adding updated version with date

Author: joshjohanning

gh-cli/README.md

@@ -492,7 +492,16 @@ In a 1 year block, return the date of the first non-public contribution
 
 See also: [Another example](https://github.com/orgs/community/discussions/24427#discussioncomment-3244093)
 
-## get-enterprise-id.sh
+### get-enterprise-audit-log-for-organization.sh
+
+This queries the [Enterprise audit log API](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise) to specifically return if features have been enabled or disabled in an organization since a given date.
+
+Additional resources:
+
+- [Using the audit log API for your enterprise](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise)
+- [Searching the audit log for your enterprise](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/searching-the-audit-log-for-your-enterprise)
+- [Get the audit log for an enterprise](https://docs.github.com/en/enterprise-cloud@latest/rest/enterprise-admin/audit-log?apiVersion=2022-11-28#get-the-audit-log-for-an-enterprise)
+
 ### get-enterprise-id.sh
 
 Get the enterprise ID used for other GraphQL calls. Use the URL slug of the Enterprise as the input.

gh-cli/get-enterprise-audit-log-for-organization.sh

@@ -1,17 +1,25 @@
 #!/bin/bash
 
+# This queries the Enterprise audit log APIs to specifically return if features have been enabled or disabled in an organization since a given date
+
 if [ -z "$2" ]; then
-  echo "Usage: $0 <enterprise> <org> <optional: actor>"
+  echo "Usage: $0 <enterprise> <org> <date>"
+  echo "Example: ./get-enterprise-audit-log-for-organization.sh avocado-corp joshjohanning-org 2023-09-05"
   exit 1
 fi
 
 enterprise="$1"
 org="$2"
-actor="$3" # this is optional, but adding it can really filter down results
+date="$3"
 
-if [ -z "$actor" ]; then
-  actor_field="-f \"phrase=actor:$actor\""
+# if date is empty, default to yesterdays date
+if [ -z "$date" ]; then
+  date=$(gdate -d "yesterday" +%Y-%m-%d) # if on linux, change from gdate to date
 fi
 
-# we are using JQ to look for when things have specifically been enable[d] or disable[d] at the organization level
-gh api -X GET "/enterprises/$enterprise/audit-log" $actor_field -f per_page=100 | jq --arg org "$org" '.[] | select(.org == $org) | select(.action | test("disable[d]?|enable[d]?")) | {action, actor, org, "@timestamp"} | .["@timestamp"] /= 1000 | .["@timestamp"] |= strftime("%Y-%m-%d %H:%M:%S")'
+# take note of rate limits: Each audit log API endpoint has a rate limit of 1,750 queries per hour for a given combination of user and IP address
+#   - may receive errors and partial results if user does not have admin rights to all organizations / repositories
+
+gh api -X GET --paginate "/enterprises/$enterprise/audit-log" -f "phrase=org:$org+created:>=$date" -f per_page=100 | \
+  sed 's/{"message":"Must have admin rights to Repository.","documentation_url":"https:\/\/docs.github.com\/rest\/enterprise-admin\/audit-log#get-the-audit-log-for-an-enterprise"}/]/g' | \
+  jq '.[] | select(.action | test("disable[d]?|enable[d]?")) | {action, actor, org, "@timestamp"} | .["@timestamp"] /= 1000 | .["@timestamp"] |= strftime("%Y-%m-%d %H:%M:%S")'