I’m using the Git events audit log REST API, and I feel that the data returned could be a lot more informative. I refer to the “git.clone” actions in particular.
In General, to clone a GitHub repository you need credentials or a token.
If a GithubApp or a 3rd party service has received a user’s consent and has the necessary permissions, it can also clone the organization or user’s repository.
If some user clones a repository, we’ll see its username in the
actor field of the audit logs repsone.
In cases in which a 3rd party service is using a given token, I would expect to see some indication that the clone was performed via a token that was assigned to a GithubApp or 3rd party service.
actor field contains the member that gave the consent to the application (integrating user) without any other indication that it was used by some other service.
This means there is no difference whatsoever between a clone that a user performed and a clone that a 3rd party service performed by using a token that the user had assigned to it.
The whole point of the Audit logs is to give admins visibility on the actions performed on their assets.
Therefore, I believe that the token association should be a vital part of the git events audit data.