.create A configuration setting was created. These events are only visible in the site admin audit log. The types of events recorded relate to:
- Enterprise settings and policies
- Organization and repository permissions and settings
- Git, Git LFS, {% data variables.product.prodname_github_connect %}, {% data variables.product.prodname_registry %}, project, and code security settings.
config_entry.destroy A configuration setting was deleted. These events are only visible in the site admin audit log. The types of events recorded relate to:
- Enterprise settings and policies
- Organization and repository permissions and settings
- Git, Git LFS, {% data variables.product.prodname_github_connect %}, {% data variables.product.prodname_registry %}, project, and code security settings.
config_entry.update A configuration setting was edited. These events are only visible in the site admin audit log. The types of events recorded relate to:
- Enterprise settings and policies
- Organization and repository permissions and settings
- Git, Git LFS, {% data variables.product.prodname_github_connect %}, {% data variables.product.prodname_registry %}, project, and code security settings.
{%- endif %}

dependabot_alerts category actions

Action Description
dependabot_alerts.disable An enterprise owner{% ifversion ghes %} or site administrator{% endif %} disabled {% data variables.product.prodname_dependabot_alerts %} for all existing {% ifversion fpt or ghec %}private {% endif %}repositories. For more information, see "AUTOTITLE."
dependabot_alerts.enable An enterprise owner{% ifversion ghes %} or site administrator{% endif %} enabled {% data variables.product.prodname_dependabot_alerts %} for all existing {% ifversion fpt or ghec %}private {% endif %}repositories.

dependabot_alerts_new_repos category actions

Action Description
dependabot_alerts_new_repos.disable An enterprise owner{% ifversion ghes %} or site administrator{% endif %} disabled {% data variables.product.prodname_dependabot_alerts %} for all new {% ifversion fpt or ghec %}private {% endif %}repositories. For more information, see "AUTOTITLE."
dependabot_alerts_new_repos.enable An enterprise owner{% ifversion ghes %} or site administrator{% endif %} enabled {% data variables.product.prodname_dependabot_alerts %} for all new {% ifversion fpt or ghec %}private {% endif %}repositories.

dependabot_repository_access category actions

Action Description
dependabot_repository_access.repositories_updated The repositories that {% data variables.product.prodname_dependabot %} can access were updated.

{%- ifversion fpt or ghec or ghes %}

dependabot_security_updates category actions

Action Description
dependabot_security_updates.disable An enterprise owner{% ifversion ghes %} or site administrator{% endif %} disabled {% data variables.product.prodname_dependabot_security_updates %} for all existing repositories. For more information, see "AUTOTITLE."
dependabot_security_updates.enable An enterprise owner{% ifversion ghes %} or site administrator{% endif %} enabled {% data variables.product.prodname_dependabot_security_updates %} for all existing repositories.

dependabot_security_updates_new_repos category actions

Action Description
dependabot_security_updates_new_repos.disable An enterprise owner{% ifversion ghes %} or site administrator{% endif %} disabled {% data variables.product.prodname_dependabot_security_updates %} for all new repositories. For more information, see "AUTOTITLE."
dependabot_security_updates_new_repos.enable An enterprise owner{% ifversion ghes %} or site administrator{% endif %} enabled {% data variables.product.prodname_dependabot_security_updates %} for all new repositories.
{%- endif %}

dependency_graph category actions

Action Description
dependency_graph.disable An enterprise owner{% ifversion ghes %} or site administrator{% endif %} disabled the dependency graph for all existing repositories. For more information, see "AUTOTITLE."
dependency_graph.enable An enterprise owner{% ifversion ghes %} or site administrator{% endif %} enabled the dependency graph for all existing repositories.

dependency_graph_new_repos category actions

Action Description
dependency_graph_new_repos.disable An enterprise owner{% ifversion ghes %} or site administrator{% endif %} disabled the dependency graph for all new repositories. For more information, see "AUTOTITLE."
dependency_graph_new_repos.enable An enterprise owner{% ifversion ghes %} or site administrator{% endif %} enabled the dependency graph for all new repositories.

{%- ifversion ghec or ghes %}

dotcom_connection category actions

Action Description
dotcom_connection.create A {% data variables.product.prodname_github_connect %} connection to {% data variables.product.prodname_dotcom_the_website %} was created.
dotcom_connection.destroy A {% data variables.product.prodname_github_connect %} connection to {% data variables.product.prodname_dotcom_the_website %} was deleted.
dotcom_connection.token_updated The {% data variables.product.prodname_github_connect %} connection token for {% data variables.product.prodname_dotcom_the_website %} was updated.
dotcom_connection.upload_license_usage {% data variables.product.prodname_ghe_server %} license usage was manually uploaded to {% data variables.product.prodname_ghe_cloud %}.
dotcom_connection.upload_usage_metrics {% data variables.product.prodname_ghe_server %} usage metrics were uploaded to {% data variables.product.prodname_dotcom_the_website %}.
{%- endif %}

enterprise category actions

Action Description
enterprise.config.disable_anonymous_git_access An enterprise owner{% ifversion ghes %} or site administrator{% endif %} disabled anonymous Git read access for repositories in the enterprise. For more information, see "AUTOTITLE."
enterprise.config.enable_anonymous_git_access An enterprise owner{% ifversion ghes %} or site administrator{% endif %} enabled anonymous Git read access for repositories in the enterprise. For more information, see "AUTOTITLE."
enterprise.config.lock_anonymous_git_access An enterprise owner{% ifversion ghes %} or site administrator{% endif %} locked anonymous Git read access to prevent repository admins from changing existing anonymous Git read access settings for repositories in the enterprise. For more information, see "AUTOTITLE."
enterprise.config.unlock_anonymous_git_access An enterprise owner{% ifversion ghes %} or site administrator{% endif %} unlocked anonymous Git read access to allow repository admins to change existing anonymous Git read access settings for repositories in the enterprise. For more information, see "AUTOTITLE."
enterprise.register_self_hosted_runner A new {% data variables.product.prodname_actions %} self-hosted runner was registered. For more information, see "AUTOTITLE."
enterprise.remove_self_hosted_runner A {% data variables.product.prodname_actions %} self-hosted runner was removed. For more information, see "AUTOTITLE."
enterprise.runner_group_created A {% data variables.product.prodname_actions %} self-hosted runner group was created. For more information, see "AUTOTITLE."
enterprise.runner_group_removed A {% data variables.product.prodname_actions %} self-hosted runner group was removed. For more information, see "AUTOTITLE."
enterprise.runner_group_renamed A {% data variables.product.prodname_actions %} self-hosted runner group was renamed. For more information, see "AUTOTITLE."
enterprise.runner_group_updated The configuration of a {% data variables.product.prodname_actions %} self-hosted runner group was changed. For more information, see "AUTOTITLE."
enterprise.runner_group_runner_removed The REST API was used to remove a {% data variables.product.prodname_actions %} self-hosted runner from a group. For more information, see "AUTOTITLE."
enterprise.runner_group_runners_added A {% data variables.product.prodname_actions %} self-hosted runner was added to a group. For more information, see "Moving a self-hosted runner to a group."
enterprise.runner_group_runners_updated A {% data variables.product.prodname_actions %} runner group's list of members was updated. For more information, see "AUTOTITLE."
{%- ifversion ghec %}
enterprise.runner_group_visiblity_updated The visibility of a {% data variables.product.prodname_actions %} self-hosted runner group was updated via the REST API. For more information, see "AUTOTITLE."
{%- endif %}
{%- ifversion ghec or ghes or ghae %}
enterprise.self_hosted_runner_online The {% data variables.product.prodname_actions %} runner application was started. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "AUTOTITLE."
enterprise.self_hosted_runner_offline The {% data variables.product.prodname_actions %} runner application was stopped. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "AUTOTITLE."
{%- endif %}
{%- ifversion ghec or ghes %}
enterprise.self_hosted_runner_updated The {% data variables.product.prodname_actions %} runner application was updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "AUTOTITLE."
{%- endif %}

{%- ifversion ghec %}

enterprise_domain category actions

Action Description
enterprise_domain.approve An enterprise domain was approved for an enterprise. For more information, see "AUTOTITLE."
enterprise_domain.create An enterprise domain was added to an enterprise. For more information, see "AUTOTITLE."
enterprise_domain.destroy An enterprise domain was removed from an enterprise. For more information, see "AUTOTITLE."
enterprise_domain.verify An enterprise domain was verified for an enterprise. For more information, see "AUTOTITLE."

enterprise_installation category actions

Action Description
enterprise_installation.create The {% data variables.product.prodname_github_app %} associated with an {% data variables.product.prodname_github_connect %} enterprise connection was created.
enterprise_installation.destroy The {% data variables.product.prodname_github_app %} associated with an {% data variables.product.prodname_github_connect %} enterprise connection was deleted.
enterprise_installation.token_updated The token belonging to {% data variables.product.prodname_github_app %} associated with an {% data variables.product.prodname_github_connect %} enterprise connection was updated.
{%- endif %}

{%- ifversion fpt or ghec %}

environment category actions

Action Description
environment.add_protection_rule A {% data variables.product.prodname_actions %} environment protection rule was created via the API. For more information, see "AUTOTITLE."
environment.create_actions_secret A secret was created for a {% data variables.product.prodname_actions %} environment via the API. For more information, see "AUTOTITLE."
environment.delete An environment was deleted via the API. For more information, see "AUTOTITLE."
environment.remove_actions_secret A secret was deleted for a {% data variables.product.prodname_actions %} environment via the API. For more information, see "AUTOTITLE."
environment.remove_protection_rule A {% data variables.product.prodname_actions %} environment protection rule was deleted via the API. For more information, see "AUTOTITLE."
environment.update_actions_secret A secret was updated for a {% data variables.product.prodname_actions %} environment via the API. For more information, see "AUTOTITLE."
environment.update_protection_rule A {% data variables.product.prodname_actions %} environment protection rule was updated via the API. For more information, see "AUTOTITLE."
{%- endif %}

