Capture Release actions in the audit log page - download external artifacts
Problem to solve
For Release Governance, one needs to be able to see what events and actions have been rendered against a release. In #26016 (closed), we added the capability to create and edit releases, add evidence and additional artifacts to the release via API. Audit logs currently only log downloading the source code.
This issue addresses expanding the audit logs to include the following event:
- download external artifacts
Intended users
Primary use cases for auditing release events include:
- Tracking when and who created a release from GitLab after a deployment has occurred
- Surfacing records of evidence attached to releases upon request from an auditing firm in the download
- Reviewing the content of edits to a release, and who made them, in a retrospective
Proposal
These audit actions will be implemented, based on the example Release screenshot.
- <name of release> = "New Release"
- <release number> = 'v0.3'
Using the screenshot above, can we confirm we need these audit events created:
Download external artifacts
Do we want to have an additional audit event triggered when external artifacts are downloaded, i.e. the existing audit for project code and a new audit for external resources? In the example release screenshot above, this would be the "an external file" (external source) link. If so, it could look like this:
| Author | Action | Target | At |
|---|---|---|---|
| Orit Golowinski | Repository External Resource Download Started | an external file | 2019-10-16 16:26:50 UTC |
- Create a new API endpoint to track the downloads
- Front-end would have a pass-through link that would be followed but also register the download
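
The pass-through link proposed above, as an added example in plain Ruby (not GitLab's own code): it records the audit row from the table and then redirects. The class name, the in-memory link store, the status codes and the sample URLs are assumptions made for illustration.

```ruby
require 'uri'

# Hypothetical stand-ins for illustration; not GitLab's models or routes.
AuditEvent = Struct.new(:author, :action, :target, :at)

class ExternalArtifactPassThrough
  ACTION = 'Repository External Resource Download Started'

  attr_reader :events

  # links: { link_id => { name: String, url: String } } as stored with the release
  def initialize(links)
    @links = links
    @events = []
  end

  # Handles a click on the pass-through link and returns [status, headers].
  # The destination is read from the stored release link, never from a
  # request parameter, so the endpoint cannot be steered to arbitrary URLs.
  def follow(link_id, author, now: Time.now.utc)
    link = @links[link_id]
    return [404, {}] if link.nil?
    return [422, {}] unless http_url?(link[:url])

    # Record before redirecting: the server only sees that the download
    # started; the transfer itself happens on the external host.
    @events << AuditEvent.new(author, ACTION, link[:name],
                              now.strftime('%Y-%m-%d %H:%M:%S UTC'))
    [302, { 'Location' => link[:url] }]
  end

  private

  # Assumed policy: only absolute http(s) links may be followed.
  def http_url?(url)
    uri = URI.parse(url)
    uri.is_a?(URI::HTTP) && !uri.host.nil? # URI::HTTPS subclasses URI::HTTP
  rescue URI::InvalidURIError
    false
  end
end

# Constructed sample data mirroring the table in the issue.
LINKS = {
  1 => { name: 'an external file', url: 'https://downloads.example.com/file.zip' },
  2 => { name: 'local file', url: 'file:///tmp/report.txt' }
}.freeze
```

Rejected and unknown links produce no audit row, so every "Download Started" entry corresponds to a redirect that was actually issued.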
Future:
- Delete a Release (gitlab-foss#58549 (closed))
- Create a Release via UI (#32812 (closed))
- Add Assets/Artifacts (#36133 (closed))
- Add package
Permissions and Security
- Changes to audit logs should follow the normal access/permissions of Audit Logs at GitLab
- Downloads of audit logs should follow the normal access/permissions of Audit Logs at GitLab
- Guests/non-GitLab users should not be able to download, edit, or change audit logs
Documentation
- Audit Events Documentation - for audit events permissions and implementation
- Log System Documentation - Administration of Audit Logs
Testing
- For the edit release item, we would want to make sure we capture what was edited in the release, if we do not already
- The information captured should be logged and then downloadable
- This audit log content needs to be view only by all users, with edit log permissions following the audit log permission structure
What does success look like, and how can we measure that?
- The usage of this feature will be related to the downloads of the audit logs, so we should see an increase in audit log downloads for releases when these items are added
- % increase in MAU for release audit logs
Links / references
- #121 (closed) - this API might be leveraged for this issue

