Skip to content

Creates a CSV file of `git log` data, useful for audit reports and other "chain of custody" type reports

License

Notifications You must be signed in to change notification settings

some-natalie/gitlog-to-csv

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

68 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

gitlog-to-csv Action

Creates a CSV file of some git log data, useful for exporting to audit reports and other "chain of custody" type reports. It can optionally create diffs to show line-by-line and file-by-file what changed at each commit and by whom, as well as if each commit was signed with a GPG certificate.

OpenSSF Scorecard

Note

Only need the shell script? Here you go - git-history-report.sh

Inputs and Outputs

Inputs

  • Repository name (defaults to the current repository)
  • Branch name (defaults to "main")
  • Whether the GPG commit signing info should be included (defaults to "false")
  • GitHub PAT token to use (defaults to the included github.token, only needed if the repository name isn't the current one)
  • Whether to also generate diff files for each commit and include them in the zip archive (defaults to "false")

It'll output a CSV file, zipped and uploaded as an artifact on that workflow run. If the diff file option is also set to true, it'll include all of those diffs in the zip file as well. Artifact storage has a limited timeframe, so you may need to download it and move it into another business system (either automatically or manually) depending on your needs. Here's what it'll return:

Header Description
url URL within GitHub to view the detailed diff of this commit
commit id Short SHA of the commit
author Commit author
commit signature status GPG commit signature status (docs)
name of signer Name on the GPG key
key used to sign GPG key used to sign
date Date on the commit
comment Comment (short, not full) on the commit
changed files Number of files changed in this commit
lines added Number of lines added in this commit
lines deleted Number of lines deleted in this commit

Usage

Create a new workflow (or add it to an existing workflow) in ~/.github/workflows and add the following to a step:

steps:
  - name: Upload a CSV code audit log to this workflow
    uses: some-natalie/gitlog-to-csv@v1

There's also an example using this Action in this repo.

An important note on GPG commit signing

Per the git documentation, the "status codes" in the "commit signature status" field is included below.

Code Meaning
G Good (valid) signature
B Bad signature
U Good signature with unknown validity
X Good signature that has expired
Y Good signature made by an expired key
R Good signature made by a revoked key
E Signature cannot be checked (e.g. missing key)
N No signature

Note

The runner that you use to execute this Action might need to be set up to trust your key management server. This may mean you'll need to chat with your key management / identity management folks to get things set up on a private key server.

GitHub Enterprise version compatibility

Naturally, this works without any hitch on GitHub.com. As a composite Action that calls other Actions, you'll need to be on at least GitHub Enterprise Server or GitHub AE version 3.3 to use this if you're not in GitHub.com.

Note

This references the tag v4 of actions/checkout and actions/upload-artifact, which may be beyond the version shipped bundled in GHES. Your enterprise administrator might need to update the bundled actions. Alternatively, you can copy this repository to your GHES instance and downgrade the versions of these dependencies in that process.

Using it without GitHub Actions

❓ Not using or can't use GitHub Actions? Not a problem - the core logic of this report is a plain bash script that you can plug into your CI system of choice or run ad hoc. To run on an arbitrary machine, you'll need the following:

  • BASH, of course
  • GNU awk and sed
  • Git
  • GPG set up and appropriate certificates installed if you want to verify commit signing - sorry this one is kinda vague, but what this looks like will vary widely based on your company's configuration.

But why, though?

Yes, all of this information is available in git because this information is the very nature of version control - but sometimes we all need a checklist or report to give to someone who doesn't want to hang out in a version control system. The goal here is to make everyone's life just a tiny bit easier, one sed command at a time. ❤️

About

Creates a CSV file of `git log` data, useful for audit reports and other "chain of custody" type reports

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages