GitHub Actions Auditing and Monitoring

Auditing and monitoring are essential for keeping GitHub Actions secure and compliant. This section explains how to set them up.

Audit logs

What is the audit log?

The audit log records important activity in a repository or organization:

  • Workflow executions
  • Secret access
  • Permission changes
  • Environment deployments

Viewing the audit log

Organization level

  1. Open the organization settings
  2. Click "Audit log"
  3. Filter by event type

Repository level

  1. Open the repository settings
  2. Click "Audit log"

Audit event types

| Event type | Description |
|---|---|
| workflow_job | Workflow job events |
| workflow_run | Workflow run events |
| secret | Secret events |
| environment | Environment events |
| self_hosted_runner | Self-hosted runner events |

Querying with the API

```bash
# ORG is a placeholder for the organization name; the token needs audit-log read access
curl -H "Authorization: token $GITHUB_TOKEN" \
  https://api.github.com/orgs/ORG/audit-log
```

Workflow monitoring

Workflow status

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Build
        id: build
        run: npm run build

      - name: Report status
        if: always()
        run: |
          echo "## Build Status" >> $GITHUB_STEP_SUMMARY
          echo "Status: ${{ job.status }}" >> $GITHUB_STEP_SUMMARY
```

Using the step summary

```yaml
- name: Generate report
  if: always()
  run: |
    echo "## Build Report" >> $GITHUB_STEP_SUMMARY
    echo "" >> $GITHUB_STEP_SUMMARY
    echo "| Item | Status |" >> $GITHUB_STEP_SUMMARY
    echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
    echo "| Build | ✅ |" >> $GITHUB_STEP_SUMMARY
    echo "| Test | ✅ |" >> $GITHUB_STEP_SUMMARY
    echo "| Deploy | ✅ |" >> $GITHUB_STEP_SUMMARY
```

Failure notifications

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: npm run build

  notify:
    needs: build
    if: failure()
    runs-on: ubuntu-latest
    steps:
      - uses: slackapi/slack-github-action@v1
        with:
          channel-id: 'C0123456789'
          slack-message: 'Build failed: ${{ github.workflow }}'
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
```

Log analysis

Viewing workflow logs

```bash
# Using the GitHub CLI
gh run view <run-id>

# Show the log
gh run view <run-id> --log
```

Downloading logs

```bash
# gh run download fetches the run's artifacts, not its logs
gh run download <run-id>

# To keep the logs themselves, save the log text or fetch the log archive via the API
gh run view <run-id> --log > run.log
gh api repos/OWNER/REPO/actions/runs/<run-id>/logs > logs.zip
```

Log retention

  • Retained for 90 days by default
  • Adjustable in the repository settings

Security monitoring

Secret usage monitoring

```yaml
- name: Log secret usage
  run: |
    # Record that the secret was used, never the secret value itself
    echo "Using secret at $(date)" >> usage.log
    # use the secret here
```

Permission change monitoring

Filter the audit log for:

  • org.update_actions_secret
  • repo.update_actions_secret
  • org.update_actions_settings
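The same filter can be applied to the JSON that the audit-log API call above returns, so that secret and settings changes by unexpected actors are surfaced automatically. This is an added example, not code from the original page; the entry shape (`@timestamp`, `action`, `actor`, `org`, `repo`) follows the REST audit-log response and is an assumption, and the three sample entries are constructed.

```python
# Added example: triage audit-log entries for Actions secret and settings changes.
# Field names (@timestamp, action, actor, org, repo) follow the REST audit-log
# response for GET /orgs/ORG/audit-log; treat that shape as an assumption.
import json
from datetime import datetime, timezone

# Audit-log actions that change Actions secrets or organization Actions settings.
WATCHED_ACTIONS = {
    "org.update_actions_secret",
    "repo.update_actions_secret",
    "org.update_actions_settings",
}

# Constructed sample of three entries (one routine, two watched).
SAMPLE_LOG = json.dumps([
    {"@timestamp": 1711612800000, "action": "workflows.completed_workflow_run",
     "actor": "ci-bot", "org": "example-org", "repo": "example-org/app"},
    {"@timestamp": 1711616400000, "action": "repo.update_actions_secret",
     "actor": "mallory", "org": "example-org", "repo": "example-org/app"},
    {"@timestamp": 1711620000000, "action": "org.update_actions_settings",
     "actor": "alice", "org": "example-org"},
])

def triage(raw_json, watched=WATCHED_ACTIONS, allowed_actors=()):
    """Return one finding per watched entry, oldest first.

    Actors outside allowed_actors get severity 'review' so a human looks at
    the change; expected administrators get 'info' for the record."""
    findings = []
    for entry in sorted(json.loads(raw_json), key=lambda e: e["@timestamp"]):
        action = entry.get("action")
        if action not in watched:
            continue
        when = datetime.fromtimestamp(entry["@timestamp"] / 1000, tz=timezone.utc)
        actor = entry.get("actor", "<unknown>")
        findings.append({
            "time": when.isoformat(),
            "action": action,
            "actor": actor,
            "target": entry.get("repo") or entry.get("org"),
            "severity": "info" if actor in allowed_actors else "review",
        })
    return findings

if __name__ == "__main__":
    # For live data, load the curl output from the API section instead of SAMPLE_LOG.
    for f in triage(SAMPLE_LOG, allowed_actors={"alice"}):
        print(f"{f['time']} {f['severity']:6} {f['action']} by {f['actor']} on {f['target']}")
```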

Anomaly detection

Watch for the following anomalies:

  • Workflows that fail frequently
  • Unusual execution times
  • Unauthorized access
  • Leaked secrets
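The first two anomalies, frequent failures and unusual execution times, can be scored from the run records the GitHub API returns (the `workflow_runs` items that `listWorkflowRuns` in the metrics section yields). This is an added example rather than the page's own code; the sample runs are constructed and the thresholds (failure rate above 50%, duration above 3x the workflow's median) are assumptions.

```python
# Added example: flag frequently failing workflows and runs with outlying durations.
# Input records mirror the `workflow_runs` items returned by the GitHub REST API
# (id, name, conclusion, run_started_at, updated_at); thresholds are assumptions.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: "ci" has one slow run, "deploy" fails 2 times out of 3.
SAMPLE_RUNS = [
    {"id": 1, "name": "ci", "conclusion": "success",
     "run_started_at": "2024-03-28T08:00:00Z", "updated_at": "2024-03-28T08:01:00Z"},
    {"id": 2, "name": "ci", "conclusion": "success",
     "run_started_at": "2024-03-28T09:00:00Z", "updated_at": "2024-03-28T09:01:05Z"},
    {"id": 3, "name": "ci", "conclusion": "failure",
     "run_started_at": "2024-03-28T10:00:00Z", "updated_at": "2024-03-28T10:01:10Z"},
    {"id": 4, "name": "ci", "conclusion": "success",
     "run_started_at": "2024-03-28T11:00:00Z", "updated_at": "2024-03-28T11:10:00Z"},
    {"id": 5, "name": "deploy", "conclusion": "failure",
     "run_started_at": "2024-03-28T12:00:00Z", "updated_at": "2024-03-28T12:02:00Z"},
    {"id": 6, "name": "deploy", "conclusion": "failure",
     "run_started_at": "2024-03-28T13:00:00Z", "updated_at": "2024-03-28T13:02:05Z"},
    {"id": 7, "name": "deploy", "conclusion": "success",
     "run_started_at": "2024-03-28T14:00:00Z", "updated_at": "2024-03-28T14:02:10Z"},
]

def duration_seconds(run):
    """Wall-clock seconds between run start and last update (ISO 8601 'Z' timestamps)."""
    start = datetime.fromisoformat(run["run_started_at"].replace("Z", "+00:00"))
    end = datetime.fromisoformat(run["updated_at"].replace("Z", "+00:00"))
    return (end - start).total_seconds()

def find_anomalies(runs, max_failure_rate=0.5, min_runs=3, slow_factor=3.0):
    """Return (workflows failing above max_failure_rate, ids of runs slower than
    slow_factor x their workflow's median). Workflows with < min_runs are skipped."""
    by_workflow = defaultdict(list)
    for run in runs:
        by_workflow[run["name"]].append(run)
    failing, slow_runs = [], []
    for name, group in by_workflow.items():
        if len(group) < min_runs:
            continue
        failures = sum(1 for r in group if r["conclusion"] == "failure")
        if failures / len(group) > max_failure_rate:
            failing.append(name)
        durations = {r["id"]: duration_seconds(r) for r in group}
        baseline = median(durations.values())
        slow_runs.extend(rid for rid, d in durations.items() if d > slow_factor * baseline)
    return failing, slow_runs
```

Feeding `find_anomalies` a page of real runs lists the workflows worth a closer look; median-based scoring is used because a standard-deviation rule cannot flag anything on a handful of runs.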

Compliance checks

Workflow validation

```yaml
- name: Validate workflow
  run: |
    # Check permissions
    if grep -q "permissions: write-all" .github/workflows/*.yml; then
      echo "Error: write-all permissions found"
      exit 1
    fi

    # Check secret usage
    if grep -q "secrets\." .github/workflows/*.yml; then
      echo "Secrets usage found, checking..."
    fi
```

Using actionlint

```bash
# Install actionlint
go install github.com/rhysd/actionlint/cmd/actionlint@latest

# Validate workflows
actionlint .github/workflows/*.yml
```

Automated checks

```yaml
name: Workflow Lint

on:
  push:
    paths:
      - '.github/workflows/**'

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Check workflow syntax
        uses: reviewdog/action-actionlint@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
```

Metrics collection

Workflow metrics

```yaml
- name: Record start time
  run: echo "START_TIME=$(date +%s)" >> "$GITHUB_ENV"

# ... build and test steps ...

- name: Collect metrics
  if: always()
  run: |
    END_TIME=$(date +%s)
    echo "workflow_name=${{ github.workflow }}" >> metrics.txt
    echo "run_id=${{ github.run_id }}" >> metrics.txt
    echo "run_number=${{ github.run_number }}" >> metrics.txt
    echo "status=${{ job.status }}" >> metrics.txt
    # START_TIME was exported through GITHUB_ENV by the first step
    echo "duration=$((END_TIME - START_TIME))" >> metrics.txt
```

Using the GitHub API

```yaml
- uses: actions/github-script@v7
  with:
    script: |
      const runs = await github.rest.actions.listWorkflowRuns({
        owner: context.repo.owner,
        repo: context.repo.repo,
        workflow_id: 'ci.yml'
      });

      console.log(`Total runs: ${runs.data.total_count}`);
```

Exporting metrics

```yaml
- name: Export metrics
  uses: actions/upload-artifact@v4
  with:
    name: metrics
    path: metrics.txt
```

Report generation

Workflow report

```yaml
# The job running these steps must declare needs: [build, test, deploy]
# for the needs.*.result expressions below to resolve.
- name: Generate report
  if: always()
  run: |
    cat > report.md << EOF
    # Workflow Report

    ## Summary
    - **Workflow**: ${{ github.workflow }}
    - **Run ID**: ${{ github.run_id }}
    - **Status**: ${{ job.status }}
    - **Branch**: ${{ github.ref_name }}
    - **Commit**: ${{ github.sha }}
    - **Actor**: ${{ github.actor }}
    - **Event**: ${{ github.event_name }}

    ## Jobs
    | Job | Status |
    |-----|--------|
    | Build | ${{ needs.build.result }} |
    | Test | ${{ needs.test.result }} |
    | Deploy | ${{ needs.deploy.result }} |
    EOF

- uses: actions/upload-artifact@v4
  with:
    name: report
    path: report.md
```

Security report

```yaml
- name: Security report
  if: always()
  run: |
    cat > security-report.md << EOF
    # Security Report

    ## Vulnerabilities
    - Critical: 0
    - High: 0
    - Medium: 0
    - Low: 0

    ## Secrets Used
    - GITHUB_TOKEN: Yes
    - Other secrets: No

    ## Permissions
    - Contents: read
    - Pull-requests: write
    EOF
```

Alert configuration

Slack alerts

```yaml
- name: Alert on failure
  if: failure()
  uses: slackapi/slack-github-action@v1
  with:
    channel-id: 'C0123456789'
    slack-message: |
      :warning: Workflow Failed
      Workflow: ${{ github.workflow }}
      Run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
      Branch: ${{ github.ref_name }}
      Commit: ${{ github.sha }}
      Actor: ${{ github.actor }}
  env:
    SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
```

Email alerts

```yaml
- name: Send email
  if: failure()
  uses: dawidd6/action-send-mail@v3
  with:
    server_address: smtp.gmail.com
    server_port: 465
    username: ${{ secrets.EMAIL_USERNAME }}
    password: ${{ secrets.EMAIL_PASSWORD }}
    # quoted: an unquoted "Failed: ${{ ... }}" is a YAML syntax error (colon-space in a plain scalar)
    subject: "Workflow Failed: ${{ github.workflow }}"
    body: |
      Workflow ${{ github.workflow }} failed.
      Run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
    to: team@example.com
    from: GitHub Actions
```

Best practices

1. Enable the audit log

Make sure the audit log is enabled for the organization.

2. Review regularly

Review workflow and permission configuration on a regular schedule.

3. Set up alerts

Configure failure alerts for critical workflows.

4. Use the step summary

Generate readable workflow reports.

5. Monitor for anomalies

Watch for unusual workflow behaviour.

Summary

  • Use the audit log to trace activity
  • Monitor workflow status
  • Set up failure alerts
  • Review configuration regularly
  • Collect metrics
  • Generate report documents

Last updated: 2026-03-28