[Feb-01] [Ecosystem] Update audit log for GitHub Actions events (#17436)

* Added “workflows” category for audit log

* Fixed table

* Updated links

* Small edits

* Added versioning

* Added entry for `self_hosted_runner_updated`

* Added repo entry for `self_hosted_runner_updated`

* Added `enterprise` category actions

* Added "starting_workflow_job"

* Update reviewing-the-audit-log-for-your-organization.md

* Added changes to security hardening guide

* Update security-hardening-for-github-actions.md

* Added versioning for "self-hosted runners" tables

* Update reviewing-the-audit-log-for-your-organization.md

* Apply suggestions from code review

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update security-hardening-for-github-actions.md

* Update reviewing-the-audit-log-for-your-organization.md

* Update reviewing-the-audit-log-for-your-organization.md

* Update security-hardening-for-github-actions.md

* Update reviewing-the-audit-log-for-your-organization.md

* Update security-hardening-for-github-actions.md

* Update security-hardening-for-github-actions.md

* Update reviewing-the-audit-log-for-your-organization.md

* Update security-hardening-for-github-actions.md

* Update reviewing-the-audit-log-for-your-organization.md

* Update reviewing-the-audit-log-for-your-organization.md

* Update security-hardening-for-github-actions.md

* Moved enterprise events into reusable

* Added versioning to exclude AE

* Changed table identation and naming for consistency with reusable

* Update security-hardening-for-github-actions.md

* Update reviewing-the-audit-log-for-your-organization.md

* Added note to mention that certain events can only be viewed using the API.

* Added event visibility information.

* Removed superfluous description text

* Fixed typo

* Moved table into reusable

* Removed unused events superseded by `runner_group_updated`

Co-authored-by: Sarah Edwards <skedwards88@github.com>

Author: Martin Lopes

content/actions/learn-github-actions/security-hardening-for-github-actions.md

@@ -115,7 +115,7 @@ Some customers might attempt to partially mitigate these risks by implementing s
 
 You can use the audit log to monitor administrative tasks in an organization. The audit log records the type of action, when it was run, and which user account performed the action.
 
-For example, you can use the audit log to track the `action:org.update_actions_secret` event, which tracks changes to organization secrets:
+For example, you can use the audit log to track the `org.update_actions_secret` event, which tracks changes to organization secrets:
   ![Audit log entries](/assets/images/help/repository/audit-log-entries.png)
 
 The following tables describe the {% data variables.product.prodname_actions %} events that you can find in the audit log. For more information on using the audit log, see
@@ -124,26 +124,45 @@ The following tables describe the {% data variables.product.prodname_actions %}
 #### Events for secret management
 | Action | Description
 |------------------|-------------------
-| `action:org.create_actions_secret` | Triggered when a organization admin [creates a {% data variables.product.prodname_actions %} secret](/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-organization).
-| `action:org.remove_actions_secret` | Triggered when a organization admin removes a {% data variables.product.prodname_actions %} secret.
-| `action:org.update_actions_secret` | Triggered when a organization admin updates a {% data variables.product.prodname_actions %} secret.
-| `action:repo.create_actions_secret ` | Triggered when a repository admin [creates a {% data variables.product.prodname_actions %} secret](/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository).
-| `action:repo.remove_actions_secret` | Triggered when a repository admin removes a {% data variables.product.prodname_actions %} secret.
-| `action:repo.update_actions_secret` | Triggered when a repository admin updates a {% data variables.product.prodname_actions %} secret.
-
+| `org.create_actions_secret` | Triggered when a {% data variables.product.prodname_actions %} secret is created for an organization. For more information, see "[Creating encrypted secrets for an organization](/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-organization)."
+| `org.remove_actions_secret` | Triggered when a {% data variables.product.prodname_actions %} secret is removed.
+| `org.update_actions_secret` | Triggered when a {% data variables.product.prodname_actions %} secret is updated.
+| `repo.create_actions_secret ` | Triggered when a {% data variables.product.prodname_actions %} secret is created for a repository. For more information, see "[Creating encrypted secrets for a repository](/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository)."
+| `repo.remove_actions_secret` | Triggered when a {% data variables.product.prodname_actions %} secret is removed.
+| `repo.update_actions_secret` | Triggered when a {% data variables.product.prodname_actions %} secret is updated.
+
+{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
 #### Events for self-hosted runners
 | Action | Description
 |------------------|-------------------
-| `action:org.register_self_hosted_runner` | Triggered when an organization owner [registers a new self-hosted runner](/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization).
-| `action:org.remove_self_hosted_runner` | Triggered when an organization owner [removes a self-hosted runner](/actions/hosting-your-own-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization).
-| `action:repo.register_self_hosted_runner` | Triggered when a repository admin [registers a new self-hosted runner](/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository).
-| `action:repo.remove_self_hosted_runner` | Triggered when a repository admin [removes a self-hosted runner](/actions/hosting-your-own-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository).
+| `enterprise.register_self_hosted_runner` | Triggered when a new self-hosted runner is registered. For more information, see "[Adding a self-hosted runner to an enterprise](/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-enterprise)."
+| `enterprise.self_hosted_runner_updated` | Triggered when the runner application is updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners)."
+| `org.register_self_hosted_runner` | Triggered when a new self-hosted runner is registered. For more information, see "[Adding a self-hosted runner to an organization](/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization)."
+| `org.remove_self_hosted_runner` | Triggered when a self-hosted runner is removed. For more information, see [Removing a runner from an organization](/actions/hosting-your-own-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization).
+| `org.self_hosted_runner_updated` | Triggered when the runner application is updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners)."
+| `repo.register_self_hosted_runner` | Triggered when a new self-hosted runner is registered. For more information, see "[Adding a self-hosted runner to a repository](/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository)."
+| `repo.remove_self_hosted_runner` | Triggered when a self-hosted runner is removed. For more information, see "[Removing a runner from a repository](/actions/hosting-your-own-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository)."
+| `repo.self_hosted_runner_updated` | Triggered when the runner application is updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners)."
+{% endif %}
 
