Reviewing PRs and compiling lists of PRs during audits can take time. One particular scenario is where an administrator uses their privileges to merge across protected brances without peer approval. How do you find these? While the below approach isn't perfect, it can give you some ideas.
When an administrator uses their privileges to override a branch protection rule and merge a pull request, an entry is written to the audit log with the category set to protected_branch and the action set to policy_override. You can search your audit log entries for these types of events by constructing a search query:
action:protected_branch.policy_override which will show events like this:
[user icon] [username] – protected_branch.policy_override Refs/heads/[branchname] was updated despite unsatisfied required status checks because [username] is an admin on [owner]/[repository] [country] [n] [time units] ago Using the Get the audit log for an organization REST API endpoint will show the same event like this:
{
"actor": "[username]",
"@timestamp": 1632132184509,
"org": "[owner]",
"repo": "[owner]/[repository]",
"created_at": 1632132184509,
"action": "protected_branch.policy_override",
"actor_location": {
"country_code": "[2 character country code]"
},
"_document_id": "[unique ID]"
}
The timestamp value in the JSON data comprises the Unix timestamp including microseconds multiplied by 1000.
The web UI shows the name of the branch which was updated but this information is not included in the output from the REST API endpoint, and at this time, neither the web UI nor the REST endpoint includes the pull request number.
The best option I can suggest is to query a repository for pull requests which are closed, and attempt to match the actor and approximate timestamp value against entries in the Audit log.
This should get you a very nice list of PRs you can sample from, or discuss with your administrators.