How to Collect CI Evidence for an Audit
The gh CLI can export workflow runs, reviews, and deployment approvals as JSON, giving auditors a machine-readable record of every gated change.
Rather than screenshots, hand auditors exportable JSON. This page shows how to pull workflow runs, pull request reviews, and environment approvals for an evidence period. It is educational; scope the fields to what your auditor asks for.
Steps
- Export workflow runs for the audit window with created-date filtering.
- Export pull request reviews to prove approvals happened.
- Export deployment approvals to prove the second signer on releases.
Export runs and reviews
Terminal
# Workflow runs in a date range
gh api "repos/acme/app/actions/runs?created=2026-01-01..2026-03-31&per_page=100" \
--paginate > runs.json
# Reviews on a specific PR
gh api repos/acme/app/pulls/482/reviews > pr-482-reviews.jsonExport deployment approvals
Terminal
gh api repos/acme/app/actions/runs/${RUN_ID}/approvals > approvals.json
jq '.[] | {user: .user.login, state: .state, comment: .comment}' approvals.jsonNotes
- Use --paginate so you do not silently truncate at 100 results.
- Snapshot exports into immutable storage so the evidence itself is tamper evident.
Related guides
How to Keep CI Audit Logs ImmutableShip GitHub Actions audit logs to write-once storage such as S3 Object Lock so the record cannot be altered o…
How to Build a Who/What/When Audit Trail of DeploysRecord a who, what, and when audit trail of every deploy in GitHub Actions using the Deployments API and stru…
How to Document a Pipeline as a Control MappingDocument your CI/CD pipeline as a control mapping in the repo, linking each control to the workflow step and…