
Conflicting Namespaces in TensorFlow Lite Libraries


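name: Issue/Milestone/Review Comment Audit Log

# Every issue, milestone and comment mutation in this repository is appended to
# the `audit-log` branch as one NDJSON record plus a per-event JSON and
# Markdown file, so that edits and deletions leave a trail outside the issue UI.
#
# No `concurrency` group is used on purpose: GitHub keeps at most one pending
# run per group and cancels the rest, which would silently drop events. Push
# contention is handled by the retry loop in the push step instead.
on:  # yamllint disable-line rule:truthy
  milestone:
    types: [created, edited, opened, closed, deleted]
  issues:
    types:
      - opened
      - edited
      - deleted
      - closed
      - reopened
      - assigned
      - unassigned
      - labeled
      - unlabeled
      - milestoned
      - demilestoned
      - locked
      - unlocked
      - transferred
      - pinned
      - unpinned
  issue_comment:
    types: [created, edited, deleted]
  pull_request_review_comment:
    types: [created, edited, deleted]

# Least privilege for GITHUB_TOKEN. The push to `audit-log` is done with the
# AUDIT_LOG_PUSH_TOKEN secret that actions/checkout persists in the local git
# config, so the built-in token never writes repository contents; it only
# needs `issues: write` to open the HIGH-severity alert issue.
permissions:
  contents: read
  issues: write
  pull-requests: read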
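jobs:
  append-audit-record:
    # Only the first attempt of a run records the event: a re-run would build a
    # record with a new timestamp/run_attempt and therefore a new event_id, and
    # append the same webhook event a second time.
    if: ${{ github.run_attempt == '1' }}
    runs-on: ubuntu-latest
    steps:
      - name: Verify audit push token is configured
        shell: bash
        # The secret reaches the shell through env rather than being expanded
        # into the script text with ${{ }}.
        env:
          AUDIT_LOG_PUSH_TOKEN: ${{ secrets.AUDIT_LOG_PUSH_TOKEN }}
        run: |
          set -euo pipefail
          if [ -z "${AUDIT_LOG_PUSH_TOKEN:-}" ]; then
            echo "AUDIT_LOG_PUSH_TOKEN is not configured."
            exit 1
          fi

      - name: Checkout audit-log branch
        uses: actions/checkout@v4
        with:
          ref: audit-log
          fetch-depth: 0
          # actions/checkout persists this token in the local git config; the
          # push step below relies on that, not on GITHUB_TOKEN.
          token: ${{ secrets.AUDIT_LOG_PUSH_TOKEN }}

      - name: Render event record
        shell: bash
        run: |
          set -euo pipefail
          # The event is rendered into RUNNER_TEMP, not into the checkout: the
          # push step resets the worktree to origin/audit-log before every
          # attempt and copies these files in afterwards, so the checkout is
          # never the source of truth for the new event.
          render_dir="$RUNNER_TEMP/audit-event"
          mkdir -p "$render_dir"

          # The record is built by jq straight from the webhook payload file;
          # nothing from the payload is expanded into shell text.
          #
          # Severity: deletions and title/body/description edits are HIGH.
          # NOTE(review): `issue_comment` edits stay INFO while
          # `pull_request_review_comment` edits are HIGH — confirm this
          # asymmetry is intended.
          #
          # `issue.body` is captured so that the Field Diffs section of the
          # Markdown file has an "after" side for issue body edits.
          raw_record=$(jq -c '{
            timestamp: (now | todateiso8601),
            event_ts: (
              .comment.updated_at
              // .comment.created_at
              // .issue.updated_at
              // .issue.created_at
              // .milestone.updated_at
              // .milestone.created_at
              // (now | todateiso8601)
            ),
            repo: .repository.full_name,
            event_name: env.GITHUB_EVENT_NAME,
            action: .action,
            actor: .sender.login,
            run_id: env.GITHUB_RUN_ID,
            run_attempt: env.GITHUB_RUN_ATTEMPT,
            sender: {
              login: .sender.login,
              html_url: .sender.html_url
            },
            issue: (if .issue then {
              number: .issue.number,
              title: .issue.title,
              body: (.issue.body // null),
              state: .issue.state,
              html_url: .issue.html_url,
              milestone: (if .issue.milestone then {
                number: .issue.milestone.number,
                title: .issue.milestone.title
              } else null end)
            } else null end),
            pull_request: (if .pull_request then {
              number: .pull_request.number,
              title: .pull_request.title,
              state: .pull_request.state,
              html_url: .pull_request.html_url,
              milestone: (if .pull_request.milestone then {
                number: .pull_request.milestone.number,
                title: .pull_request.milestone.title
              } else null end)
            } else null end),
            comment: (if .comment then {
              id: .comment.id,
              html_url: (.comment.html_url // null),
              created_at: (.comment.created_at // null),
              updated_at: (.comment.updated_at // null),
              body: (.comment.body // null)
            } else null end),
            milestone: (if .milestone then {
              number: .milestone.number,
              title: .milestone.title,
              state: .milestone.state,
              due_on: .milestone.due_on,
              html_url: .milestone.html_url,
              description: .milestone.description
            } else null end),
            changes: (.changes // null),
            severity: (
              if env.GITHUB_EVENT_NAME == "milestone"
                and .action == "edited"
                and ((.changes.title? // null) != null or (.changes.description? // null) != null)
              then "HIGH"
              elif env.GITHUB_EVENT_NAME == "issue_comment"
                and .action == "deleted"
              then "HIGH"
              elif env.GITHUB_EVENT_NAME == "pull_request_review_comment"
                and .action == "deleted"
              then "HIGH"
              elif env.GITHUB_EVENT_NAME == "issues"
                and .action == "edited"
                and ((.changes.title? // null) != null or (.changes.body? // null) != null)
              then "HIGH"
              elif env.GITHUB_EVENT_NAME == "pull_request_review_comment"
                and .action == "edited"
                and ((.changes.body? // null) != null)
              then "HIGH"
              else "INFO"
              end
            ),
            target_url: (.comment.html_url // .issue.html_url // .pull_request.html_url // .milestone.html_url // null)
          }' "$GITHUB_EVENT_PATH")

          # event_id is the sha256 of the canonical (sorted-key) record. It is
          # stable within this run, which is what the push retry loop uses to
          # detect that an earlier attempt already landed on audit-log.
          event_id=$(printf '%s' "$raw_record" | jq -cS . | sha256sum | awk '{print $1}')
          record=$(printf '%s' "$raw_record" | jq -c --arg event_id "$event_id" '. + {event_id: $event_id}')

          printf '%s\n' "$record" > "$render_dir/record.ndjson"
          printf '%s\n' "$record" | jq . > "$render_dir/$event_id.json"

          # Human-readable companion file: header, the raw record, and for
          # edits a unified diff per changed field.
          {
            echo "# Audit Event $event_id"
            echo
            echo "- Timestamp: $(printf '%s' "$record" | jq -r '.timestamp')"
            echo "- Actor: $(printf '%s' "$record" | jq -r '.actor')"
            echo "- Event: $(printf '%s' "$record" | jq -r '.event_name + "." + .action')"
            echo "- Target URL: $(printf '%s' "$record" | jq -r '.target_url // "-"')"
            echo
            echo "## Raw Event"
            echo
            echo '```json'
            printf '%s\n' "$record" | jq .
            echo '```'
            if printf '%s' "$record" | jq -e '.action=="edited" and .changes != null' >/dev/null; then
              echo
              echo "## Field Diffs"
              diff_tmp_dir=$(mktemp -d)
              while IFS=$'\t' read -r field before after; do
                # base64 -d restores the exact bytes of each side, newlines
                # included. No further escape processing is applied, so a
                # body containing a literal "\n" or a backslash path is
                # diffed exactly as the user wrote it.
                printf '%s' "$before" | base64 -d > "$diff_tmp_dir/before"
                printf '%s' "$after" | base64 -d > "$diff_tmp_dir/after"
                echo
                echo "### $field"
                echo
                echo '```diff'
                # git diff exits 1 when the sides differ; that is the normal case.
                git diff --no-index --unified=3 -- "$diff_tmp_dir/before" "$diff_tmp_dir/after" || true
                echo '```'
              done < <(
                # One TSV line per changed field: key, base64(before), base64(after).
                # new_value looks the field up on the object the event mutated,
                # falling back to whichever object carries a non-null value.
                printf '%s' "$record" | jq -r '
                  . as $root
                  | def new_value($f):
                      if $root.event_name == "issue_comment" and $f == "body" then $root.comment.body
                      elif $root.event_name == "pull_request_review_comment" and $f == "body" then $root.comment.body
                      elif $root.event_name == "issues" and $root.issue != null and ($root.issue[$f] != null) then $root.issue[$f]
                      elif $root.event_name == "pull_request_review_comment" and $root.pull_request != null and ($root.pull_request[$f] != null) then $root.pull_request[$f]
                      elif $root.event_name == "milestone" and $root.milestone != null and ($root.milestone[$f] != null) then $root.milestone[$f]
                      elif $root.issue != null and ($root.issue[$f] != null) then $root.issue[$f]
                      elif $root.pull_request != null and ($root.pull_request[$f] != null) then $root.pull_request[$f]
                      elif $root.milestone != null and ($root.milestone[$f] != null) then $root.milestone[$f]
                      else null end;
                  $root.changes
                  | to_entries[]
                  | .key as $k
                  | (.value.from // "") as $from
                  | (new_value($k) // "") as $to
                  | [
                      $k,
                      ($from | tostring | @base64),
                      ($to | tostring | @base64)
                    ]
                  | @tsv
                '
              )
              rm -rf "$diff_tmp_dir"
            fi
          } > "$render_dir/$event_id.md"

      - name: Commit and push audit update (fallback to staging branch)
        id: push_audit
        shell: bash
        env:
          # github.event.action is a fixed GitHub-defined value; it is still
          # passed through env rather than expanded into the script text.
          EVENT_ACTION: ${{ github.event.action }}
        run: |
          set -euo pipefail
          render_dir="$RUNNER_TEMP/audit-event"
          record="$(cat "$render_dir/record.ndjson")"
          if [ -z "$record" ]; then
            echo "Unable to read rendered event record from $render_dir"
            exit 1
          fi
          event_id="$(printf '%s' "$record" | jq -r '.event_id // empty')"
          if [ -z "$event_id" ]; then
            echo "Event record missing event_id"
            exit 1
          fi
          event_date="$(printf '%s' "$record" | jq -r '.timestamp[0:10]')"
          severity="$(printf '%s' "$record" | jq -r '.severity // "INFO"')"
          actor="$(printf '%s' "$record" | jq -r '.actor // "-"')"
          event_name="$(printf '%s' "$record" | jq -r '.event_name // "-"')"
          action="$(printf '%s' "$record" | jq -r '.action // "-"')"
          target_url="$(printf '%s' "$record" | jq -r '.target_url // "-"')"

          # Outputs are single-line scalars by construction. A value with a
          # newline would be parsed as a second key in GITHUB_OUTPUT, so refuse
          # it rather than emit it. A later value for the same key overrides an
          # earlier one (used below for alert_needed / alert_branch).
          set_output() {
            case "$2" in
              *$'\n'*) echo "Refusing multi-line value for output $1"; exit 1 ;;
            esac
            printf '%s=%s\n' "$1" "$2" >> "$GITHUB_OUTPUT"
          }
          set_output event_id "$event_id"
          set_output event_date "$event_date"
          set_output severity "$severity"
          set_output actor "$actor"
          set_output event_name "$event_name"
          set_output action "$action"
          set_output target_url "$target_url"
          set_output alert_needed true
          set_output alert_branch audit-log

          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          commit_message="chore(audit): log ${GITHUB_EVENT_NAME}.${EVENT_ACTION}"

          # Markdown table of the newest 100 records. Regenerated after every
          # sync with origin/audit-log so it also reflects other runs' events.
          render_last_100() {
            echo "# Last 100 Audit Events"
            echo
            echo "This file is generated from \`audit/events.ndjson\`."
            echo
            echo "| Timestamp (UTC) | Severity | Event ID | Actor | Event | Issue | Milestone | Link |"
            echo "|---|---|---|---|---|---|---|---|"
            # @tsv escapes tabs/newlines inside cells, so `read` sees one row per line.
            tail -n 100 audit/events.ndjson | jq -r '
              def event_file:
                if (.event_id != null and .timestamp != null) then
                  "events/" + (.timestamp[0:10]) + "/" + .event_id + ".md"
                else "-"
                end;
              def event_id_cell:
                if .event_id == null then "-"
                else "[" + .event_id[0:12] + "...]" + "(" + event_file + ")"
                end;
              def issue_text:
                if .issue != null then
                  "[#\(.issue.number)](\(.issue.html_url // "#"))"
                elif .pull_request != null then
                  "[PR #\(.pull_request.number)](\(.pull_request.html_url // "#"))"
                else "-"
                end;
              def milestone_text:
                if .milestone != null then
                  "[#\(.milestone.number)](\(.milestone.html_url // "#"))"
                elif (.pull_request != null and .pull_request.milestone != null) then
                  "[#\(.pull_request.milestone.number)](https://github.com/\(.repo)/milestone/\(.pull_request.milestone.number))"
                elif (.issue != null and .issue.milestone != null) then
                  "[#\(.issue.milestone.number)](https://github.com/\(.repo)/milestone/\(.issue.milestone.number))"
                else "-"
                end;
              [
                (.timestamp // "-"),
                (.severity // "INFO"),
                event_id_cell,
                (.actor // "-"),
                (((.event_name // "-") + "." + (.action // "-"))),
                issue_text,
                milestone_text,
                (.target_url // "-")
              ]
              | @tsv
            ' | while IFS=$'\t' read -r ts sev_col id_col actor_col ev issue ms url; do
              safe_issue=$(printf '%s' "$issue" | tr '\n\r' ' ')
              safe_ms=$(printf '%s' "$ms" | tr '\n\r' ' ')
              safe_ev=$(printf '%s' "$ev" | tr '\n\r' ' ')
              safe_sev=$(printf '%s' "$sev_col" | tr '\n\r' ' ')
              safe_event_id=$(printf '%s' "$id_col" | tr '\n\r' ' ')
              safe_actor=$(printf '%s' "$actor_col" | tr '\n\r' ' ')
              if [ "$url" = "-" ]; then
                link_cell='-'
              else
                link_cell="[link]($url)"
              fi
              printf '| %s | %s | %s | %s | %s | %s | %s | %s |\n' "$ts" "$safe_sev" "$safe_event_id" "$safe_actor" "$safe_ev" "$safe_issue" "$safe_ms" "$link_cell"
            done
          }

          # Bring the worktree to the current tip of audit-log. `reset --hard`
          # discards anything a previous attempt left behind.
          sync_with_origin() {
            git fetch origin audit-log
            git reset --hard origin/audit-log
            mkdir -p audit
            touch audit/events.ndjson
          }

          # True when an earlier attempt already landed this event (a push can
          # succeed after reporting a failure).
          already_logged() {
            grep -Fq "\"event_id\":\"$event_id\"" audit/events.ndjson
          }

          # Append the rendered event to the synced worktree and stage it.
          apply_record_to_worktree() {
            event_dir="audit/events/${event_date}"
            mkdir -p "$event_dir"
            printf '%s\n' "$record" >> audit/events.ndjson
            cp "$render_dir/$event_id.json" "$render_dir/$event_id.md" "$event_dir/"
            render_last_100 > audit/LAST_100.md
            git add audit/events.ndjson audit/LAST_100.md audit/events
          }

          # Retry the push for up to max_seconds with 10-119 s jittered sleeps;
          # concurrent runs race for the same branch tip.
          start_epoch=$(date +%s)
          max_seconds=900
          attempt=0
          while true; do
            now_epoch=$(date +%s)
            elapsed=$((now_epoch - start_epoch))
            if [ "$elapsed" -ge "$max_seconds" ]; then
              echo "Retry budget exhausted after ${elapsed}s"
              break
            fi
            attempt=$((attempt + 1))
            echo "Push attempt $attempt (elapsed ${elapsed}s/${max_seconds}s)"
            sync_with_origin
            if already_logged; then
              echo "Event $event_id already present in audit-log; nothing to push"
              set_output alert_needed false
              exit 0
            fi
            apply_record_to_worktree
            if git diff --cached --quiet; then
              echo "No net changes after applying record; treating as success"
              exit 0
            fi
            git commit -m "$commit_message"
            if git push origin HEAD:audit-log; then
              echo "Push to audit-log succeeded on attempt $attempt"
              exit 0
            fi
            echo "Push failed on attempt $attempt; retrying"
            sleep_seconds=$((10 + RANDOM % 110))
            echo "Sleeping ${sleep_seconds}s before retry"
            sleep "$sleep_seconds"
          done

          # Fallback: never lose the event. Park it on a per-run staging branch
          # and point the alert at that branch instead.
          staging_branch="audit-staging/${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
          echo "Direct push failed after retries; preserving event on $staging_branch"
          sync_with_origin
          if already_logged; then
            echo "Event $event_id already present in audit-log; no staging fallback needed"
            set_output alert_needed false
            exit 0
          fi
          apply_record_to_worktree
          git commit -m "$commit_message"
          set_output alert_branch "$staging_branch"
          git checkout -B "$staging_branch"
          git push origin "HEAD:$staging_branch"
          echo "Event preserved on staging branch for later reconciliation"
          exit 0

      - name: Create HIGH severity alert issue
        if: steps.push_audit.outputs.severity == 'HIGH' && steps.push_audit.outputs.alert_needed == 'true'
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
          # The step outputs derive from the webhook payload (actor login,
          # URLs); they reach the script as variables, never as expanded text.
          REPO: ${{ github.repository }}
          EVENT_ID: ${{ steps.push_audit.outputs.event_id }}
          EVENT_DATE: ${{ steps.push_audit.outputs.event_date }}
          SEVERITY: ${{ steps.push_audit.outputs.severity }}
          ACTOR: ${{ steps.push_audit.outputs.actor }}
          EVENT_NAME: ${{ steps.push_audit.outputs.event_name }}
          ACTION: ${{ steps.push_audit.outputs.action }}
          TARGET_URL: ${{ steps.push_audit.outputs.target_url }}
          ALERT_BRANCH: ${{ steps.push_audit.outputs.alert_branch }}
        run: |
          set -euo pipefail
          # alert_branch is `audit-log` on success or the staging branch when
          # the direct push had to fall back, so the link always resolves.
          event_link="https://github.com/${REPO}/blob/${ALERT_BRANCH}/audit/events/${EVENT_DATE}/${EVENT_ID}.md"
          title="HIGH audit event: ${EVENT_NAME}.${ACTION} by ${ACTOR} (${EVENT_ID:0:12})"
          body=$(cat <<EOF
          ## HIGH Severity Audit Event
          - Severity: \`${SEVERITY}\`
          - Actor: \`${ACTOR}\`
          - Event: \`${EVENT_NAME}.${ACTION}\`
          - Target: ${TARGET_URL}
          - Audit Record: ${event_link}
          Please review the audit record and milestone/issue changes.
          EOF
          )
          gh issue create \
            --repo "$REPO" \
            --title "$title" \
            --body "$body" \
            --assignee "topherbuckley"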