{%- ifversion ghae %}

external_group category actions

Action Description
external_group.delete An Okta group was deleted. For more information, see "AUTOTITLE."
external_group.link An Okta group was mapped to a {% data variables.product.prodname_ghe_managed %} team. For more information, see "AUTOTITLE."
external_group.provision An Okta group was mapped to a team on {% data variables.product.prodname_ghe_managed %}. For more information, see "AUTOTITLE."
external_group.unlink An Okta group was unmapped from a {% data variables.product.prodname_ghe_managed %} team. For more information, see "AUTOTITLE."
external_group.update An Okta group's settings were updated. For more information, see "AUTOTITLE."

external_identity category actions

Action Description
external_identity.deprovision A user was removed from an Okta group and was subsequently deprovisioned from {% data variables.product.prodname_ghe_managed %}. For more information, see "AUTOTITLE."
external_identity.provision An Okta user was added to an Okta group and was subsequently provisioned to the mapped team on {% data variables.product.prodname_ghe_managed %}. For more information, see "AUTOTITLE."
external_identity.update An Okta user's settings were updated. For more information, see "AUTOTITLE."
{%- endif %}

{% ifversion git-events-audit-log %}

git category actions

{% ifversion enable-git-events %} Before you'll see git category actions, you must enable Git events in the audit log. For more information, see "AUTOTITLE." {% endif %}

{% data reusables.audit_log.git-events-not-in-search-results %}

Action Description
git.clone A repository was cloned.
git.fetch Changes were fetched from a repository.
git.push Changes were pushed to a repository.
{% endif %}

hook category actions

Action Description
{%- ifversion ghes or ghae %}
hook.active_changed A hook's active status was updated.
{%- endif %}
hook.config_changed A hook's configuration was changed.
hook.create A new hook was added.
hook.destroy A hook was deleted.
hook.events_changed A hook's configured events were changed.

integration category actions

Action Description
integration.create An integration was created.
integration.destroy An integration was deleted.
integration.manager_added A member of an enterprise or organization was added as an integration manager.
integration.manager_removed A member of an enterprise or organization was removed from being an integration manager.
integration.transfer Ownership of an integration was transferred to another user or organization.
integration.remove_client_secret A client secret for an integration was removed.
integration.revoke_all_tokens All user tokens for an integration were requested to be revoked.
integration.revoke_tokens Token(s) for an integration were revoked.

integration_installation category actions

Action Description
integration_installation.contact_email_changed A contact email for an integration was changed.
integration_installation.create An integration was installed.
integration_installation.destroy An integration was uninstalled.
integration_installation.repositories_added Repositories were added to an integration.
integration_installation.repositories_removed Repositories were removed from an integration.
{%- ifversion fpt or ghec %}
integration_installation.suspend An integration was suspended.
integration_installation.unsuspend An integration was unsuspended.
{%- endif %}
integration_installation.version_updated Permissions for an integration were updated.

integration_installation_request category actions

Action Description
integration_installation_request.create A member requested that an owner install an integration for use in an enterprise or organization.
integration_installation_request.close A request to install an integration for use in an enterprise or organization was either approved or denied by an owner, or canceled by the member who opened the request.

{%- ifversion ghec or ghae %}

ip_allow_list category actions

Action Description
ip_allow_list.enable An IP allow list was enabled.
ip_allow_list.enable_for_installed_apps An IP allow list was enabled for installed {% data variables.product.prodname_github_apps %}.
ip_allow_list.disable An IP allow list was disabled.
ip_allow_list.disable_for_installed_apps An IP allow list was disabled for installed {% data variables.product.prodname_github_apps %}.

ip_allow_list_entry category actions

Action Description
ip_allow_list_entry.create An IP address was added to an IP allow list.
ip_allow_list_entry.update An IP address or its description was changed.
ip_allow_list_entry.destroy An IP address was deleted from an IP allow list.
{%- endif %}

issue category actions

Action Description
issue.destroy An issue was deleted from the repository. For more information, see "AUTOTITLE."
issue.pinned An issue was pinned to a repository. For more information, see "AUTOTITLE."
issue.transfer An issue was transferred to another repository. For more information, see "AUTOTITLE."
issue.unpinned An issue was unpinned from a repository. For more information, see "AUTOTITLE."

issue_comment category actions

Action Description
issue_comment.destroy A comment on an issue was deleted from the repository.
issue_comment.pinned A comment on an issue was pinned to a repository.
issue_comment.unpinned A comment on an issue was unpinned from a repository.
issue_comment.update A comment on an issue (other than the initial one) changed.

issues category actions

Action Description
issues.deletes_disabled The ability for enterprise members to delete issues was disabled. Members cannot delete issues in any organizations in an enterprise. For more information, see "AUTOTITLE."
issues.deletes_enabled The ability for enterprise members to delete issues was enabled. Members can delete issues in any organizations in an enterprise. For more information, see "AUTOTITLE."
issues.deletes_policy_cleared An enterprise owner{% ifversion ghes %} or site administrator{% endif %} cleared the policy setting for allowing members to delete issues in an enterprise. For more information, see "AUTOTITLE."

{% ifversion management-console-events-audit-log %}

management_console category actions

Action Description
management_console.add_authorized_ssh_key Access to the administrative shell (SSH) was granted by adding a public key. For more information, see "AUTOTITLE."
management_console.change_password The password for the root site administrator was changed. For more information, see "AUTOTITLE."
management_console.chatops_remove A configuration for the Microsoft Teams or Slack integration was removed. For more information, see "AUTOTITLE."
management_console.configure_github_enterprise A configuration run was started on the instance.
management_console.create_user A new {% data variables.enterprise.management_console %} user was created. For more information, see "AUTOTITLE."
management_console.delete_authorized_ssh_key Access to the administrative shell (SSH) was revoked due to the removal of a public key. For more information, see "AUTOTITLE."
management_console.delete_user A {% data variables.enterprise.management_console %} user was deleted. For more information, see "AUTOTITLE."
management_console.diagnostics_file_download A diagnostic file for the instance was generated. For more information, see "AUTOTITLE."
management_console.dns_test Domain settings were validated. For more information, see "AUTOTITLE."
management_console.edit_user A {% data variables.enterprise.management_console %} user's name or role was edited. For more information, see "AUTOTITLE."
management_console.email_test A test email was sent while enabling email notifications for the instance. For more information, see "AUTOTITLE."
management_console.initialize_cluster The instance was initialized as a cluster. For more information, see "AUTOTITLE."
management_console.initialize_management_console During initial configuration of the instance, a license was uploaded and the root site administrator password was set.
management_console.ldap_test LDAP connectivity was tested during configuration of LDAP for authentication. For more information, see "AUTOTITLE."
management_console.manage_maintenance_ip_exception_list The IP exception list to validate changes in maintenance mode was configured. For more information, see "AUTOTITLE."
management_console.manage_maintenance_mode Maintenance mode was enabled, disabled, or scheduled for the instance. For more information, see "AUTOTITLE."
management_console.modify_automatic_updates Automatic update checks were enabled or disabled for the instance. For more information, see "AUTOTITLE."
management_console.msteams_app_manifest A manifest file was generated for the Microsoft Teams integration. For more information, see "AUTOTITLE."
management_console.msteams_app_update The configuration for the Microsoft Teams integration was updated. For more information, see "AUTOTITLE."
management_console.new_user_setup An invitation was sent to a new {% data variables.enterprise.management_console %} user. For more information, see "AUTOTITLE."
management_console.request_tls_certificate A TLS certificate for the instance was requested from Let's Encrypt. For more information, see "AUTOTITLE."
management_console.resend_user_invitation An invitation to a new {% data variables.enterprise.management_console %} user was re-sent. For more information, see "AUTOTITLE."
management_console.save_first_run_settings Settings were saved during the initial configuration of the instance.
management_console.save_settings Settings were saved.
management_console.select_installation_type An installation type was selected during initialization of the instance.
management_console.slack_app_generate An app for the Slack integration was generated. For more information, see "AUTOTITLE."
management_console.slack_app_update The app-level token for the Slack integration was updated. For more information, see "AUTOTITLE."
management_console.smtp_test An SMTP configuration was tested while enabling email notifications for the instance. For more information, see "AUTOTITLE."
management_console.ssh_command A command was run using the administrative shell (SSH). For more information, see "AUTOTITLE."
management_console.storage_actions_test A storage configuration for {% data variables.product.prodname_actions %} was tested. For more information, see "AUTOTITLE."
management_console.storage_migrations_test A storage configuration for {% data variables.product.prodname_importer_proper_name %} was tested. For more information, see "AUTOTITLE."
management_console.storage_packages_test A storage configuration for {% data variables.product.prodname_registry %} was tested. For more information, see "AUTOTITLE."
management_console.support_bundle_download A support bundle for the instance was generated. For more information, see "AUTOTITLE."
management_console.unblock_user A {% data variables.enterprise.management_console %} user account was unlocked after the account was blocked for multiple failed sign-in attempts. For more information, see "AUTOTITLE."
management_console.update_user_password The password for a {% data variables.enterprise.management_console %} user was updated.
management_console.upgrade_license A new license for the instance was uploaded. For more information, see "AUTOTITLE."
management_console.user_sign_in Someone signed in to the {% data variables.enterprise.management_console %}. For more information, see "AUTOTITLE."
management_console.user_sign_out Someone signed out of the {% data variables.enterprise.management_console %}.
{% endif %}

{%- ifversion fpt or ghec %}

marketplace_agreement_signature category actions

Action Description
marketplace_agreement_signature.create A user signed the {% data variables.product.prodname_marketplace %} Developer Agreement on behalf of an organization.

