Skip to content
Latchkey

How to Collect CI Evidence for an Audit

The gh CLI can export workflow runs, reviews, and deployment approvals as JSON, giving auditors a machine-readable record of every gated change.

Rather than screenshots, hand auditors exportable JSON. This page shows how to pull workflow runs, pull request reviews, and environment approvals for an evidence period. It is educational; scope the fields to what your auditor asks for.

Steps

  • Export workflow runs for the audit window with created-date filtering.
  • Export pull request reviews to prove approvals happened.
  • Export deployment approvals to prove the second signer on releases.

Export runs and reviews

Terminal
# Workflow runs in a date range
gh api "repos/acme/app/actions/runs?created=2026-01-01..2026-03-31&per_page=100" \
  --paginate > runs.json

# Reviews on a specific PR
gh api repos/acme/app/pulls/482/reviews > pr-482-reviews.json

Export deployment approvals

Terminal
gh api repos/acme/app/actions/runs/${RUN_ID}/approvals > approvals.json
jq '.[] | {user: .user.login, state: .state, comment: .comment}' approvals.json

Notes

  • Use --paginate so you do not silently truncate at 100 results.
  • Snapshot exports into immutable storage so the evidence itself is tamper evident.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →