feat(repos): Add audit logs when auto syncing repositories

Add in audit logs whenever we automatically add, update or disable a repository via webhooks and periodic syncing

Author: wedamija

src/sentry/audit_log/events.py

@@ -384,3 +384,38 @@ def render(self, audit_log_entry: AuditLogEntry) -> str:
         return "updated repository settings for {repository_count} repositories".format(
             repository_count=data.get("repository_count", 0),
         )
+
+
+def _render_repo_event(action: str, audit_log_entry: AuditLogEntry) -> str:
+    data = audit_log_entry.data
+    actor = audit_log_entry.actor_label or "unknown"
+    repo_name = data.get("repo_name", "unknown")
+    source = data.get("source", "")
+    msg = f"{actor} {action} repository {repo_name}"
+    if source:
+        msg += f" (via {source})"
+    return msg
+
+
+class RepoAddedAuditLogEvent(AuditLogEvent):
+    def __init__(self) -> None:
+        super().__init__(event_id=1161, name="REPO_ADDED", api_name="repo.added")
+
+    def render(self, audit_log_entry: AuditLogEntry) -> str:
+        return _render_repo_event("added", audit_log_entry)
+
+
+class RepoDisabledAuditLogEvent(AuditLogEvent):
+    def __init__(self) -> None:
+        super().__init__(event_id=1162, name="REPO_DISABLED", api_name="repo.disabled")
+
+    def render(self, audit_log_entry: AuditLogEntry) -> str:
+        return _render_repo_event("disabled", audit_log_entry)
+
+
+class RepoEnabledAuditLogEvent(AuditLogEvent):
+    def __init__(self) -> None:
+        super().__init__(event_id=1163, name="REPO_ENABLED", api_name="repo.enabled")
+
+    def render(self, audit_log_entry: AuditLogEntry) -> str:
+        return _render_repo_event("enabled", audit_log_entry)

src/sentry/audit_log/register.py

@@ -695,3 +695,6 @@
         template="updated autofix automation settings for {project_count} projects",
     )
 )
+default_manager.add(events.RepoAddedAuditLogEvent())
+default_manager.add(events.RepoDisabledAuditLogEvent())
+default_manager.add(events.RepoEnabledAuditLogEvent())

src/sentry/integrations/github/tasks/sync_repos.py

@@ -21,6 +21,7 @@
     SCMIntegrationInteractionEvent,
     SCMIntegrationInteractionType,
 )
+from sentry.integrations.source_code_management.repo_audit import log_repo_change
 from sentry.organizations.services.organization import organization_service
 from sentry.plugins.providers.integration_repository import (
     RepoExistsError,
@@ -127,8 +128,9 @@ def sync_repos_for_org(organization_integration_id: int) -> None:
             r for r in all_repos if r.status == ObjectStatus.DISABLED and r.external_id
         ]
 
-        sentry_active_ids = {r.external_id for r in active_repos}
-        sentry_disabled_ids = {r.external_id for r in disabled_repos}
+        # external_id is guaranteed non-None by the filter above
+        sentry_active_ids: set[str] = {r.external_id for r in active_repos}  # type: ignore[misc]
+        sentry_disabled_ids: set[str] = {r.external_id for r in disabled_repos}  # type: ignore[misc]
 
         new_ids = github_external_ids - sentry_active_ids - sentry_disabled_ids
         removed_ids = sentry_active_ids - github_external_ids
@@ -171,6 +173,8 @@ def sync_repos_for_org(organization_integration_id: int) -> None:
         if dry_run:
             return
 
+        repo_by_external_id = {r.external_id: r for r in active_repos + disabled_repos}
+
         if new_ids:
             integration_repo_provider = get_integration_repository_provider(integration)
             repo_configs = [
@@ -179,13 +183,23 @@ def sync_repos_for_org(organization_integration_id: int) -> None:
                 if str(repo["id"]) in new_ids
             ]
             if repo_configs:
+                created_repos = []
                 try:
-                    integration_repo_provider.create_repositories(
+                    created_repos = integration_repo_provider.create_repositories(
                         configs=repo_configs, organization=rpc_org
                     )
                 except RepoExistsError:
                     pass
 
+                for repo in created_repos:
+                    log_repo_change(
+                        event_name="REPO_ADDED",
+                        organization_id=organization_id,
+                        repo=repo,
+                        source="repository sync",
+                        provider=integration.provider,
+                    )
+
         if removed_ids:
             repository_service.disable_repositories_by_external_ids(
                 organization_id=organization_id,
@@ -194,13 +208,31 @@ def sync_repos_for_org(organization_integration_id: int) -> None:
                 external_ids=list(removed_ids),
             )
 