marketplace_listing category actions

Action Description
marketplace_listing.approve A listing was approved for inclusion in {% data variables.product.prodname_marketplace %}.
marketplace_listing.change_category A category for a listing for an app in {% data variables.product.prodname_marketplace %} was changed.
marketplace_listing.create A listing for an app in {% data variables.product.prodname_marketplace %} was created.
marketplace_listing.delist A listing was removed from {% data variables.product.prodname_marketplace %}.
marketplace_listing.redraft A listing was sent back to draft state.
marketplace_listing.reject A listing was not accepted for inclusion in {% data variables.product.prodname_marketplace %}.
{%- endif %}

members_can_create_pages category actions

Action Description
members_can_create_pages.disable The ability for members to publish {% data variables.product.prodname_pages %} was disabled. Members cannot publish {% data variables.product.prodname_pages %} in an organization. For more information, see "AUTOTITLE."
members_can_create_pages.enable The ability for members to publish {% data variables.product.prodname_pages %} was enabled. Members can publish {% data variables.product.prodname_pages %} in an organization. For more information, see "AUTOTITLE."

members_can_create_private_pages category actions

Action Description
members_can_create_private_pages.disable The ability for members to publish private {% data variables.product.prodname_pages %} was disabled. Members cannot publish private {% data variables.product.prodname_pages %} in an organization. For more information, see "AUTOTITLE."
members_can_create_private_pages.enable The ability for members to publish private {% data variables.product.prodname_pages %} was enabled. Members can publish private {% data variables.product.prodname_pages %} in an organization. For more information, see "AUTOTITLE."

members_can_create_public_pages category actions

Action Description
members_can_create_public_pages.disable The ability for members to publish public {% data variables.product.prodname_pages %} was disabled. Members cannot publish public {% data variables.product.prodname_pages %} in an organization. For more information, see "AUTOTITLE."
members_can_create_public_pages.enable The ability for members to publish public {% data variables.product.prodname_pages %} was enabled. Members can publish public {% data variables.product.prodname_pages %} in an organization. For more information, see "AUTOTITLE."

{%- ifversion ghec or ghes or ghae %}

members_can_delete_repos category actions

Action Description
members_can_delete_repos.clear An enterprise owner{% ifversion ghes %} or site administrator{% endif %} cleared the policy setting for deleting or transferring repositories in any organizations in an enterprise. For more information, see "AUTOTITLE."
members_can_delete_repos.disable The ability for enterprise members to delete repositories was disabled. Members cannot delete or transfer repositories in any organizations in an enterprise. For more information, see "AUTOTITLE."
members_can_delete_repos.enable The ability for enterprise members to delete repositories was enabled. Members can delete or transfer repositories in any organizations in an enterprise. For more information, see "AUTOTITLE."

members_can_view_dependency_insights category actions

Action Description
members_can_view_dependency_insights.clear An enterprise owner{% ifversion ghes %} or site administrator{% endif %} cleared the policy setting for viewing dependency insights in any organizations in an enterprise.{% ifversion ghec %} For more information, see "AUTOTITLE."{% endif %}
members_can_view_dependency_insights.disable The ability for enterprise members to view dependency insights was disabled. Members cannot view dependency insights in any organizations in an enterprise.{% ifversion ghec %} For more information, see "AUTOTITLE."{% endif %}
members_can_view_dependency_insights.enable The ability for enterprise members to view dependency insights was enabled. Members can view dependency insights in any organizations in an enterprise.{% ifversion ghec %} For more information, see "AUTOTITLE."{% endif %}

migration category actions

Action Description
migration.create A migration file was created for transferring data from a source location (such as a {% data variables.product.prodname_dotcom_the_website %} organization or a {% data variables.product.prodname_ghe_server %} instance) to a target {% data variables.product.prodname_ghe_server %} instance.
migration.destroy_file A migration file for transferring data from a source location (such as a {% data variables.product.prodname_dotcom_the_website %} organization or a {% data variables.product.prodname_ghe_server %} instance) to a target {% data variables.product.prodname_ghe_server %} instance was deleted.
migration.download A migration file for transferring data from a source location (such as a {% data variables.product.prodname_dotcom_the_website %} organization or a {% data variables.product.prodname_ghe_server %} instance) to a target {% data variables.product.prodname_ghe_server %} instance was downloaded.
{%- endif %}

oauth_access category actions

Action Description
oauth_access.create An OAuth access token was generated for a user account. For more information, see "AUTOTITLE."
oauth_access.destroy An OAuth access token was deleted from a user account.

oauth_application category actions

Action Description
oauth_application.create An OAuth application was created for a user or organization account.
oauth_application.destroy An OAuth application was deleted from a user or organization account.
{%- ifversion fpt or ghec %}
oauth_application.generate_client_secret An OAuth application's secret key was generated.
oauth_application.remove_client_secret An OAuth application's secret key was deleted.
{%- endif %}
oauth_application.reset_secret An OAuth application's secret key was reset.
{%- ifversion fpt or ghec %}
oauth_application.revoke_all_tokens All user tokens for an OAuth application were requested to be revoked.
{%- endif %}
oauth_application.revoke_tokens Token(s) for an OAuth application were revoked.
oauth_application.transfer An OAuth application was transferred from one user or organization account to another.
{%- ifversion ghes or ghae %}
oauth_application.unsuspend An OAuth application was unsuspended for a user or organization account.
{%- endif %}

{%- ifversion fpt or ghec %}

oauth_authorization category actions

Action Description
oauth_authorization.create An authorization for an OAuth application was created. For more information, see "AUTOTITLE."
oauth_authorization.destroy An authorization for an OAuth application was deleted. For more information, see "AUTOTITLE."
oauth_authorization.update An authorization for an OAuth application was updated. For more information, see "AUTOTITLE."
{%- endif %}

