Creates a CSV file of some git log data, useful for exporting to audit reports and other "chain of custody" type reports. It can optionally create diffs to show line-by-line and file-by-file what changed at each commit and by whom, as well as whether each commit was signed with a GPG certificate.
Note: Only need the shell script? Here you go - git-history-report.sh
Inputs
- Repository name (defaults to the current repository)
- Branch name (defaults to "main")
- Whether the GPG commit signing info should be included (defaults to "false")
- GitHub PAT token to use (defaults to the included github.token, only needed if the repository name isn't the current one)
- Whether to also generate diff files for each commit and include them in the zip archive (defaults to "false")
It'll output a CSV file, zipped and uploaded as an artifact on that workflow run. If the diff file option is also set to true, it'll include all of those diffs in the zip file as well. Artifact storage has a limited timeframe, so you may need to download it and move it into another business system (either automatically or manually) depending on your needs. Here's what it'll return:
| Header | Description |
|---|---|
| url | URL within GitHub to view the detailed diff of this commit |
| commit id | Short SHA of the commit |
| author | Commit author |
| commit signature status | GPG commit signature status (docs) |
| name of signer | Name on the GPG key |
| key used to sign | GPG key used to sign |
| date | Date on the commit |
| comment | Comment (short, not full) on the commit |
| changed files | Number of files changed in this commit |
| lines added | Number of lines added in this commit |
| lines deleted | Number of lines deleted in this commit |
Create a new workflow (or add it to an existing workflow) in ~/.github/workflows and add the following to a step:

```yaml
steps:
  - name: Upload a CSV code audit log to this workflow
    uses: some-natalie/gitlog-to-csv@v1
```
There's also an example using this Action in this repo.
Per the git documentation, the "status codes" that can appear in the "commit signature status" field are listed below.

| Code | Meaning |
|---|---|
| G | Good (valid) signature |
| B | Bad signature |
| U | Good signature with unknown validity |
| X | Good signature that has expired |
| Y | Good signature made by an expired key |
| R | Good signature made by a revoked key |
| E | Signature cannot be checked (e.g. missing key) |
| N | No signature |
Note: The runner that you use to execute this Action might need to be set up to trust your key management server. This may mean you'll need to chat with your key management / identity management folks to get things set up on a private key server. Naturally, this works without any hitch on GitHub.com. As a composite Action that calls other Actions, you'll need to be on at least GitHub Enterprise Server or GitHub AE version 3.3 to use this if you're not on GitHub.com.
Note: This references the tag v4 of actions/checkout and actions/upload-artifact, which may be beyond the version shipped bundled in GHES. Your enterprise administrator might need to update the bundled actions. Alternatively, you can copy this repository to your GHES instance and downgrade the versions of these dependencies in that process.
❓ Not using or can't use GitHub Actions? Not a problem - the core logic of this report is a plain bash script that you can plug into your CI system of choice or run ad hoc. To run on an arbitrary machine, you'll need the following:
- BASH, of course
- GNU awk and sed
- Git
- GPG set up and appropriate certificates installed if you want to verify commit signing - sorry this one is kinda vague, but what this looks like will vary widely based on your company's configuration.
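As an added example (not the project's own git-history-report.sh), this is one way to produce the same columns from a plain checkout: a git log format that emits the signature fields with %G?, %GS and %GK, and an awk pass that pairs each commit with its --shortstat counts and quotes the CSV fields. The base URL and the <base>/commit/<sha> link pattern are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not the project's git-history-report.sh. Assumed: commit URLs are <base>/commit/<sha>.
set -eu

# Feed it:  git log <branch> --date=short --pretty="tformat:$GIT_LOG_FORMAT" --shortstat
# Fields are joined by the ASCII unit separator (%x1f) so commas or quotes in a subject
# cannot split a field. %G? = status letter, %GS = signer name, %GK = key used to sign.
GIT_LOG_FORMAT='COMMIT%x1f%h%x1f%an%x1f%G?%x1f%GS%x1f%GK%x1f%ad%x1f%s'

# gitlog_to_csv <github-base-url>: git log records on stdin, CSV on stdout
gitlog_to_csv() {
  awk -v base="$1" '
    BEGIN { FS = "\037"; OFS = ","
      print "url,commit id,author,commit signature status,name of signer,key used to sign,date,comment,changed files,lines added,lines deleted" }
    # RFC 4180 quoting: wrap in quotes and double any embedded quote
    function q(s) { gsub(/"/, "\"\"", s); return "\"" s "\"" }
    function flush() { if (sha != "")
      print q(base "/commit/" sha), q(sha), q(author), q(sig), q(signer), q(key), q(date), q(subject), files + 0, added + 0, deleted + 0 }
    $1 == "COMMIT" {            # start of a commit record: emit the previous one first
      flush()
      sha = $2; author = $3; sig = $4; signer = $5; key = $6; date = $7; subject = $8
      files = added = deleted = 0
      next
    }
    # --shortstat line, e.g. " 2 files changed, 10 insertions(+), 3 deletions(-)";
    # a merge commit prints no stat line, so its counts stay 0
    / files? changed/ {
      n = split($0, part, ",")
      for (i = 1; i <= n; i++) {
        split(part[i], w, " ")
        if (part[i] ~ /changed/)   files   = w[1]
        if (part[i] ~ /insertion/) added   = w[1]
        if (part[i] ~ /deletion/)  deleted = w[1]
      }
    }
    END { flush() }
  '
}

# Constructed sample of what git prints for one signed and one unsigned commit,
# so the parser can be exercised without a repository.
sample_git_log() {
  US="$(printf '\037')"
  printf '%s\n\n' "COMMIT${US}abc1234${US}Jane Doe${US}G${US}Jane Doe <jane@example.com>${US}ABCDEF0123456789${US}2024-01-02${US}Fix \"quoted\", comma subject"
  printf '%s\n\n' ' 2 files changed, 10 insertions(+), 3 deletions(-)'
  printf '%s\n\n' "COMMIT${US}def5678${US}Bob${US}N${US}${US}${US}2024-01-01${US}Initial commit"
  printf '%s\n' ' 1 file changed, 5 insertions(+)'
}
```

A commit signed with a key the runner cannot find shows E rather than N, so a row still distinguishes an unverifiable signature from a missing one; that is why the key-server note above matters when the report is used as evidence.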
Yes, all of this information is available in git because this information is the very nature of version control - but sometimes we all need a checklist or report to give to someone who doesn't want to hang out in a version control system. The goal here is to make everyone's life just a tiny bit easier, one sed command at a time. ❤️