+{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
 #### Events for self-hosted runner groups
 | Action | Description
 |------------------|-------------------
-| `action:org.runner_group_created` | Triggered when an organization admin [creates a self-hosted runner group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization).
-| `action:org.runner_group_removed` | Triggered when an organization admin removes a self-hosted runner group.
-| `action:org.runner_group_renamed` | Triggered when an organization admin renames a self-hosted runner group.
-| `action:org.runner_group_runners_added` | Triggered when an organization admin [adds a self-hosted runner to a group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group).
-| `action:org.runner_group_runners_removed` | Triggered when an organization admin removes a self-hosted runner from a group.
+| `enterprise.runner_group_created` | Triggered when a self-hosted runner group is created. For more information, see "[Creating a self-hosted runner group for an enterprise](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-enterprise)."
+| `enterprise.runner_group_removed` | Triggered when a self-hosted runner group is removed. For more information, see "[Removing a self-hosted runner group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group)."
+| `enterprise.runner_group_runner_removed` | Triggered when a self-hosted runner is removed from a group.
+| `enterprise.runner_group_runners_added` | Triggered when a self-hosted runner is added to a group. For more information, see "[Moving a self-hosted runner to a group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group)."
+| `enterprise.runner_group_updated` |Triggered when the configuration of a self-hosted runner group is changed. For more information, see "[Changing the access policy of a self-hosted runner group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group)."
+| `org.runner_group_created` | Triggered when a self-hosted runner group is created. For more information, see "[Creating a self-hosted runner group for an organization](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization)."
+| `org.runner_group_removed` | Triggered when a self-hosted runner group is removed. For more information, see "[Removing a self-hosted runner group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group)."
+| `org.runner_group_runners_added` | Triggered when a self-hosted runner is added to a group. For more information, see "[Moving a self-hosted runner to a group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group)."
+| `org.runner_group_runner_removed` | Triggered when a self-hosted runner is removed from a group.
+{% endif %}
+
+{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
+#### Events for workflow activities
+
+{% data reusables.actions.actions-audit-events-workflow %}
+
+{% endif %}

content/admin/user-management/audited-actions.md

@@ -11,8 +11,8 @@ versions:
 ---
 #### Authentication
 
-Name                                 | Description
-------------------------------------:| ----------------------------------------
+Action                               | Description
+------------------------------------ | ----------------------------------------
 `oauth_access.create`                | An [OAuth access token][] was [generated][generate token] for a user account.
 `oauth_access.destroy`               | An [OAuth access token][] was deleted from a user account.
 `oauth_application.destroy`          | An [OAuth application][] was deleted from a user or organization account.
@@ -31,45 +31,52 @@ Name                                 | Description
   [OAuth application]: /guides/basics-of-authentication/#registering-your-app
   [2fa]: /articles/about-two-factor-authentication
 
+{% if currentVersion ver_gt "enterprise-server@2.21" %}
+#### {% data variables.product.prodname_actions %}
+
+{% data reusables.actions.actions-audit-events-for-enterprise %}
+
+{% endif %}
+
 #### Hooks
 
-Name                              | Description
----------------------------------:| -------------------------------------------
+Action                            | Description
+--------------------------------- | -------------------------------------------
 `hook.create`                     | A new hook was added to a repository.
 `hook.config_changed`             | A hook's configuration was changed.
 `hook.destroy`                    | A hook was deleted.
 `hook.events_changed`             | A hook's configured events were changed.
 