org category actions

Action Description
org.accept_business_invitation An invitation sent to an organization to join an enterprise was accepted. {% ifversion ghec %}For more information, see "AUTOTITLE."{% endif %}
org.add_billing_manager A billing manager was added to an organization. {% ifversion fpt or ghec %}For more information, see "AUTOTITLE."{% endif %}
org.add_member A user joined an organization.
org.advanced_security_disabled_for_new_repos {% data variables.product.prodname_GH_advanced_security %} was disabled for new repositories in an organization.
org.advanced_security_disabled_on_all_repos {% data variables.product.prodname_GH_advanced_security %} was disabled for all repositories in an organization.
org.advanced_security_enabled_for_new_repos {% data variables.product.prodname_GH_advanced_security %} was enabled for new repositories in an organization.
org.advanced_security_enabled_on_all_repos {% data variables.product.prodname_GH_advanced_security %} was enabled for all repositories in an organization.
org.advanced_security_policy_selected_member_disabled An enterprise owner prevented {% data variables.product.prodname_GH_advanced_security %} features from being enabled for repositories owned by the organization. {% data reusables.advanced-security.more-information-about-enforcement-policy %}
org.advanced_security_policy_selected_member_enabled An enterprise owner allowed {% data variables.product.prodname_GH_advanced_security %} features to be enabled for repositories owned by the organization. {% data reusables.advanced-security.more-information-about-enforcement-policy %}
org.advanced_security_policy_update An organization owner updated policies for {% data variables.product.prodname_GH_advanced_security %} in an enterprise. {% data reusables.advanced-security.more-information-about-enforcement-policy %}
org.async_delete A user initiated a background job to delete an organization.
{%- ifversion ghec %}
org.audit_log_export An organization owner created an export of the organization audit log. If the export included a query, the log will list the query used and the number of audit log entries matching that query. For more information, see "AUTOTITLE."
{%- endif %}
org.block_user An organization owner blocked a user from accessing the organization's repositories. {% ifversion fpt or ghec %}For more information, see "AUTOTITLE."{% endif %}
org.cancel_business_invitation An invitation for an organization to join an enterprise was revoked. {% ifversion ghec %}For more information, see "AUTOTITLE."{% endif %}
org.cancel_invitation An invitation sent to a user to join an organization was revoked.
org.clear_actions_settings An organization owner cleared {% data variables.product.prodname_actions %} policy settings for an organization. For more information, see "AUTOTITLE."
org.clear_default_repository_permission An organization owner cleared the base repository permission policy setting for an organization. For more information, see "AUTOTITLE."
org.clear_member_team_creation_permission An organization owner cleared the new teams creation setting for an organization. For more information, see "AUTOTITLE."
org.clear_reader_discussion_creation_permission An organization owner cleared the new discussion creation setting for an organization. {% ifversion fpt or ghec %}For more information, see "AUTOTITLE."{% endif %}
org.clear_members_can_create_repos An organization owner cleared a restriction on repository creation in an organization. For more information, see "AUTOTITLE."
org.clear_members_can_invite_outside_collaborators An organization owner cleared the outside collaborators invitation policy for an organization. For more information, see "AUTOTITLE."
org.clear_new_repository_default_branch_setting An organization owner cleared the default branch name for new repositories setting for an organization. For more information, see "AUTOTITLE."
{%- ifversion fpt or ghec %}
org.codespaces_trusted_repo_access_granted {% data variables.product.prodname_github_codespaces %} was granted trusted repository access to all other repositories in an organization. For more information, see "AUTOTITLE."
org.codespaces_trusted_repo_access_revoked {% data variables.product.prodname_github_codespaces %} trusted repository access to all other repositories in an organization was revoked. For more information, see "AUTOTITLE."
{%- endif %}
org.config.disable_collaborators_only The interaction limit for collaborators only for an organization was disabled. {% ifversion fpt or ghec %}For more information, see "AUTOTITLE."{% endif %}
org.config.disable_contributors_only The interaction limit for prior contributors only for an organization was disabled. {% ifversion fpt or ghec %}For more information, see "AUTOTITLE."{% endif %}
org.config.disable_sockpuppet_disallowed The interaction limit for existing users only for an organization was disabled. {% ifversion fpt or ghec %}For more information, see "AUTOTITLE."{% endif %}
org.config.enable_collaborators_only The interaction limit for collaborators only for an organization was enabled. {% ifversion fpt or ghec %}For more information, see "AUTOTITLE."{% endif %}
org.config.enable_contributors_only The interaction limit for prior contributors only for an organization was enabled. {% ifversion fpt or ghec %}For more information, see "AUTOTITLE."{% endif %}
org.config.enable_sockpuppet_disallowed The interaction limit for existing users only for an organization was enabled. {% ifversion fpt or ghec %}For more information, see "AUTOTITLE."{% endif %}
org.confirm_business_invitation An invitation for an organization to join an enterprise was confirmed. {% ifversion ghec %}For more information, see "AUTOTITLE."{% endif %}
org.create An organization was created. For more information, see "AUTOTITLE."
{%- ifversion fpt or ghec or ghes %}
org.create_actions_secret A {% data variables.product.prodname_actions %} secret was created for an organization. For more information, see "AUTOTITLE."
{%- endif %}
org.create_integration_secret A {% data variables.product.prodname_dependabot %}{% ifversion fpt or ghec %} or {% data variables.product.prodname_github_codespaces %}{% endif %} integration secret was created for an organization.
org.delete An organization was deleted by a user-initiated background job.
org.disable_member_team_creation_permission An organization owner limited team creation to owners. For more information, see "AUTOTITLE."
org.disable_reader_discussion_creation_permission An organization owner limited discussion creation to users with at least triage permission in an organization. {% ifversion fpt or ghec %}For more information, see "AUTOTITLE."{% endif %}
{%- ifversion fpt or ghec %}
org.disable_oauth_app_restrictions Third-party application access restrictions for an organization were disabled. For more information, see "AUTOTITLE."
{%- endif %}
{%- ifversion ghec %}
org.disable_saml An organization owner disabled SAML single sign-on for an organization.
{%- endif %}
{%- ifversion not ghae %}
org.disable_two_factor_requirement An organization owner disabled a two-factor authentication requirement for all members{% ifversion fpt or ghec %}, billing managers,{% endif %} and outside collaborators in an organization.
{%- endif %}
org.display_commenter_full_name_disabled An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.
org.display_commenter_full_name_enabled An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.
org.enable_member_team_creation_permission An organization owner allowed members to create teams. For more information, see "AUTOTITLE."
org.enable_reader_discussion_creation_permission An organization owner allowed users with read access to create discussions in an organization. {% ifversion fpt or ghec %}For more information, see "AUTOTITLE."{% endif %}
{%- ifversion fpt or ghec %}
org.enable_oauth_app_restrictions Third-party application access restrictions for an organization were enabled. For more information, see "AUTOTITLE."
{%- endif %}
{%- ifversion ghec %}
org.enable_saml An organization owner enabled SAML single sign-on for an organization.
{%- endif %}
{%- ifversion not ghae %}
org.enable_two_factor_requirement An organization owner required two-factor authentication for all members{% ifversion fpt or ghec %}, billing managers,{% endif %} and outside collaborators in an organization.
{%- endif %}
org.integration_manager_added An organization owner granted a member access to manage all GitHub Apps owned by an organization.
org.integration_manager_removed An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.
org.invite_member A new user was invited to join an organization. {% ifversion fpt or ghec %}For more information, see "AUTOTITLE."{% endif %}
org.invite_to_business An organization was invited to join an enterprise.
org.members_can_update_protected_branches.clear An organization owner unset a policy for whether members of an organization can update protected branches on repositories in an organization. Organization owners can choose whether to allow updating protected branches settings.
org.members_can_update_protected_branches.disable The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.
org.members_can_update_protected_branches.enable The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.
{%- ifversion fpt or ghec %}
org.oauth_app_access_approved An owner granted organization access to an {% data variables.product.prodname_oauth_app %}.
org.oauth_app_access_denied An owner disabled a previously approved {% data variables.product.prodname_oauth_app %}'s access to an organization.
org.oauth_app_access_requested An organization member requested that an owner grant an {% data variables.product.prodname_oauth_app %} access to an organization.
{%- endif %}
org.recreate An organization was restored.
org.register_self_hosted_runner A new self-hosted runner was registered. For more information, see "AUTOTITLE."
org.remove_actions_secret A {% data variables.product.prodname_actions %} secret was removed.
org.remove_integration_secret A {% data variables.product.prodname_dependabot %}{% ifversion fpt or ghec %} or {% data variables.product.prodname_github_codespaces %}{% endif %} integration secret was removed from an organization.
org.remove_billing_manager An owner removed a billing manager from an organization{% ifversion not ghae %} or when two-factor authentication was required in an organization and a billing manager didn't use 2FA or disabled 2FA{% endif %}. {% ifversion fpt or ghec %}For more information, see "AUTOTITLE."{% endif %}
org.remove_member An owner removed a member from an organization{% ifversion not ghae %} or when two-factor authentication was required in an organization and an organization member didn't use 2FA or disabled 2FA{% endif %}. Also recorded when an organization member removed themselves from an organization.
org.remove_outside_collaborator An owner removed an outside collaborator from an organization{% ifversion not ghae %} or when two-factor authentication was required in an organization and an outside collaborator didn't use 2FA or disabled 2FA{% endif %}.
org.remove_self_hosted_runner A self-hosted runner was removed. For more information, see "AUTOTITLE."
org.rename An organization was renamed.
org.restore_member An organization member was restored. For more information, see "AUTOTITLE."
{%- ifversion ghec %}
org.revoke_external_identity An organization owner revoked a member's linked identity. For more information, see "AUTOTITLE."
org.revoke_sso_session An organization owner revoked a member's SAML session. For more information, see "AUTOTITLE."
{%- endif %}
org.runner_group_created A self-hosted runner group was created. For more information, see "AUTOTITLE."
org.runner_group_removed A self-hosted runner group was removed. For more information, see "AUTOTITLE."
{%- ifversion fpt or ghec %}
org.runner_group_renamed A self-hosted runner group was renamed. For more information, see "AUTOTITLE."
{%- endif %}
org.runner_group_updated The configuration of a self-hosted runner group was changed. For more information, see "AUTOTITLE."
org.runner_group_runner_removed The REST API was used to remove a self-hosted runner from a group. For more information, see "AUTOTITLE."
org.runner_group_runners_added A self-hosted runner was added to a group. For more information, see "Moving a self-hosted runner to a group."
org.runner_group_runners_updated A runner group's list of members was updated. For more information, see "AUTOTITLE."
{%- ifversion fpt or ghec %}
org.runner_group_visiblity_updated The visibility of a self-hosted runner group was updated via the REST API. For more information, see "AUTOTITLE."
{%- endif %}
{%- ifversion secret-scanning-custom-pattern-push-protection-audit %}
org.secret_scanning_custom_pattern_push_protection_disabled Push protection for a custom pattern for {% data variables.product.prodname_secret_scanning %} was disabled for your organization. For more information, see "AUTOTITLE."
org.secret_scanning_custom_pattern_push_protection_enabled Push protection for a custom pattern for {% data variables.product.prodname_secret_scanning %} was enabled for your organization. For more information, see "AUTOTITLE."
{%- endif %}
{%- ifversion code-security-audit-log-events %}
org.secret_scanning_push_protection_custom_message_disabled The custom message triggered by an attempted push to a push-protected repository was disabled for your organization. For more information, see "AUTOTITLE."
org.secret_scanning_push_protection_custom_message_enabled The custom message triggered by an attempted push to a push-protected repository was enabled for your organization. For more information, see "AUTOTITLE."
org.secret_scanning_push_protection_custom_message_updated The custom message triggered by an attempted push to a push-protected repository was updated for your organization. For more information, see "AUTOTITLE."
{%- endif %}
{%- ifversion secret-scanning-audit-log-custom-patterns %}
org.secret_scanning_push_protection_disable An organization owner or administrator disabled push protection for secret scanning. For more information, see "AUTOTITLE."
org.secret_scanning_push_protection_enable An organization owner or administrator enabled push protection for secret scanning.
{%- endif %}
org.self_hosted_runner_online The runner application was started. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "AUTOTITLE."
org.self_hosted_runner_offline The runner application was stopped. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "AUTOTITLE."
{%- ifversion fpt or ghec or ghes %}
org.self_hosted_runner_updated The runner application was updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "AUTOTITLE."
{%- endif %}
{%- ifversion fpt or ghec %}
org.set_actions_fork_pr_approvals_policy The setting for requiring approvals for workflows from public forks was changed for an organization. For more information, see "AUTOTITLE."
{%- endif %}
org.set_actions_retention_limit The retention period for {% data variables.product.prodname_actions %} artifacts and logs in an organization was changed. For more information, see "AUTOTITLE."
{%- ifversion fpt or ghec or ghes %}
org.set_fork_pr_workflows_policy The policy for workflows on private repository forks was changed. For more information, see "AUTOTITLE."
{%- endif %}
{%- ifversion ghes or audit-log-sso-response-events %}
org.sso_response A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is only available via audit log streaming and the REST API.
{%- endif %}
{%- ifversion ghec %}
org.transfer An organization was transferred between enterprise accounts. For more information, see "AUTOTITLE."
{%- endif %}
{%- ifversion not ghae %}
org.transform A user account was converted into an organization. For more information, see "AUTOTITLE."
{%- endif %}
org.unblock_user An organization owner unblocked a user from an organization. {% ifversion fpt or ghec %}For more information, see "AUTOTITLE."{% endif %}
{%- ifversion fpt or ghec or ghes %}
org.update_actions_secret A {% data variables.product.prodname_actions %} secret was updated.
{%- endif %}
org.update_integration_secret A {% data variables.product.prodname_dependabot %}{% ifversion fpt or ghec %} or {% data variables.product.prodname_github_codespaces %}{% endif %} integration secret was updated for an organization.
org.update_default_repository_permission An organization owner changed the default repository permission level for organization members.
org.update_member An organization owner changed a person's role from owner to member or member to owner.
org.update_member_repository_creation_permission An organization owner changed the create repository permission for organization members.
org.update_member_repository_invitation_permission An organization owner changed the policy setting for organization members inviting outside collaborators to repositories. For more information, see "AUTOTITLE."
org.update_new_repository_default_branch_setting An organization owner changed the name of the default branch for new repositories in the organization. For more information, see "AUTOTITLE."
{%- ifversion ghec or ghae %}
org.update_saml_provider_settings An organization's SAML provider settings were updated.
org.update_terms_of_service An organization changed between the Standard Terms of Service and the Corporate Terms of Service. {% ifversion ghec %}For more information, see "AUTOTITLE."{% endif %}
{%- endif %}

