How to identify who published a package to GitHub package registry?


My organization has a paid version of GitHub. Hence, we have private repositories and we can publish GitHub packages.

Unfortunately, I do not know who published the package. It is only possible to know when it was published.

Context: this is especially relevant because traditionally packages were being published by a person and, now, I am creating continuous delivery via GitHub Actions so that packages will be automatically published after a certain file that holds the project version is changed.

Is there any way to find out on GitHub Packages who published the package?


There are 2 best solutions below

Answer by Grzegorz Krukowski (BEST ANSWER)

There's no way to know that directly from the package itself - it only has the owner.

One way to do it would be to disable all current tokens that allow the publishing of the package and force everyone to go through the CI workflow. So instead of publishing the API, they will be forced to trigger a certain workflow that does it for them through the "bot token".

That will allow you to see who triggered a workflow for a certain version.

Answer by Dai

You can-ish: your GitHub Org's page has an Audit log which can show all activity for up to the past six months - including a CSV and JSON export feature:

Reviewing the audit log for your organization

The audit log allows organization admins to quickly review the actions performed by members of your organization. It includes details such as who performed the action, what the action was, and when it was performed.

The audit log lists events triggered by activities that affect your organization within the current month and previous six months. Only owners can access an organization's audit log.

By default, only events from the past three months are displayed. To view older events, you must specify a date range with the created parameter.

Step 1: Locate the Audit Log under your Org's Settings page:


Step 2: Search or Download the audit log:

Keep in mind that only the past 6 months' worth of data will be available in the audit log - and unfortunately you can't automate the process of downloading it unless you're running GitHub Enterprise:

Organizations that use GitHub Enterprise Cloud can interact with the audit log using the GraphQL API and REST API.


Workaround: Set up an Organization-wide Webhook

For everyone else not running GitHub Enterprise Cloud, you can always set up an Organization Webhook which receives notifications whenever package activity happens. Obviously this won't help you to find out what happened a month ago, but it gives you a way to monitor activity in future - and to retain data beyond GitHub's 6 month limit.

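The webhook approach from this answer, as an added example that is not part of the original post or of any GitHub code: a small receiver that verifies GitHub's X-Hub-Signature-256 HMAC header, picks the "package" event with action "published", and appends who published which package version to a local JSONL file, so the record outlives the audit log's retention window. The secret, the listening port, the output file name and the sample payload are all placeholders constructed for the example; the payload field names follow GitHub's documented package event (sender.login, package.name, package.ecosystem, package.package_version).

```python
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Placeholder: must equal the "Secret" entered when creating the Organization Webhook.
WEBHOOK_SECRET = b"replace-with-the-secret-configured-in-github"
# Placeholder: local append-only record of publish events (survives the 6-month audit log limit).
RECORD_FILE = "package-publishes.jsonl"


def sign_body(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Return the header value GitHub sends: 'sha256=' + hex HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature_header: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Reject any delivery whose signature does not match; constant-time compare avoids timing leaks."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(body, secret), signature_header)


def extract_publish_record(event: str, payload: dict) -> Optional[dict]:
    """For a 'package' event with action 'published', return who published what; otherwise None."""
    if event != "package" or payload.get("action") != "published":
        return None
    pkg = payload.get("package") or {}
    version = pkg.get("package_version") or {}
    return {
        "publisher": (payload.get("sender") or {}).get("login"),  # the account that pushed the package
        "package": pkg.get("name"),
        "ecosystem": pkg.get("ecosystem"),
        "version": version.get("version"),
        "published_at": version.get("created_at"),
    }


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP endpoint for the Organization Webhook (run behind TLS in practice)."""

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        # Verify before parsing: unauthenticated bodies never reach json.loads.
        if not verify_signature(body, self.headers.get("X-Hub-Signature-256", "")):
            self.send_response(401)
            self.end_headers()
            return
        record = extract_publish_record(self.headers.get("X-GitHub-Event", ""), json.loads(body))
        if record is not None:
            with open(RECORD_FILE, "a", encoding="utf-8") as fh:
                fh.write(json.dumps(record) + "\n")
        self.send_response(204)
        self.end_headers()


# Constructed sample delivery, shaped like a package "published" event (not a real GitHub payload).
SAMPLE_PAYLOAD = {
    "action": "published",
    "package": {
        "name": "example-lib",
        "ecosystem": "NPM",
        "package_version": {"version": "1.2.3", "created_at": "2023-01-01T00:00:00Z"},
    },
    "sender": {"login": "alice-example"},
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD).encode("utf-8")


if __name__ == "__main__":
    # Placeholder port; point the Organization Webhook's payload URL at this server.
    HTTPServer(("0.0.0.0", 8000), WebhookHandler).serve_forever()
```

Select the "Packages" event when creating the webhook, and keep the JSONL file as your own long-term record of publisher, package and version; the CI-based answer above combines well with this, since a publish done by a workflow shows the bot account as sender while the workflow run itself records the human who triggered it.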