 #### Enterprise configuration settings
 
-Name                                            | Description
------------------------------------------------:| -------------------------------------------
+Action                                          | Description
+----------------------------------------------- | -------------------------------------------
 `business.update_member_repository_creation_permission` | A site admin restricts repository creation in organizations in the enterprise. For more information, see "[Enforcing repository management policies in your enterprise](/admin/policies/enforcing-repository-management-policies-in-your-enterprise#setting-a-policy-for-repository-creation)."
 `business.clear_members_can_create_repos` | A site admin clears a restriction on repository creation in organizations in the enterprise. For more information, see "[Enforcing repository management policies in your enterprise](/admin/policies/enforcing-repository-management-policies-in-your-enterprise#setting-a-policy-for-repository-creation)."{% if enterpriseServerVersions contains currentVersion %}
 `enterprise.config.lock_anonymous_git_access`   | A site admin locks anonymous Git read access to prevent repository admins from changing existing anonymous Git read access settings for repositories in the enterprise. For more information, see "[Enforcing repository management policies in your enterprise](/admin/policies/enforcing-repository-management-policies-in-your-enterprise#configuring-anonymous-git-read-access)."
 `enterprise.config.unlock_anonymous_git_access` | A site admin unlocks anonymous Git read access to allow repository admins to change existing anonymous Git read access settings for repositories in the enterprise. For more information, see "[Enforcing repository management policies in your enterprise](/admin/policies/enforcing-repository-management-policies-in-your-enterprise#configuring-anonymous-git-read-access)."{% endif %}
 
 #### Issues and pull requests
 
-Name                                 | Description
-------------------------------------:| -----------------------------------------------------------
+Action                               | Description
+------------------------------------ | -----------------------------------------------------------
 `issue.update`                       | An issue's body text (initial comment) changed.
 `issue_comment.update`               | A comment on an issue (other than the initial one) changed.
 `pull_request_review_comment.delete` | A comment on a pull request was deleted.
 `issue.destroy`                      | An issue was deleted from the repository. For more information, see "[Deleting an issue](/github/managing-your-work-on-github/deleting-an-issue)."
 
 #### Organizations
 
-Name               | Description
-------------------:| ----------------------------------------------------------
+Action             | Description
+------------------ | ----------------------------------------------------------
 `org.async_delete` | A user initiated a background job to delete an organization.
 `org.delete`       | An organization was deleted by a user-initiated background job.{% if currentVersion != "github-ae@latest" %}
 `org.transform`    | A user account was converted into an organization. For more information, see "[Converting a user into an organization](/github/setting-up-and-managing-your-github-user-account/converting-a-user-into-an-organization)."{% endif %}
 
 #### Protected branches
 
-Name                       | Description
---------------------------:| ----------------------------------------------------------
+Action                     | Description
+-------------------------- | ----------------------------------------------------------
 `protected_branch.create ` | Branch protection is enabled on a branch.
 `protected_branch.destroy` | Branch protection is disabled on a branch.
 `protected_branch.update_admin_enforced `            | Branch protection is enforced for repository administrators.
@@ -83,8 +90,8 @@ Name                       | Description
 
 #### Repositories
 
-Name                  | Description
----------------------:| -------------------------------------------------------
+Action                | Description
+--------------------- | -------------------------------------------------------
 `repo.access`         | The visibility of a repository changed to private{% if enterpriseServerVersions contains currentVersion %}, public,{% endif %} or internal.
 `repo.archived`       | A repository was archived. For more information, see "[Archiving a {% data variables.product.prodname_dotcom %} repository](/github/creating-cloning-and-archiving-repositories/archiving-a-github-repository)."
 `repo.add_member`     | A collaborator was added to a repository.
@@ -103,8 +110,8 @@ Name                  | Description
 
 #### Site admin tools
 
-Name                          | Description
------------------------------:| -----------------------------------------------
+Action                        | Description
+----------------------------- | -----------------------------------------------
 `staff.disable_repo`          | A site admin disabled access to a repository and all of its forks.
 `staff.enable_repo`           | A site admin re-enabled access to a repository and all of its forks.
 `staff.fake_login`            | A site admin signed into {% data variables.product.product_name %} as another user.
@@ -113,8 +120,8 @@ Name                          | Description
 
 #### Teams
 
-Name                              | Description
----------------------------------:| -------------------------------------------
+Action                            | Description
+--------------------------------- | -------------------------------------------
 `team.create`                     | A user account or repository was added to a team.
 `team.delete`                     | A user account or repository was removed from a team.{% if currentVersion ver_gt "enterprise-server@2.22" or currentVersion == "github-ae@latest" %}
 `team.demote_maintainer`          | A user was demoted from a team maintainer to a team member.{% endif %}
@@ -124,8 +131,8 @@ Name                              | Description
 
 #### Users
 
-Name                              | Description
----------------------------------:| -------------------------------------------
+Action                            | Description
+--------------------------------- | -------------------------------------------
 `user.add_email`                  | An email address was added to a user account.
 `user.async_delete`               | An asynchronous job was started to destroy a user account, eventually triggering `user.delete`.{% if enterpriseServerVersions contains currentVersion %}
 `user.change_password`            | A user changed his or her password.{% endif %}