{%- ifversion ghec or ghes or ghae %}

org_credential_authorization category actions

Action Description
org_credential_authorization.deauthorized A member deauthorized credentials for use with SAML single sign-on. {% ifversion ghec or ghae %}For more information, see "AUTOTITLE."{% endif %}
org_credential_authorization.grant A member authorized credentials for use with SAML single sign-on. {% ifversion ghec or ghae %}For more information, see "AUTOTITLE."{% endif %}
org_credential_authorization.revoke An owner revoked authorized credentials. {% ifversion ghec %}For more information, see "AUTOTITLE."{% endif %}
{%- endif %}

{%- ifversion secret-scanning-audit-log-custom-patterns %}

org_secret_scanning_custom_pattern category actions

Action Description
org_secret_scanning_custom_pattern.create A custom pattern was created for {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see "AUTOTITLE."
org_secret_scanning_custom_pattern.delete A custom pattern was removed from {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see "AUTOTITLE."
org_secret_scanning_custom_pattern.publish A custom pattern was published for {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see "AUTOTITLE."
org_secret_scanning_custom_pattern.update Changes to a custom pattern were saved and a dry run was executed for {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see "AUTOTITLE."
{%- endif %}

organization_default_label category actions

Action Description
organization_default_label.create A default label for repositories in an organization was created. For more information, see "AUTOTITLE."
organization_default_label.update A default label for repositories in an organization was edited. For more information, see "AUTOTITLE."
organization_default_label.destroy A default label for repositories in an organization was deleted. For more information, see "AUTOTITLE."

{%- ifversion fpt or ghec or ghes %}

organization_domain category actions

Action Description
organization_domain.approve An enterprise domain was approved for an organization. For more information, see "AUTOTITLE."
organization_domain.create An enterprise domain was added to an organization. For more information, see "AUTOTITLE."
organization_domain.destroy An enterprise domain was removed from an organization. For more information, see "AUTOTITLE."
organization_domain.verify An enterprise domain was verified for an organization. For more information, see "AUTOTITLE."

organization_projects_change category actions

Action Description
organization_projects_change.clear An enterprise owner{% ifversion ghes %} or site administrator{% endif %} cleared the policy setting for organization-wide project boards in an enterprise. For more information, see "AUTOTITLE."
organization_projects_change.disable Organization projects were disabled for all organizations in an enterprise. For more information, see "AUTOTITLE."
organization_projects_change.enable Organization projects were enabled for all organizations in an enterprise. For more information, see "AUTOTITLE."
{%- endif %}

{%- ifversion not ghes %}

packages category actions

Action Description
packages.package_deleted A package was deleted from an organization.{% ifversion fpt or ghec or ghes %} For more information, see "AUTOTITLE."{% endif %}
packages.package_published A package was published or republished to an organization.
packages.package_version_deleted A specific package version was deleted.{% ifversion fpt or ghec or ghes %} For more information, see "AUTOTITLE."{% endif %}
packages.package_version_published A specific package version was published or republished to a package.
{%- endif %}

{%- ifversion fpt or ghec %}

pages_protected_domain category actions

Action Description
pages_protected_domain.create A {% data variables.product.prodname_pages %} verified domain was created for an organization or enterprise. For more information, see "AUTOTITLE."
pages_protected_domain.delete A {% data variables.product.prodname_pages %} verified domain was deleted from an organization or enterprise. For more information, see "AUTOTITLE."
pages_protected_domain.verify A {% data variables.product.prodname_pages %} domain was verified for an organization or enterprise. For more information, see "AUTOTITLE."

payment_method category actions

Action Description
payment_method.create A new payment method was added, such as a new credit card or PayPal account.
payment_method.remove A payment method was removed.
payment_method.update An existing payment method was updated.

prebuild_configuration category actions

Action Description
prebuild_configuration.create A {% data variables.product.prodname_github_codespaces %} prebuild configuration for a repository was created. For more information, see "AUTOTITLE."
prebuild_configuration.destroy A {% data variables.product.prodname_github_codespaces %} prebuild configuration for a repository was deleted. For more information, see "AUTOTITLE."
prebuild_configuration.run_triggered A user initiated a run of a {% data variables.product.prodname_github_codespaces %} prebuild configuration for a repository branch. For more information, see "AUTOTITLE."
prebuild_configuration.update A {% data variables.product.prodname_github_codespaces %} prebuild configuration for a repository was edited. For more information, see "AUTOTITLE."
{%- endif %}

{%- ifversion ghes %}

pre_receive_environment category actions

Action Description
pre_receive_environment.create A pre-receive hook environment was created. For more information, see "AUTOTITLE."
pre_receive_environment.destroy A pre-receive hook environment was deleted. For more information, see "AUTOTITLE."
pre_receive_environment.download A pre-receive hook environment was downloaded. For more information, see "AUTOTITLE."
pre_receive_environment.update A pre-receive hook environment was updated. For more information, see "AUTOTITLE."

pre_receive_hook category actions

Action Description
pre_receive_hook.create A pre-receive hook was created. For more information, see "AUTOTITLE."
pre_receive_hook.destroy A pre-receive hook was deleted. For more information, see "AUTOTITLE."
pre_receive_hook.enforcement A pre-receive hook enforcement setting allowing repository administrators and organization owners to override the hook configuration was enabled or disabled. For more information, see "AUTOTITLE."
pre_receive_hook.rejected_push A pre-receive hook rejected a push.
pre_receive_hook.update A pre-receive hook was created. For more information, see "AUTOTITLE."
pre_receive_hook.warned_push A pre-receive hook warned about a push.
{%- endif %}

private_repository_forking category actions

Action Description
private_repository_forking.clear An enterprise owner{% ifversion ghes %} or site administrator{% endif %} cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. For more information, see "AUTOTITLE," "AUTOTITLE," and for enterprises "AUTOTITLE."
private_repository_forking.disable An enterprise owner{% ifversion ghes %} or site administrator{% endif %} disabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are never allowed to be forked. For more information, see "AUTOTITLE," "AUTOTITLE," and for enterprises "AUTOTITLE."
private_repository_forking.enable An enterprise owner{% ifversion ghes %} or site administrator{% endif %} enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked. For more information, see "AUTOTITLE," "AUTOTITLE," and for enterprises "AUTOTITLE."

{%- ifversion fpt or ghec %}

profile_picture category actions

Action Description
profile_picture.update A profile picture was updated.
{%- endif %}

project category actions

Action Description
project.access A project board's visibility was changed. For more information, see "AUTOTITLE."
project.close A project board was closed. For more information, see "AUTOTITLE."
project.create A project board was created. For more information, see "AUTOTITLE."
project.delete A project board was deleted. For more information, see "AUTOTITLE."
project.link A repository was linked to a project board. For more information, see "AUTOTITLE."
project.open A project board was reopened. For more information, see "AUTOTITLE."
project.rename A project board was renamed. For more information, see "AUTOTITLE."
project.unlink A repository was unlinked from a project board. For more information, see "AUTOTITLE."
project.update_org_permission The project's base-level permission for all organization members was changed or removed. For more information, see "AUTOTITLE."
project.update_team_permission A team's project board permission level was changed, or a team was added to or removed from a project board. For more information, see "AUTOTITLE."
project.update_user_permission An organization member or outside collaborator was added to or removed from a project board or had their permission level changed. For more information, see "AUTOTITLE."

{%- ifversion projects-v2 %}

project_field category actions

Action Description
project_field.create A field was created in a project board. For more information, see "AUTOTITLE."
project_field.delete A field was deleted in a project board. For more information, see "AUTOTITLE."

project_view category actions

Action Description
project_view.create A view was created in a project board. For more information, see "AUTOTITLE."
project_view.delete A view was deleted in a project board. For more information, see "AUTOTITLE."
{%- endif %}

protected_branch category actions

Action Description
protected_branch.create Branch protection was enabled on a branch.
protected_branch.destroy Branch protection was disabled on a branch.
protected_branch.dismiss_stale_reviews Enforcement of dismissing stale pull requests was updated on a branch.
{%- ifversion ghes %}
protected_branch.dismissal_restricted_users_teams Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.
{%- endif %}
protected_branch.policy_override A branch protection requirement was overridden by a repository administrator.
protected_branch.rejected_ref_update A branch update attempt was rejected.
protected_branch.required_status_override The required status checks branch protection requirement was overridden by a repository administrator.
protected_branch.review_policy_and_required_status_override The required reviews and required status checks branch protection requirements were overridden by a repository administrator.
protected_branch.review_policy_override The required reviews branch protection requirement was overridden by a repository administrator.
protected_branch.update_admin_enforced Branch protection was enforced for repository administrators.
{%- ifversion ghes %}
protected_branch.update_allow_deletions_enforcement_level Enforcement of allowing users with push access to delete matching branches was updated on a branch.
protected_branch.update_allow_force_pushes_enforcement_level Enforcement of allowing force pushes for all users with push access was updated on a branch.
protected_branch.update_linear_history_requirement_enforcement_level Enforcement of requiring linear commit history was updated on a branch.
{%- endif %}
protected_branch.update_pull_request_reviews_enforcement_level Enforcement of required pull request reviews was updated on a branch. Can be one of 0 (deactivated), 1 (non-admins), 2 (everyone).
protected_branch.update_require_code_owner_review Enforcement of required code owner review was updated on a branch.
protected_branch.update_required_approving_review_count Enforcement of the required number of approvals before merging was updated on a branch.
protected_branch.update_required_status_checks_enforcement_level Enforcement of required status checks was updated on a branch.
protected_branch.update_signature_requirement_enforcement_level Enforcement of required commit signing was updated on a branch.
protected_branch.update_strict_required_status_checks_policy Enforcement of required status checks was updated on a branch.
protected_branch.update_name A branch name pattern was updated for a branch.