+            for eid in removed_ids:
+                repo = repo_by_external_id.get(eid)
+                if repo:
+                    log_repo_change(
+                        event_name="REPO_DISABLED",
+                        organization_id=organization_id,
+                        repo=repo,
+                        source="repository sync",
+                        provider=integration.provider,
+                    )
+
         if restored_ids:
             for repo in disabled_repos:
                 if repo.external_id in restored_ids:
                     repo.status = ObjectStatus.ACTIVE
                     repository_service.update_repository(
                         organization_id=organization_id, update=repo
                     )
+                    log_repo_change(
+                        event_name="REPO_ENABLED",
+                        organization_id=organization_id,
+                        repo=repo,
+                        source="repository sync",
+                        provider=integration.provider,
+                    )
 
 
 @instrumented_task(

src/sentry/integrations/github/tasks/sync_repos_on_install_change.py

@@ -13,6 +13,7 @@
     SCMIntegrationInteractionEvent,
     SCMIntegrationInteractionType,
 )
+from sentry.integrations.source_code_management.repo_audit import log_repo_change
 from sentry.organizations.services.organization import organization_service
 from sentry.organizations.services.organization.model import RpcOrganization
 from sentry.plugins.providers.integration_repository import (
@@ -119,18 +120,48 @@ def _sync_repos_for_org(
                 continue
 
         if repo_configs:
+            created_repos = []
             try:
-                integration_repo_provider.create_repositories(
+                created_repos = integration_repo_provider.create_repositories(
                     configs=repo_configs, organization=rpc_org
                 )
             except RepoExistsError:
                 pass
 
+            for created_repo in created_repos:
+                log_repo_change(
+                    event_name="REPO_ADDED",
+                    organization_id=rpc_org.id,
+                    repo=created_repo,
+                    source="GitHub webhook",
+                    provider=integration.provider,
+                )
+
     if repos_removed:
+        # Look up repos before disabling to get their IDs and names
         external_ids = [str(repo["id"]) for repo in repos_removed]
+        existing_repos = repository_service.get_repositories(
+            organization_id=rpc_org.id,
+            integration_id=integration.id,
+            providers=[provider],
+        )
+        repo_by_eid = {r.external_id: r for r in existing_repos if r.external_id}
+
         repository_service.disable_repositories_by_external_ids(
             organization_id=rpc_org.id,
             integration_id=integration.id,
             provider=provider,
             external_ids=external_ids,
         )
+
+        for repo in repos_removed:
+            eid = str(repo["id"])
+            sentry_repo = repo_by_eid.get(eid)
+            if sentry_repo:
+                log_repo_change(
+                    event_name="REPO_DISABLED",
+                    organization_id=rpc_org.id,
+                    repo=sentry_repo,
+                    source="GitHub webhook",
+                    provider=integration.provider,
+                )

src/sentry/integrations/source_code_management/repo_audit.py

@@ -0,0 +1,23 @@
+"""
+Audit log helpers for repository sync operations.
+"""
+
+from sentry import audit_log
+from sentry.integrations.services.repository.model import RpcRepository
+from sentry.utils.audit import create_system_audit_entry
+
+
+def log_repo_change(
+    *, event_name: str, organization_id: int, repo: RpcRepository, source: str, provider: str
+) -> None:
+    create_system_audit_entry(
+        organization_id=organization_id,
+        target_object=repo.id,
+        event=audit_log.get_event_id(event_name),
+        data={
+            "repo_name": repo.name,
+            "external_id": repo.external_id,
+            "source": source,
+            "provider": provider,
+        },
+    )

src/sentry/plugins/providers/integration_repository.py

@@ -240,13 +240,14 @@ def create_repositories(
         self,
         configs: list[RepositoryInputConfig],
         organization: RpcOrganization,
-    ):
+    ) -> list[RpcRepository]:
         external_id_to_repo_config: dict[str, RepositoryConfig] = {}
         for config in configs:
             result = self.build_repository_config(organization=organization, data=config)
             external_id_to_repo_config[result["external_id"]] = result
 
         repos_to_update: list[RpcRepository] = []
+        created_repos: list[RpcRepository] = []
 
         hidden_repos = repository_service.get_repositories(
             organization_id=organization.id,
@@ -272,6 +273,7 @@ def create_repositories(
                 organization_id=organization.id, create=create_repository
             )
             if new_repository is not None:
+                created_repos.append(new_repository)
                 continue
 
             missing_repos.append(repo_config)
@@ -302,6 +304,8 @@ def create_repositories(
         if missing_repos:
             raise RepoExistsError(repos=missing_repos)
 
+        return created_repos + repos_to_update
+
     def dispatch(self, request: Request, organization, **kwargs):
         try:
             config = self.get_repository_data(organization, request.data)

tests/sentry/integrations/github/tasks/test_sync_repos.py

@@ -4,14 +4,16 @@
 import responses
 from taskbroker_client.retry import RetryTaskError
 
