Skip to content
Latchkey

How to Build a Who/What/When Audit Trail of Deploys

Creating a GitHub Deployment for each release captures the actor, commit SHA, environment, and timestamp in one queryable record.

Auditors ask who deployed what and when. The GitHub Deployments API records exactly that, and a structured log line gives you a second, exportable copy. Emit both from the deploy job. This is educational guidance for building traceability.

Steps

  • Create a deployment record with actions/github-script (captures actor, SHA, environment).
  • Emit a structured JSON log line with the same fields for log-based search.
  • Update the deployment status to success or failure at the end.

Record the deployment

.github/workflows/deploy.yml
permissions:
  deployments: write
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            const d = await github.rest.repos.createDeployment({
              owner: context.repo.owner, repo: context.repo.repo,
              ref: context.sha, environment: 'production',
              required_contexts: [], auto_merge: false
            })
            core.setOutput('id', d.data.id)

Structured log line

Terminal
echo "{\"event\":\"deploy\",\"actor\":\"${{ github.actor }}\",\"sha\":\"${{ github.sha }}\",\"env\":\"production\",\"run\":\"${{ github.run_id }}\",\"ts\":\"$(date -u +%FT%TZ)\"}"

Notes

  • Deployment records survive even after the workflow log retention window passes.
  • Ship the JSON line to your SIEM so the trail lives outside the CI system too.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →