dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Audit log: Log when Dependabot settings/config change #2240

Open timReynolds opened 6 years ago

timReynolds commented 6 years ago

It would be great to see an audit log or event history in the dashboard allowing users to understand the actions taken by the bot.

greysteil commented 6 years ago

Thanks for the feedback Tim. What kind of things would you want to see in that audit log?

timReynolds commented 6 years ago

Mostly created and auto-merged PRs. I think the most value is in the auto-merged PRs.

greysteil commented 6 years ago

Interesting. For created it's possible to construct a GitHub PR filter like this one for all PRs created for alphagov. Merges is trickier - I can't find any docs on filtering PRs by who merged them, and I'm not having any joy experimenting with it. There's the GitHub API, of course, but that's a bunch less convenient.

I'll keep this in mind. I can see how adding a "Event history" section to the account drop-down could be useful.
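The event history asked for above (Dependabot PRs created, and who merged each one) can be reconstructed today from GitHub REST API pull-request records. This is an added example, not code from dependabot-core or the thread: it assumes records in the shape of `GET /repos/{owner}/{repo}/pulls/{number}` (the per-PR endpoint, which is the one that populates `merged_by`), and the sample records are constructed.

```python
"""Build a Dependabot PR event history from GitHub pull-request records.

Assumes each record has the fields of GET /repos/{owner}/{repo}/pulls/{number}:
number, title, user.login, created_at, merged_at, merged_by.login.
(The list endpoint omits merged_by, so each PR needs its own fetch.)
"""

DEPENDABOT_LOGINS = {"dependabot[bot]", "dependabot-preview[bot]"}

# Constructed sample records for this example, not real API output.
SAMPLE_PULLS = [
    {"number": 41, "title": "Bump lodash from 4.17.15 to 4.17.21",
     "user": {"login": "dependabot[bot]"},
     "created_at": "2021-05-10T08:00:00Z", "merged_at": "2021-05-10T08:05:00Z",
     "merged_by": {"login": "dependabot[bot]"}},        # merged by the bot itself
    {"number": 42, "title": "Bump rails from 6.1.3 to 6.1.4",
     "user": {"login": "dependabot[bot]"},
     "created_at": "2021-05-11T09:00:00Z", "merged_at": "2021-05-12T14:30:00Z",
     "merged_by": {"login": "alice"}},                   # merged by a human
    {"number": 43, "title": "Refactor login flow",
     "user": {"login": "bob"},                           # not a Dependabot PR
     "created_at": "2021-05-11T10:00:00Z", "merged_at": "2021-05-11T16:00:00Z",
     "merged_by": {"login": "alice"}},
    {"number": 44, "title": "Bump nokogiri from 1.11.0 to 1.11.4",
     "user": {"login": "dependabot[bot]"},
     "created_at": "2021-05-13T07:00:00Z", "merged_at": None, "merged_by": None},
]


def search_query(org):
    """The PR search filter mentioned in the thread: every Dependabot PR in an org."""
    return f"org:{org} is:pr author:app/dependabot"


def dependabot_events(pulls):
    """Chronological (timestamp, event, actor, pr_number) tuples for Dependabot PRs.

    A 'merged' event records who merged; a merge performed by the Dependabot
    account itself is reported as 'auto_merged' so it can be audited separately.
    """
    events = []
    for pr in pulls:
        if pr["user"]["login"] not in DEPENDABOT_LOGINS:
            continue
        events.append((pr["created_at"], "created", pr["user"]["login"], pr["number"]))
        if pr.get("merged_at"):
            merger = (pr.get("merged_by") or {}).get("login", "unknown")
            kind = "auto_merged" if merger in DEPENDABOT_LOGINS else "merged"
            events.append((pr["merged_at"], kind, merger, pr["number"]))
    return sorted(events)  # ISO-8601 UTC timestamps sort correctly as strings


def auto_merged_numbers(pulls):
    """PR numbers that Dependabot both opened and merged."""
    return [n for _, kind, _, n in dependabot_events(pulls) if kind == "auto_merged"]
```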

cabello commented 6 years ago

To extend on that request, I wish we had people's action audit log as well, our org is kinda big so it would be nice to know:

Example:

captn3m0 commented 5 years ago

+1 to @cabello's request. If an application gets disabled/edited by any user in the org - we'd want a notification of some sort.

Currently, anyone in the org can do this, which I find confusing from a security perspective.

simlu commented 5 years ago

Still relevant. Bump

jeffwidman commented 1 year ago

As an update on this, currently enablement of Dependabot Security Alerts is tracked in the GitHub audit log, but not enablement of Security or Version updates.

I agree it makes sense to add support for this, although it may not get prioritized for a while.