public_key category actions

Action Description
public_key.create An SSH key was added to a user account or a deploy key was added to a repository.
public_key.delete An SSH key was removed from a user account or a deploy key was removed from a repository.
public_key.update A user account's SSH key or a repository's deploy key was updated.
public_key.unverification_failure A user account's SSH key or a repository's deploy key was unable to be unverified.
public_key.unverify A user account's SSH key or a repository's deploy key was unverified.
public_key.verification_failure A user account's SSH key or a repository's deploy key was unable to be verified.
public_key.verify A user account's SSH key or a repository's deploy key was verified.

pull_request category actions

Action Description
pull_request.close A pull request was closed without being merged. For more information, see "AUTOTITLE."
pull_request.converted_to_draft A pull request was converted to a draft. For more information, see "AUTOTITLE."
pull_request.create A pull request was created. For more information, see "AUTOTITLE."
pull_request.create_review_request A review was requested on a pull request. For more information, see "AUTOTITLE."
pull_request.in_progress A pull request was marked as in progress.
pull_request.indirect_merge A pull request was considered merged because the pull request's commits were merged into the target branch.
pull_request.merge A pull request was merged. For more information, see "AUTOTITLE."
pull_request.ready_for_review A pull request was marked as ready for review. For more information, see "AUTOTITLE."
pull_request.remove_review_request A review request was removed from a pull request. For more information, see "AUTOTITLE."
pull_request.reopen A pull request was reopened after previously being closed.
pull_request_review.delete A review on a pull request was deleted.
pull_request_review.dismiss A review on a pull request was dismissed. For more information, see "AUTOTITLE."
pull_request_review.submit A review was submitted for a pull request. For more information, see "AUTOTITLE."

pull_request_review category actions

Action Description
pull_request_review.delete A review on a pull request was deleted.
pull_request_review.dismiss A review on a pull request was dismissed. For more information, see "AUTOTITLE."
pull_request_review.submit A review on a pull request was submitted. For more information, see "AUTOTITLE."

pull_request_review_comment category actions

Action Description
pull_request_review_comment.create A review comment was added to a pull request. For more information, see "AUTOTITLE."
pull_request_review_comment.delete A review comment on a pull request was deleted.
pull_request_review_comment.update A review comment on a pull request was changed.

repo category actions

Action Description
repo.access The visibility of a repository changed.
repo.actions_enabled {% data variables.product.prodname_actions %} was enabled for a repository.
repo.add_member A collaborator was added to a repository.
repo.add_topic A topic was added to a repository.
repo.advanced_security_disabled {% data variables.product.prodname_GH_advanced_security %} was disabled for a repository.
repo.advanced_security_enabled {% data variables.product.prodname_GH_advanced_security %} was enabled for a repository.
repo.advanced_security_policy_selected_member_disabled A repository administrator prevented {% data variables.product.prodname_GH_advanced_security %} features from being enabled for a repository.
repo.advanced_security_policy_selected_member_enabled A repository administrator allowed {% data variables.product.prodname_GH_advanced_security %} features to be enabled for a repository.
repo.archived A repository was archived. For more information, see "AUTOTITLE."
repo.change_merge_setting Pull request merge options were changed for a repository.
repo.clear_actions_settings A repository administrator cleared {% data variables.product.prodname_actions %} policy settings for a repository.
repo.code_scanning_analysis_deleted Code scanning analysis for a repository was deleted. For more information, see "AUTOTITLE."
{%- ifversion remove-code-scanning-configurations %}
repo.code_scanning_configuration_for_branch_deleted A {% data variables.product.prodname_code_scanning %} configuration for a branch of a repository was deleted. For more information, see "AUTOTITLE."
{%- endif %}
repo.config A repository administrator blocked force pushes. For more information, see "AUTOTITLE."
{%- ifversion fpt or ghec %}
repo.config.disable_collaborators_only The interaction limit for collaborators only was disabled. For more information, see "AUTOTITLE."
repo.config.disable_contributors_only The interaction limit for prior contributors only was disabled in a repository. For more information, see "AUTOTITLE."
repo.config.disable_sockpuppet_disallowed The interaction limit for existing users only was disabled in a repository. For more information, see "AUTOTITLE."
repo.config.enable_collaborators_only The interaction limit for collaborators only was enabled in a repository. Users that are not collaborators or organization members were unable to interact with a repository for a set duration. For more information, see "AUTOTITLE."
repo.config.enable_contributors_only The interaction limit for prior contributors only was enabled in a repository. Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration. For more information, see "AUTOTITLE."
repo.config.enable_sockpuppet_disallowed The interaction limit for existing users was enabled in a repository. New users aren't able to interact with a repository for a set duration. Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository. For more information, see "AUTOTITLE."
{%- endif %}
{%- ifversion ghes %}
repo.config.disable_anonymous_git_access Anonymous Git read access was disabled for a repository. For more information, see "AUTOTITLE."
repo.config.enable_anonymous_git_access Anonymous Git read access was enabled for a repository. For more information, see "AUTOTITLE."
repo.config.lock_anonymous_git_access A repository's anonymous Git read access setting was locked, preventing repository administrators from changing (enabling or disabling) this setting. For more information, see "AUTOTITLE."
repo.config.unlock_anonymous_git_access A repository's anonymous Git read access setting was unlocked, allowing repository administrators to change (enable or disable) this setting. For more information, see "AUTOTITLE."
{%- endif %}
repo.create A repository was created.
repo.create_actions_secret A {% data variables.product.prodname_actions %} secret was created for a repository. For more information, see "AUTOTITLE."
repo.create_integration_secret A {% data variables.product.prodname_dependabot %}{% ifversion fpt or ghec %} or {% data variables.product.prodname_github_codespaces %}{% endif %} integration secret was created for a repository.
repo.destroy A repository was deleted.
{%- ifversion ghes %}
repo.disk_archive A repository was archived on disk. For more information, see "AUTOTITLE."
{%- endif %}
repo.download_zip A source code archive of a repository was downloaded as a ZIP file. For more information, see "AUTOTITLE."
repo.pages_cname A {% data variables.product.prodname_pages %} custom domain was modified in a repository.
repo.pages_create A {% data variables.product.prodname_pages %} site was created.
repo.pages_destroy A {% data variables.product.prodname_pages %} site was deleted.
repo.pages_https_redirect_disabled HTTPS redirects were disabled for a {% data variables.product.prodname_pages %} site.
repo.pages_https_redirect_enabled HTTPS redirects were enabled for a {% data variables.product.prodname_pages %} site.
repo.pages_source A {% data variables.product.prodname_pages %} source was modified.
repo.pages_private A {% data variables.product.prodname_pages %} site visibility was changed to private.
repo.pages_public A {% data variables.product.prodname_pages %} site visibility was changed to public.
repo.register_self_hosted_runner A new self-hosted runner was registered. For more information, see "AUTOTITLE."
repo.remove_self_hosted_runner A self-hosted runner was removed. For more information, see "AUTOTITLE."
repo.remove_actions_secret A {% data variables.product.prodname_actions %} secret was deleted for a repository.
repo.remove_integration_secret A {% data variables.product.prodname_dependabot %}{% ifversion fpt or ghec %} or {% data variables.product.prodname_github_codespaces %}{% endif %} integration secret was deleted for a repository.
repo.remove_member A collaborator was removed from a repository.
repo.remove_topic A topic was removed from a repository.
repo.rename A repository was renamed.
{%- ifversion fpt or ghec %}
repo.set_actions_fork_pr_approvals_policy The setting for requiring approvals for workflows from public forks was changed for a repository. For more information, see "AUTOTITLE."
{%- endif %}
repo.set_actions_retention_limit The retention period for {% data variables.product.prodname_actions %} artifacts and logs in a repository was changed. For more information, see "AUTOTITLE."
repo.self_hosted_runner_online The runner application was started. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "AUTOTITLE."
repo.self_hosted_runner_offline The runner application was stopped. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "AUTOTITLE."
repo.self_hosted_runner_updated The runner application was updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "AUTOTITLE."
repo.staff_unlock An enterprise administrator or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.
repo.transfer A user accepted a request to receive a transferred repository.
repo.transfer_outgoing A repository was transferred to another repository network.
repo.transfer_start A user sent a request to transfer a repository to another user or organization.
repo.unarchived A repository was unarchived. For more information, see "AUTOTITLE."
repo.update_actions_settings A repository administrator changed {% data variables.product.prodname_actions %} policy settings for a repository.
repo.update_actions_secret A {% data variables.product.prodname_actions %} secret was updated.
repo.update_actions_access_settings The setting to control how a repository was used by {% data variables.product.prodname_actions %} workflows in other repositories was changed.
repo.update_default_branch The default branch for a repository was changed.
repo.update_integration_secret A {% data variables.product.prodname_dependabot %}{% ifversion ghec %} or {% data variables.product.prodname_github_codespaces %}{% endif %} integration secret was updated for a repository.
repo.update_member A user's permission to a repository was changed.

