backstage
fix: Scaffolder audit Log now includes taskId and createdBy
Hey, I just made a Pull Request!
The auditor log for the scaffolder plugin did not include the taskId as get taskId was not defined in the TaskManager and so was returning undefined.
createdBy was also added to the auditor log to identify who triggered the run as the actor is the scaffolder plugin.
Before
2025-06-02T20:05:53.932Z scaffolder info scaffolder.task
isAuditEvent=true
eventId="task"
severityLevel="medium"
actor={"actorId":"plugin:scaffolder"}
request=undefined
meta={"actionType":"execution",
"taskParameters":{
"recipients":"entity",
"entityRefs":["api:default/wayback-archive"],
"severity":"normal",
"title":"Demo",
"link":"https://backstage.io/"
},
"templateRef":"template:default/notifications-demo"
}
status="initiated"
After
2025-06-11T18:54:02.721Z scaffolder info scaffolder.task
isAuditEvent=true
eventId="task"
severityLevel="medium"
actor={"actorId":"plugin:scaffolder"}
request=undefined
meta={"actionType":"execution",
"taskId":"5a2b0261-230f-4985-9aca-00d9ed6537fd",
"createdBy":"user:development/guest",
"taskParameters":{
"recipients":"entity",
"entityRefs":["api:default/hello-world"],
"severity":"normal",
"title":"Demo",
"link":"https://backstage.io/"
},
"templateRef":"template:default/notifications-demo"
}
status="initiated"
:heavy_check_mark: Checklist
- [x] A changeset describing the change and affected packages. (more info)
- [ ] Added or updated documentation
- [ ] Tests for new functionality and regression tests for bug fixes
- [ ] Screenshots attached (for UI changes)
- [x] All your commits have a
Signed-off-byline in the message. (more info)
Changed Packages
| Package Name | Package Path | Changeset Bump | Current Version |
|---|---|---|---|
| @backstage/plugin-scaffolder-backend | plugins/scaffolder-backend | patch | v2.0.1-next.0 |
![backstage-goalie[bot] avatar](https://avatars.githubusercontent.com/u/72526453?v=4 "Published by a pub.dev verified publisher"){kind=small}
@schultzp2020 shouldn't actor be the correct user here? Is this a bug? :pray:
This is my first pr so forgive me if I am a bit unclear or not fully correct.
When looking at it myself a scaffolder run has two auditor events. The first is here: https://github.com/backstage/backstage/blob/f7e7469944a6cfe3a3aa8a1728dd305d45c2bb7f/plugins/scaffolder-backend/src/service/router.ts#L419-L427 This is when the api request is made and tracks if the task run has been scheduled in the queue/db store. This does have the actor set correctly as the user's ref.
The Second is the one edited in the PR and that is the audit for the actual run. The reason why the actor is the plugin is because the scaffolder run is done in the context of the plugin pulling things from the store to run them and not as a direct consequence of the api request.
I went for the minimum change within the pr and didn't look at it too closely but I think to get the actor to reflect createdBy would require a significant change to the auditor service.
@schultzp2020 shouldn't
actorbe the correct user here? Is this a bug? 🙏
Technically it's a "feature" because of what @LoudShadow pointed out in this comment. Unfortunately the API context and consequently the actor is not available to the Auditor service.
This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
@schultzp2020 Are you able to merge this please.
I'll merge it on Monday to give one last chance for others to give some input. 🙂 cc: @benjdlambert
Thank you for contributing to Backstage! The changes in this pull request will be part of the 1.41.0 release, scheduled for Tue, 15 Jul 2025.