How to track “Who edited a workflow” when UI saves files as st2 user? #6368
Replies: 2 comments
There's currently no reliable way of doing this AFAIK. I've created a set of Python actions for git interaction, and every person that pushes flows / scripts to the repository with these actions uses their own tokens, so I have a history of who pushed changes to git. For deployment to prod I just do git clone / git fetch and pack load. Even if the files were not owned by the st2 user, there'd be no reliable way of tracking who changed what, just who did the last change at the time of checking.
I do something similar to fdrab in that all our packs are git repos, which provides pull requests as a gate to merge in a change, with an audit history of who did it. However, rather than manually checking out and cloning the packs, I just have automation that runs
I am working with a StackStorm setup running in Docker, and I need to implement proper auditability for workflow editing. All workflow editing will be performed only through the StackStorm Web UI; no one will edit files through SSH, the CLI, or Git directly.
The main issue I am facing is that when a workflow is saved, the workflow YAML file is written to disk under the st2 system user. Because of this:
- Git version history shows st2 as the author instead of the actual human user.
- The StackStorm API does not log workflow file edits.
- Audit logs only track API calls such as enabling/disabling rules, not workflow content changes.
- There is no workflow edit history or change-tracking endpoint in the API.
- Even if Git is enabled inside the packs directory, it cannot identify who actually edited the workflow, because the OS-level writer is always st2.
I need a reliable way to track:
- Which authenticated StackStorm UI user edited a workflow
- When the workflow was edited
- What workflow was modified
- Optionally, commit the workflow to Git with the correct author
- Store the edit logs externally (for example, in MSSQL)
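Added example, written for this page and not code from StackStorm or from anyone in the thread, showing one way to get the attribution the question asks for: the OS-level writer is always st2, but the save that produced the file write was an authenticated API call, so a file-change event can be correlated with the write call that immediately preceded it and the resulting git commit can carry that user as `--author`. The record fields (`ts`, `user`, `method`, `path`), the `/v1/actions/<pack>.<name>` write path, the `/opt/stackstorm/packs/<pack>/` layout and the 5-second window are all assumptions to be checked against a real st2api audit log; the sample log lines and file events are constructed. It also handles the two cases fdrab's reply warns about: two users saving into the same pack inside one window are reported as ambiguous rather than guessed, and a file change with no preceding API call is flagged as out-of-band.

```python
"""Attribute on-disk workflow writes to the StackStorm user whose API write
call preceded them, then build a git commit naming that user as author.

Added example for this thread, not StackStorm code. Assumed (not verified):
  * st2api request logging can be exported as JSON records with the
    authenticated user, method, path and UTC timestamp; the field names
    ts/user/method/path are invented and must be mapped to the real log.
  * the UI saves a workflow via PUT/POST to /v1/actions/<pack>.<name> and
    the YAML then lands under /opt/stackstorm/packs/<pack>/.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ACTION_WRITE = re.compile(r"^/(?:api/)?v1/actions/(?P<pack>[^./]+)\.(?P<name>[^/]+)$")
PACK_FILE = re.compile(r"^/opt/stackstorm/packs/(?P<pack>[^/]+)/")


@dataclass(frozen=True)
class ApiWrite:
    ts: datetime
    user: str
    pack: str
    name: str


@dataclass(frozen=True)
class Attribution:
    path: str
    ts: datetime
    user: Optional[str]  # None when no single user can honestly be named
    reason: str          # "api", "ambiguous" or "out-of-band"


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_api_writes(lines):
    """Keep only authenticated write calls against the actions API."""
    writes = []
    for line in lines:
        rec = json.loads(line)
        m = ACTION_WRITE.match(rec["path"])
        if rec["method"] in ("PUT", "POST") and m:
            writes.append(ApiWrite(parse_ts(rec["ts"]), rec["user"], m["pack"], m["name"]))
    return writes


def attribute(file_events, api_writes, window=timedelta(seconds=5)):
    """Name the user behind each (path, mtime) file event, or say why not.

    Attributed only when exactly one distinct user made a write call against
    that pack within `window` before the file changed. Several users inside
    one window -> "ambiguous"; no preceding API call -> "out-of-band"
    (SSH, CLI or git edits, which this scheme cannot see).
    """
    results = []
    for path, ts in file_events:
        m = PACK_FILE.match(path)
        pack = m["pack"] if m else None
        users = {w.user for w in api_writes
                 if w.pack == pack and timedelta(0) <= ts - w.ts <= window}
        if len(users) == 1:
            results.append(Attribution(path, ts, users.pop(), "api"))
        elif users:
            results.append(Attribution(path, ts, None, "ambiguous"))
        else:
            results.append(Attribution(path, ts, None, "out-of-band"))
    return results


def git_commit_argv(attribution, email_domain="example.com"):
    """Build (not run) the git command that records the real author.

    --author overrides only the author; the committer stays the account that
    runs the automation (st2), which honestly records how the commit was made.
    Returns None for unattributable writes so the caller never invents an author.
    """
    if attribution.user is None:
        return None
    return ["git", "commit", "--only", attribution.path,
            "--author", f"{attribution.user} <{attribution.user}@{email_domain}>",
            "--date", attribution.ts.isoformat(),
            "-m", f"Workflow edited via StackStorm UI by {attribution.user}"]


# Constructed sample data, not real st2 logs.
API_LOG = [
    '{"ts": "2024-05-01T10:00:00Z", "user": "alice", "method": "PUT", "path": "/v1/actions/examples.deploy"}',
    '{"ts": "2024-05-01T10:00:02Z", "user": "alice", "method": "GET", "path": "/v1/actions/examples.deploy"}',
    '{"ts": "2024-05-01T10:05:00Z", "user": "bob", "method": "PUT", "path": "/v1/actions/examples.deploy"}',
    '{"ts": "2024-05-01T10:05:01Z", "user": "carol", "method": "PUT", "path": "/v1/actions/examples.cleanup"}',
]
FILE_EVENTS = [  # (path, mtime) as an inotify or mtime-polling watcher would report them
    ("/opt/stackstorm/packs/examples/actions/workflows/deploy.yaml", parse_ts("2024-05-01T10:00:01Z")),
    ("/opt/stackstorm/packs/examples/actions/workflows/deploy.yaml", parse_ts("2024-05-01T10:05:02Z")),
    ("/opt/stackstorm/packs/examples/actions/workflows/cleanup.yaml", parse_ts("2024-05-01T10:30:00Z")),
]

if __name__ == "__main__":
    for a in attribute(FILE_EVENTS, parse_api_writes(API_LOG)):
        print(a.reason, a.user, a.path, git_commit_argv(a))
```

The first file event is attributed to alice, the second is ambiguous because bob and carol both wrote to the `examples` pack within the window, and the third has no matching API call and is reported as out-of-band. Only the attributed case yields a commit command; the other two should be committed under a review marker or pushed to an external store (the MSSQL table the question mentions) for a human to resolve, since a timing-based correlation is a heuristic, not proof of authorship.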