{%- ifversion fpt or ghec %}

repository_advisory category actions

Action Description
repository_advisory.close Someone closed a security advisory. For more information, see "AUTOTITLE."
repository_advisory.cve_request Someone requested a CVE (Common Vulnerabilities and Exposures) number from {% data variables.product.prodname_dotcom %} for a draft security advisory.
repository_advisory.github_broadcast {% data variables.product.prodname_dotcom %} made a security advisory public in the {% data variables.product.prodname_advisory_database %}.
repository_advisory.github_withdraw {% data variables.product.prodname_dotcom %} withdrew a security advisory that was published in error.
repository_advisory.open Someone opened a draft security advisory.
repository_advisory.publish Someone published a security advisory.
repository_advisory.reopen Someone reopened a draft security advisory.
repository_advisory.update Someone edited a draft or published security advisory.

repository_content_analysis category actions

Action Description
repository_content_analysis.enable An organization owner or repository administrator enabled data use settings for a private repository.
repository_content_analysis.disable An organization owner or repository administrator disabled data use settings for a private repository.

repository_dependency_graph category actions

Action Description
repository_dependency_graph.disable A repository owner or administrator disabled the dependency graph for a private repository. For more information, see "AUTOTITLE."
repository_dependency_graph.enable A repository owner or administrator enabled the dependency graph for a private repository.
{%- endif %}

repository_image category actions

Action Description
repository_image.create An image to represent a repository was uploaded.
repository_image.destroy An image to represent a repository was deleted.

repository_invitation category actions

Action Description
repository_invitation.accept An invitation to join a repository was accepted.
repository_invitation.cancel An invitation to join a repository was canceled.
repository_invitation.create An invitation to join a repository was sent.
repository_invitation.reject An invitation to join a repository was declined.

repository_projects_change category actions

Action Description
repository_projects_change.clear The repository projects policy was removed for an organization, or all organizations in the enterprise. Organization owners can now control their repository projects settings. For more information, see "AUTOTITLE."
repository_projects_change.disable Repository projects were disabled for a repository, all repositories in an organization, or all organizations in an enterprise.
repository_projects_change.enable Repository projects were enabled for a repository, all repositories in an organization, or all organizations in an enterprise.

{%- ifversion ghec or ghes or ghae %}

repository_secret_scanning category actions

Action Description
repository_secret_scanning.disable A repository owner or administrator disabled {% data variables.product.prodname_secret_scanning %} for a {% ifversion ghec %}private or internal {% endif %}repository. For more information, see "AUTOTITLE."
repository_secret_scanning.enable A repository owner or administrator enabled {% data variables.product.prodname_secret_scanning %} for a {% ifversion ghec %}private or internal {% endif %}repository.
{%- endif %}

{%- ifversion secret-scanning-audit-log-custom-patterns %}

repository_secret_scanning_custom_pattern category actions

Action Description
repository_secret_scanning_custom_pattern.create A custom pattern was created for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "AUTOTITLE."
repository_secret_scanning_custom_pattern.delete A custom pattern was removed from {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "AUTOTITLE."
repository_secret_scanning_custom_pattern.publish A custom pattern was published for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "AUTOTITLE."
repository_secret_scanning_custom_pattern.update Changes to a custom pattern were saved and a dry run was executed for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "AUTOTITLE."
{%- endif %}

{%- ifversion secret-scanning-custom-pattern-push-protection-audit %}

repository_secret_scanning_custom_pattern_push_protection category actions

Action Description
repository_secret_scanning_custom_pattern_push_protection.enabled Push protection for a custom pattern for {% data variables.product.prodname_secret_scanning %} was enabled for your repository. For more information, see "AUTOTITLE."
repository_secret_scanning_custom_pattern_push_protection.disabled Push protection for a custom pattern for {% data variables.product.prodname_secret_scanning %} was disabled for your repository. For more information, see "AUTOTITLE."
{%- endif %}

{%- ifversion secret-scanning-audit-log-custom-patterns %}

repository_secret_scanning_push_protection category actions

Action Description
repository_secret_scanning_push_protection.disable A repository owner or administrator disabled {% data variables.product.prodname_secret_scanning %} for a repository. For more information, see "AUTOTITLE."
repository_secret_scanning_push_protection.enable A repository owner or administrator enabled {% data variables.product.prodname_secret_scanning %} for a repository. For more information, see "AUTOTITLE."
{%- endif %}

repository_visibility_change category actions

Action Description
repository_visibility_change.clear The repository visibility change setting was cleared for an organization or enterprise. For more information, see "AUTOTITLE" and "AUTOTITLE for an enterprise."
repository_visibility_change.disable The ability for enterprise members to update a repository's visibility was disabled. Members are unable to change repository visibilities in an organization, or all organizations in an enterprise.
repository_visibility_change.enable The ability for enterprise members to update a repository's visibility was enabled. Members are able to change repository visibilities in an organization, or all organizations in an enterprise.

repository_vulnerability_alert category actions

Action Description
repository_vulnerability_alert.create {% data variables.product.product_name %} created a {% data variables.product.prodname_dependabot %} alert for a repository that uses an insecure dependency. For more information, see "AUTOTITLE."
repository_vulnerability_alert.dismiss An organization owner{% ifversion dependabot-alerts-permissions-write-maintain %}, repository administrator, or someone with write or maintain access to a repository{% else %} or repository administrator{% endif %} dismissed a {% data variables.product.prodname_dependabot %} alert about a vulnerable dependency{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %}.
repository_vulnerability_alert.resolve Someone with write{% ifversion dependabot-alerts-permissions-write-maintain %} or maintain{% endif %} access to a repository pushed changes to update and resolve a {% data variables.product.prodname_dependabot %} alert in a project dependency.

{%- ifversion fpt or ghec %}

repository_vulnerability_alerts category actions

Action Description
repository_vulnerability_alerts.authorized_users_teams An organization owner or repository administrator updated the list of people or teams authorized to receive {% data variables.product.prodname_dependabot_alerts %} for the repository. For more information, see "AUTOTITLE."
repository_vulnerability_alerts.disable A repository owner or repository administrator disabled {% data variables.product.prodname_dependabot_alerts %}.
repository_vulnerability_alerts.enable A repository owner or repository administrator enabled {% data variables.product.prodname_dependabot_alerts %}.
{%- endif %}

required_status_check category actions

Action Description
required_status_check.create A status check was marked as required for a protected branch. For more information, see "AUTOTITLE."
required_status_check.destroy A status check was no longer marked as required for a protected branch. For more information, see "AUTOTITLE."

{%- ifversion ghec or ghes %}

restrict_notification_delivery category actions

Action Description
restrict_notification_delivery.enable Email notification restrictions for an organization or enterprise were enabled. For more information, see "AUTOTITLE" and "AUTOTITLE."
restrict_notification_delivery.disable Email notification restrictions for an organization or enterprise were disabled. For more information, see "AUTOTITLE" and "AUTOTITLE."
{%- endif %}

{%- ifversion custom-repository-roles %}

role category actions

Action Description
role.create An organization owner created a new custom repository role. For more information, see "AUTOTITLE."
role.destroy An organization owner deleted a custom repository role. For more information, see "AUTOTITLE."
role.update An organization owner edited an existing custom repository role. For more information, see "AUTOTITLE."
{%- endif %}

{%- ifversion ghec or ghes or ghae %}

secret_scanning category actions

Action Description
secret_scanning.disable An organization owner disabled secret scanning for all existing{% ifversion ghec %} private or internal{% endif %} repositories. For more information, see "AUTOTITLE."
secret_scanning.enable An organization owner enabled secret scanning for all existing{% ifversion ghec %} private or internal{% endif %} repositories.

{% ifversion secret-scanning-alert-audit-log %}

secret_scanning_alert category actions

Action Description
secret_scanning_alert.create {% data variables.product.prodname_dotcom %} detected a secret and created a {% data variables.product.prodname_secret_scanning %} alert. For more information, see "AUTOTITLE."
secret_scanning_alert.reopen A user reopened a {% data variables.product.prodname_secret_scanning %} alert.
secret_scanning_alert.resolve A user resolved a {% data variables.product.prodname_secret_scanning %} alert.
{% endif %}

secret_scanning_new_repos category actions

Action Description
secret_scanning_new_repos.disable An organization owner disabled secret scanning for all new{% ifversion ghec %} private or internal{% endif %} repositories. For more information, see "AUTOTITLE."
secret_scanning_new_repos.enable An organization owner enabled secret scanning for all new{% ifversion ghec %} private or internal{% endif %} repositories.
{%- endif %}

{% ifversion secret-scanning-push-protection-bypasses %}

secret_scanning_push_protection category actions

Action Description
secret_scanning_push_protection.bypass A user bypassed the push protection on a secret detected by secret scanning. For more information, see "AUTOTITLE."
{% endif %}

{%- ifversion ghec or ghes or ghae %}

security_key category actions

Action Description
security_key.register A security key was registered for an account.
security_key.remove A security key was removed from an account.
{%- endif %}

{%- ifversion fpt or ghec %}

sponsors category actions

Action Description
sponsors.agreement_sign A {% data variables.product.prodname_sponsors %} agreement was signed on behalf of an organization.
sponsors.custom_amount_settings_change Custom amounts for {% data variables.product.prodname_sponsors %} were enabled or disabled, or the suggested custom amount was changed. For more information, see "AUTOTITLE."
sponsors.fiscal_host_change The fiscal host for a {% data variables.product.prodname_sponsors %} listing was updated.
sponsors.withdraw_agreement_signature A signature was withdrawn from a {% data variables.product.prodname_sponsors %} agreement that applies to an organization.
sponsors.repo_funding_links_file_action The FUNDING file in a repository was changed. For more information, see "AUTOTITLE."
sponsors.sponsor_sponsorship_cancel A sponsorship was canceled. For more information, see "AUTOTITLE."
sponsors.sponsor_sponsorship_create A sponsorship was created, by sponsoring an account. For more information, see "AUTOTITLE."
sponsors.sponsor_sponsorship_payment_complete After an account was sponsored and a payment was processed, the sponsorship payment was marked as complete. For more information, see "AUTOTITLE."
sponsors.sponsor_sponsorship_preference_change The option to receive email updates from a sponsored account was changed. For more information, see "AUTOTITLE."
sponsors.sponsor_sponsorship_tier_change A sponsorship was upgraded or downgraded. For more information, see "AUTOTITLE" and "AUTOTITLE."
sponsors.sponsored_developer_approve A {% data variables.product.prodname_sponsors %} account was approved. For more information, see "AUTOTITLE."
sponsors.sponsored_developer_create A {% data variables.product.prodname_sponsors %} account was created. For more information, see "AUTOTITLE."
sponsors.sponsored_developer_disable A {% data variables.product.prodname_sponsors %} account was disabled.
sponsors.sponsored_developer_profile_update A sponsored organization profile was edited. For more information, see "AUTOTITLE."
sponsors.sponsored_developer_redraft A {% data variables.product.prodname_sponsors %} account was returned to draft state from approved state.
sponsors.sponsored_developer_request_approval An application for {% data variables.product.prodname_sponsors %} was submitted for approval. For more information, see "AUTOTITLE."
sponsors.sponsored_developer_tier_description_update The description for a sponsorship tier was changed. For more information, see "AUTOTITLE."
sponsors.update_tier_welcome_message The welcome message for a {% data variables.product.prodname_sponsors %} tier for an organization was updated.
sponsors.update_tier_repository A {% data variables.product.prodname_sponsors %} tier changed access for a repository.
{%- endif %}