+from sentry import audit_log
 from sentry.constants import ObjectStatus
 from sentry.integrations.github.integration import GitHubIntegrationProvider
 from sentry.integrations.github.tasks.sync_repos import sync_repos_for_org
 from sentry.integrations.models.organization_integration import OrganizationIntegration
+from sentry.models.auditlogentry import AuditLogEntry
 from sentry.models.repository import Repository
 from sentry.silo.base import SiloMode
 from sentry.testutils.cases import IntegrationTestCase
-from sentry.testutils.silo import assume_test_silo_mode, control_silo_test
+from sentry.testutils.silo import assume_test_silo_mode, assume_test_silo_mode_of, control_silo_test
 
 
 @control_silo_test
@@ -60,6 +62,13 @@ def test_creates_new_repos(self, _: MagicMock) -> None:
         assert repos[0].provider == "integrations:github"
         assert repos[1].name == "getsentry/snuba"
 
+        with assume_test_silo_mode_of(AuditLogEntry):
+            entries = AuditLogEntry.objects.filter(
+                organization_id=self.organization.id,
+                event=audit_log.get_event_id("REPO_ADDED"),
+            )
+            assert entries.count() == 2
+
     @responses.activate
     def test_disables_removed_repos(self, _: MagicMock) -> None:
         with assume_test_silo_mode(SiloMode.CELL):
@@ -89,6 +98,16 @@ def test_disables_removed_repos(self, _: MagicMock) -> None:
                 organization_id=self.organization.id, external_id="1"
             ).exists()
 
+        with assume_test_silo_mode_of(AuditLogEntry):
+            assert AuditLogEntry.objects.filter(
+                organization_id=self.organization.id,
+                event=audit_log.get_event_id("REPO_DISABLED"),
+            ).exists()
+            assert AuditLogEntry.objects.filter(
+                organization_id=self.organization.id,
+                event=audit_log.get_event_id("REPO_ADDED"),
+            ).exists()
+
     @responses.activate
     def test_re_enables_restored_repos(self, _: MagicMock) -> None:
         with assume_test_silo_mode(SiloMode.CELL):
@@ -113,6 +132,12 @@ def test_re_enables_restored_repos(self, _: MagicMock) -> None:
             repo.refresh_from_db()
             assert repo.status == ObjectStatus.ACTIVE
 
+        with assume_test_silo_mode_of(AuditLogEntry):
+            assert AuditLogEntry.objects.filter(
+                organization_id=self.organization.id,
+                event=audit_log.get_event_id("REPO_ENABLED"),
+            ).exists()
+
     @responses.activate
     def test_no_changes_needed(self, _: MagicMock) -> None:
         with assume_test_silo_mode(SiloMode.CELL):

tests/sentry/integrations/github/tasks/test_sync_repos_on_install_change.py

@@ -1,14 +1,16 @@
 from unittest.mock import MagicMock, patch
 
+from sentry import audit_log
 from sentry.constants import ObjectStatus
 from sentry.integrations.github.integration import GitHubIntegrationProvider
 from sentry.integrations.github.tasks.sync_repos_on_install_change import (
     sync_repos_on_install_change,
 )
+from sentry.models.auditlogentry import AuditLogEntry
 from sentry.models.repository import Repository
 from sentry.silo.base import SiloMode
 from sentry.testutils.cases import IntegrationTestCase
-from sentry.testutils.silo import assume_test_silo_mode, control_silo_test
+from sentry.testutils.silo import assume_test_silo_mode, assume_test_silo_mode_of, control_silo_test
 
 FEATURE_FLAG = "organizations:github-repo-auto-sync"
 
@@ -50,6 +52,13 @@ def test_repos_added(self, _: MagicMock) -> None:
         assert repos[0].integration_id == self.integration.id
         assert repos[1].name == "getsentry/snuba"
 
+        with assume_test_silo_mode_of(AuditLogEntry):
+            entries = AuditLogEntry.objects.filter(
+                organization_id=self.organization.id,
+                event=audit_log.get_event_id("REPO_ADDED"),
+            )
+            assert entries.count() == 2
+
     def test_repos_removed(self, _: MagicMock) -> None:
         with assume_test_silo_mode(SiloMode.CELL):
             repo = Repository.objects.create(
@@ -74,6 +83,12 @@ def test_repos_removed(self, _: MagicMock) -> None:
             repo.refresh_from_db()
             assert repo.status == ObjectStatus.DISABLED
 
+        with assume_test_silo_mode_of(AuditLogEntry):
+            assert AuditLogEntry.objects.filter(
+                organization_id=self.organization.id,
+                event=audit_log.get_event_id("REPO_DISABLED"),
+            ).exists()
+
     def test_mixed_add_and_remove(self, _: MagicMock) -> None:
         with assume_test_silo_mode(SiloMode.CELL):
             old_repo = Repository.objects.create(