GitHub Integration

Connect GitHub to automatically capture model code changes, pull request approvals, workflow runs, and deployments as verified entries in your Audital hash chain.

Last updated: 2 March 2026

Push events

Every commit to tracked branches is logged with author, changed files, and diff summary.

Pull requests

PR creation, approval, merge, and reviewer identities are captured.

Workflow runs

CI/CD pipeline outcomes including test results and deployment steps.

Releases & tags

Version tags and GitHub Releases are linked to deployment events.

Setup

Option A: GitHub App (recommended)

  1. In the Audital dashboard, go to Integrations → GitHub → Install App. You will be redirected to GitHub.
  2. Select the organisation and repositories you want to connect. Audital requests read-only permissions — it never writes to your repositories.
  3. After installation, Audital displays the installationId. You can optionally restrict auditing to specific repositories via the API:
bash
curl -X POST https://api.audital.ai/v1/integrations/github/install \
  -H "Authorization: Bearer ak_live_xxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "installationId": 12345678,
    "repositories": ["my-org/credit-scorer", "my-org/fraud-detection"]
  }'

Option B: Webhook

If you cannot install a GitHub App (e.g., due to org restrictions), configure a repository webhook manually:

bash
# In your GitHub repository settings:
# Settings → Webhooks → Add webhook
#
# Payload URL: https://api.audital.ai/v1/integrations/github/webhook
# Content type: application/json
# Secret: <your-webhook-secret from Audital Settings → Integrations>
# Events to send:
#   ✓ Push
#   ✓ Pull requests
#   ✓ Releases
#   ✓ Deployments
#   ✓ Workflow runs

Repository Permissions

Audital uses the minimum necessary permissions. All access is read-only.

bash
# Minimum required GitHub App permissions:
# Repository permissions:
#   - Contents: Read
#   - Deployments: Read
#   - Pull requests: Read
#   - Statuses: Read
#   - Workflows: Read
#
# Organisation permissions:
#   - Members: Read (only needed for org-level audit)

Captured Events

Push / Commit event

Triggered on every push to a monitored repository. The audit event records the full commit SHA, author identity, changed files, and any associated pull request.

json
{
  "id": "evt_01HZABCDEF1234567890ABCD",
  "chainPosition": 4892,
  "blockHash": "sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b",
  "previousHash": "sha256:7c4a8d09ca3762af61e59520943dc26494f8941b",
  "timestamp": "2026-03-02T14:22:11.003Z",
  "eventType": "CONFIG_CHANGE",
  "severity": "MEDIUM",
  "modelId": "mdl_abc123",
  "source": "GITHUB",
  "actor": {
    "type": "HUMAN",
    "id": "github:jane-smith",
    "displayName": "Jane Smith"
  },
  "payload": {
    "repository": "my-org/credit-scorer",
    "commit": {
      "sha": "a1b2c3d4e5f6789012345678901234567890abcd",
      "message": "chore: update decision threshold to 0.72",
      "author": "jane-smith",
      "url": "https://github.com/my-org/credit-scorer/commit/a1b2c3d4"
    },
    "ref": "refs/heads/main",
    "changedFiles": [
      { "filename": "src/config/thresholds.py", "additions": 1, "deletions": 1 },
      { "filename": "tests/test_thresholds.py", "additions": 12, "deletions": 0 }
    ],
    "pullRequest": {
      "number": 142,
      "title": "Update decision threshold",
      "reviewers": ["compliance-officer"],
      "approved": true,
      "url": "https://github.com/my-org/credit-scorer/pull/142"
    }
  },
  "tags": ["threshold-change", "github-push"],
  "verified": true
}
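
The chainPosition, blockHash and previousHash fields let a reviewer confirm that an exported run of events is contiguous and correctly linked. The following is an added example, not Audital's own code: it assumes the events are already available as a list of dictionaries, `check_chain_links` and `h` are hypothetical names, and the hash values are constructed placeholders. It checks linkage only and does not recompute blockHash, since this page does not describe how that hash is derived.

```python
# Added example (constructed data): linkage check over exported audit events.
# Field names come from the event above; hash values below are placeholders.

def check_chain_links(events):
    """Return (chainPosition, problem) tuples for every break in the chain."""
    problems = []
    ordered = sorted(events, key=lambda e: e["chainPosition"])
    for prev, cur in zip(ordered, ordered[1:]):
        pos = cur["chainPosition"]
        if pos == prev["chainPosition"]:
            problems.append((pos, "duplicate chainPosition"))
        elif pos != prev["chainPosition"] + 1:
            problems.append((pos, "gap: event(s) missing before this position"))
        elif cur["previousHash"] != prev["blockHash"]:
            problems.append((pos, "previousHash does not match prior blockHash"))
    return problems


def h(tag):
    """Constructed placeholder hash in the 'sha256:<hex>' form used above."""
    return "sha256:" + tag * 20


SAMPLE_EVENTS = [
    {"chainPosition": 4891, "blockHash": h("11"), "previousHash": h("00")},
    {"chainPosition": 4892, "blockHash": h("22"), "previousHash": h("11")},
    # Link rewritten: previousHash no longer points at event 4892.
    {"chainPosition": 4893, "blockHash": h("33"), "previousHash": h("ff")},
    # Event 4894 was dropped from the export.
    {"chainPosition": 4895, "blockHash": h("55"), "previousHash": h("44")},
]

if __name__ == "__main__":
    for position, problem in check_chain_links(SAMPLE_EVENTS):
        print(position, problem)
```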

Pull request approval event

When a PR is approved and merged, Audital creates a HUMAN_REVIEW event capturing who reviewed and approved the change — critical for demonstrating human oversight to regulators.

json
{
  "eventType": "HUMAN_REVIEW",
  "source": "GITHUB",
  "payload": {
    "reviewType": "PULL_REQUEST_APPROVAL",
    "pullRequest": {
      "number": 142,
      "title": "Update decision threshold",
      "state": "merged",
      "mergedBy": "compliance-officer",
      "mergedAt": "2026-03-02T14:20:00.000Z",
      "baseBranch": "main",
      "headBranch": "feat/update-threshold"
    },
    "reviewers": [
      { "login": "compliance-officer", "state": "APPROVED", "submittedAt": "2026-03-02T14:18:00.000Z" },
      { "login": "tech-lead", "state": "APPROVED", "submittedAt": "2026-03-02T14:10:00.000Z" }
    ]
  }
}

Deployment event

GitHub Actions workflows that deploy to production trigger a DEPLOYMENT event with the workflow run outcome, git SHA, and environment name.

json
{
  "eventType": "DEPLOYMENT",
  "source": "GITHUB",
  "payload": {
    "environment": "production",
    "workflow": "deploy.yml",
    "runId": 9876543210,
    "conclusion": "success",
    "triggeredBy": "jane-smith",
    "sha": "a1b2c3d4e5f6789012345678901234567890abcd",
    "tag": "v2.4.1",
    "duration": 187
  }
}
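
Because the deployment event carries the git SHA and the push event carries the pull request review state for that SHA, the two can be joined to find production deployments of commits that lack independent review. The following is an added example, not Audital's own code: it assumes the events are already available as a list of dictionaries, the function and helper names are hypothetical, and the sample events are constructed using the field names shown on this page.

```python
# Added example (constructed data): join DEPLOYMENT events to push events by SHA.

def unreviewed_production_deploys(events):
    """Return (runId, reason) for successful production deploys lacking review."""
    pushes = {}  # full commit SHA -> push event payload
    for e in events:
        commit = e.get("payload", {}).get("commit")
        if e.get("source") == "GITHUB" and commit:
            pushes[commit["sha"]] = e["payload"]
    findings = []
    for e in events:
        p = e.get("payload", {})
        if e.get("eventType") != "DEPLOYMENT" or p.get("environment") != "production":
            continue
        if p.get("conclusion") != "success":
            continue
        push = pushes.get(p["sha"])
        if push is None:
            findings.append((p["runId"], "no push event for deployed SHA"))
            continue
        pr = push.get("pullRequest")
        if not pr or not pr.get("approved"):
            findings.append((p["runId"], "commit has no approved pull request"))
            continue
        # Approval only counts if someone other than the commit author reviewed.
        if all(r == push["commit"]["author"] for r in pr.get("reviewers", [])):
            findings.append((p["runId"], "only the commit author reviewed"))
    return findings

def push_event(sha, author, pr):  # builds a constructed push event
    return {"eventType": "CONFIG_CHANGE", "source": "GITHUB",
            "payload": {"commit": {"sha": sha, "author": author}, "pullRequest": pr}}

def deploy_event(run_id, sha):  # builds a constructed deployment event
    return {"eventType": "DEPLOYMENT", "source": "GITHUB",
            "payload": {"environment": "production", "conclusion": "success",
                        "runId": run_id, "sha": sha}}

SAMPLE = [
    push_event("a1" * 20, "jane-smith", {"approved": True, "reviewers": ["compliance-officer"]}),
    push_event("b2" * 20, "jane-smith", {"approved": True, "reviewers": ["jane-smith"]}),
    push_event("c3" * 20, "tech-lead", None),
    deploy_event(1001, "a1" * 20), deploy_event(1002, "b2" * 20),
    deploy_event(1003, "c3" * 20), deploy_event(1004, "d4" * 20),
]

if __name__ == "__main__":
    for run_id, reason in unreviewed_production_deploys(SAMPLE):
        print(run_id, reason)
```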

What is not captured

  • Issue comments unrelated to model changes
  • Repository secrets or environment variable values (only names are logged)
  • Private key material or credentials
  • Repository contents beyond file names and commit messages