{%- ifversion ghec or ghes or ghae %}

ssh_certificate_authority category actions

Action Description
ssh_certificate_authority.create An SSH certificate authority for an organization or enterprise was created. For more information, see "AUTOTITLE" and "AUTOTITLE."
ssh_certificate_authority.destroy An SSH certificate authority for an organization or enterprise was deleted. For more information, see "AUTOTITLE" and "AUTOTITLE."

ssh_certificate_requirement category actions

Action Description
ssh_certificate_requirement.enable The requirement for members to use SSH certificates to access an organization's resources was enabled. For more information, see "AUTOTITLE" and "AUTOTITLE."
ssh_certificate_requirement.disable The requirement for members to use SSH certificates to access an organization's resources was disabled. For more information, see "AUTOTITLE" and "AUTOTITLE."
{%- endif %}

{% ifversion sso-redirect %}

sso_redirect category actions

{% data reusables.enterprise-managed.sso-redirect-release-phase %}

Action Description
sso_redirect.enable Automatic redirects for users to single sign-on (SSO) were enabled.
sso_redirect.disable Automatic redirects for users to single sign-on (SSO) were disabled.

For more information, see "AUTOTITLE."
{% endif %}

staff category actions

Action Description
staff.disable_repo An organization{% ifversion ghes %}, repository or site{% else %} or repository{% endif %} administrator disabled access to a repository and all of its forks.
staff.enable_repo An organization{% ifversion ghes %}, repository or site{% else %} or repository{% endif %} administrator re-enabled access to a repository and all of its forks.
{%- ifversion ghes or ghae %}
staff.exit_fake_login An enterprise owner{% ifversion ghes %} or site administrator{% endif %} ended an impersonation session on {% data variables.product.product_name %}.
staff.fake_login An enterprise owner{% ifversion ghes %} or site administrator{% endif %} signed into {% data variables.product.product_name %} as another user.
{%- endif %}
staff.repo_lock An organization{% ifversion ghes %}, repository or site{% else %} or repository{% endif %} administrator locked (temporarily gained full access to) a user's private repository.
staff.repo_unlock An organization{% ifversion ghes %}, repository or site{% else %} or repository{% endif %} administrator unlocked (ended their temporary access to) a user's private repository.
{%- ifversion ghes %}
staff.search_audit_log A site administrator performed a search of the site admin audit log.
{%- endif %}
staff.set_domain_token_expiration {% ifversion ghes %}A site administrator or {% endif %}GitHub staff set the verification code expiry time for an organization or enterprise domain. {% ifversion ghec or ghes %}For more information, see "AUTOTITLE" and "AUTOTITLE."{% endif %}
{%- ifversion ghes %}
staff.unlock A site administrator unlocked (temporarily gained full access to) all of a user's private repositories.
{%- endif %}
staff.unverify_domain {% ifversion ghes %}A site administrator or {% endif %}GitHub staff unverified an organization or enterprise domain. {% ifversion ghec or ghes %}For more information, see "AUTOTITLE" and "AUTOTITLE."{% endif %}
staff.verify_domain {% ifversion ghes %}A site administrator or {% endif %}GitHub staff verified an organization or enterprise domain. {% ifversion ghec or ghes %}For more information, see "AUTOTITLE" and "AUTOTITLE."{% endif %}
{%- ifversion ghes %}
staff.view_audit_log A site administrator viewed the site admin audit log.
{%- endif %}

team category actions

Action Description
team.add_member A member of an organization was added to a team. For more information, see "AUTOTITLE."
team.add_repository A team was given access and permissions to a repository.
team.change_parent_team A child team was created or a child team's parent was changed. For more information, see "AUTOTITLE."
team.change_privacy A team's privacy level was changed. For more information, see "AUTOTITLE."
team.create A user account or repository was added to a team.
team.delete A user account or repository was removed from a team.
team.destroy A team was deleted.
{%- ifversion ghec or ghes or ghae %}
team.demote_maintainer A user was demoted from a team maintainer to a team member.
team.promote_maintainer A user was promoted from a team member to a team maintainer. For more information, see "AUTOTITLE."
{%- endif %}
team.remove_member A member of an organization was removed from a team. For more information, see "AUTOTITLE."
team.remove_repository A repository was no longer under a team's control.
team.rename A team's name was changed.
team.update_permission A team's access was changed.
team.update_repository_permission A team's permission to a repository was changed.

{% ifversion team-discussions %}

team_discussions category actions

Action Description
team_discussions.clear An organization owner cleared the setting to allow team discussions for an organization or enterprise.
team_discussions.disable An organization owner disabled team discussions for an organization. For more information, see "AUTOTITLE."
team_discussions.enable An organization owner enabled team discussions for an organization.
{% endif %}

{%- ifversion ghec %}

team_sync_tenant category actions

Action Description
team_sync_tenant.disabled Team synchronization with a tenant was disabled. For more information, see "AUTOTITLE" and "AUTOTITLE."
team_sync_tenant.enabled Team synchronization with a tenant was enabled. For more information, see "AUTOTITLE" and "AUTOTITLE."
team_sync_tenant.update_okta_credentials The Okta credentials for team synchronization with a tenant were changed.
{%- endif %}

{%- ifversion fpt or ghes %}

two_factor_authentication category actions

Action Description
two_factor_authentication.disabled Two-factor authentication was disabled for a user account.
two_factor_authentication.enabled Two-factor authentication was enabled for a user account.
two_factor_authentication.password_reset_fallback_sms A one-time password code was sent to a user account's fallback phone number.
two_factor_authentication.recovery_codes_regenerated Two-factor recovery codes were regenerated for a user account.
two_factor_authentication.sign_in_fallback_sms A one-time password code was sent to a user account's fallback phone number.
two_factor_authentication.update_fallback The two-factor authentication fallback for a user account was changed.
{%- endif %}

{%- ifversion fpt or ghes or ghae %}

user category actions

Action Description
user.add_email An email address was added to a user account.
user.async_delete An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.
user.audit_log_export Audit log entries were exported.
user.block_user A user was blocked by another user{% ifversion ghes %} or a site administrator{% endif %}.
user.change_password A user changed their password.
user.create A new user account was created.
user.creation_rate_limit_exceeded The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.
user.delete A user account was destroyed by an asynchronous job.
{%- ifversion ghes %}
user.demote A site administrator was demoted to an ordinary user account.
{%- endif %}
user.destroy A user deleted their account, triggering user.async_delete.
user.failed_login A user tried to sign in with an incorrect username, password, or two-factor authentication code.
user.flag_as_large_scale_contributor A user account was flagged as a large scale contributor. Only contributions from public repositories the user owns will be shown in their contribution graph, in order to prevent timeouts.
user.forgot_password A user requested a password reset via the sign-in page.
user.hide_private_contributions_count A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile is now hidden. For more information, see "AUTOTITLE."
user.lockout A user was locked out of their account.
user.login A user signed in.
{%- ifversion ghes or ghae %}
user.mandatory_message_viewed A user viewed a mandatory message. For more information, see "AUTOTITLE."
{%- endif %}
user.minimize_comment A comment made by a user was minimized.
{%- ifversion ghes %}
user.promote An ordinary user account was promoted to a site administrator.
{%- endif %}
user.recreate A user's account was restored.
user.remove_email An email address was removed from a user account.
user.remove_large_scale_contributor_flag A user account was no longer flagged as a large scale contributor.
user.rename A username was changed.
user.reset_password A user reset their account password.
user.show_private_contributions_count A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile is now shown. For more information, see "AUTOTITLE."
user.sign_in_from_unrecognized_device A user signed in from an unrecognized device.
user.sign_in_from_unrecognized_device_and_location A user signed in from an unrecognized device and location.
user.sign_in_from_unrecognized_location A user signed in from an unrecognized location.
user.suspend A user account was suspended by an enterprise owner{% ifversion ghes %} or site administrator{% endif %}.
user.two_factor_challenge_failure A 2FA challenge issued for a user account failed.
user.two_factor_challenge_success A 2FA challenge issued for a user account succeeded.
user.two_factor_recover A user used their 2FA recovery codes.
user.two_factor_recovery_codes_downloaded A user downloaded 2FA recovery codes for their account.
user.two_factor_recovery_codes_printed A user printed 2FA recovery codes for their account.
user.two_factor_recovery_codes_viewed A user viewed 2FA recovery codes for their account.
user.two_factor_requested A user was prompted for a two-factor authentication code.
user.unblock_user A user was unblocked by another user{% ifversion ghes %} or a site administrator{% endif %}.
user.unminimize_comment A comment made by a user was unminimized.
user.unsuspend A user account was unsuspended by an enterprise owner{% ifversion ghes %} or site administrator{% endif %}.
{%- endif %}

{%- ifversion ghec or ghes %}

user_license category actions

Action Description
user_license.create A seat license for a user in an enterprise was created.
user_license.destroy A seat license for a user in an enterprise was deleted.
user_license.update A seat license type for a user in an enterprise was changed.
{%- endif %}

workflows category actions

{% data reusables.audit_log.audit-log-events-workflows %}