
Capture Release actions in the audit log page

Problem to solve

For Release Governance, one needs to be able to see what events and actions have been performed against a release. In #26016 (closed), we added the capability to create and edit releases, and to add evidence and additional artifacts to the release via API. Audit logs currently only log downloading the source code. This issue proposes expanding the audit logs to include the following events:

  • create release
  • create release with milestones
  • edit release event
  • download artifacts in release
  • milestone was associated with release

Intended users

Primary use cases for auditing release events include:

  • Tracking when and who created a release from GitLab after a deployment has occurred
  • Surfacing records of evidence attached to releases upon request from an auditing firm in the download
  • Reviewing the content of edits to a release, and who made them, in a retrospective

Proposal

These audit actions will be implemented, based on the example Release screenshot.

  • <name of release> = "New Release"
  • <release number> = 'v0.3'

[Screenshot: Screenshot_2019-12-30_at_17.53.00]

Using the screenshot above, can we confirm we need these audit events created:

Create

When a Release is created (via an API call only, at present), Milestone(s) can be optionally associated. There are different messages in the Audit log for Releases created with/without Milestones.

Without milestone at create

| Author | Action | Target | At |
|---|---|---|---|
| <editor> | Created Release <release number> | <name of release> | <timestamp> |

With milestones at create

| Author | Action | Target | At |
|---|---|---|---|
| <editor> | Created Release <release number> with milestones <milestone>, <milestone> | <name of release> | <timestamp> |

Update

| Author | Action | Target | At |
|---|---|---|---|
| <editor> | Updated Release <release number> | <name of release> | <timestamp> |

  • triggered by a change of the release name or description via the UI or API

Release - Milestone association change

| Author | Action | Target | At |
|---|---|---|---|
| <editor> | Milestones associated with release changed to <milestone>, <milestone>, ... <milestone> | <name of release> | <timestamp> |

  • triggered by a milestone being added to or removed from release (via API only)
  • see also #29020 (closed)
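
The Create, Update and Milestone association rules above, derived from a release's before/after state. This is an added example, not GitLab's implementation: Release, AuditRow, audit_rows_for and milestone_list are hypothetical names, and the "[none]" marker for an emptied milestone list is an assumption the proposal does not specify.

```ruby
# Added illustration: derive the proposed audit-log rows from a release's
# before/after state. All names here are hypothetical, not GitLab classes.
Release  = Struct.new(:tag, :name, :description, :milestones, keyword_init: true)
AuditRow = Struct.new(:author, :action, :target, :at, keyword_init: true)

# Assumption: the proposal does not say what to log when the last milestone
# is removed, so an explicit "[none]" marker is used.
def milestone_list(milestones)
  milestones.empty? ? "[none]" : milestones.join(", ")
end

# before == nil means the release was just created.
def audit_rows_for(author:, before:, after:, at: Time.now.utc)
  row = ->(action) { AuditRow.new(author: author, action: action, target: after.name, at: at) }
  if before.nil?
    action = "Created Release #{after.tag}"
    action += " with milestones #{milestone_list(after.milestones)}" unless after.milestones.empty?
    return [row.call(action)]
  end

  rows = []
  # "Updated" is triggered only by a name or description change.
  if before.name != after.name || before.description != after.description
    rows << row.call("Updated Release #{after.tag}")
  end
  # Associations are compared order-insensitively, so reordering logs nothing.
  if before.milestones.sort != after.milestones.sort
    rows << row.call("Milestones associated with release changed to #{milestone_list(after.milestones)}")
  end
  rows
end

# Constructed sample data based on the page's example release.
v1 = Release.new(tag: "v0.3", name: "New Release", description: "first", milestones: [])
v2 = Release.new(tag: "v0.3", name: "New Release", description: "edited", milestones: ["12.7", "12.8"])
audit_rows_for(author: "editor", before: nil, after: v1).each { |r| puts r.to_h }
audit_rows_for(author: "editor", before: v1, after: v2).each { |r| puts r.to_h }
```

A single edit that changes both the description and the milestones yields two rows, and an edit that changes nothing yields none.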

Download artifacts

| Author | Action | Target | At |
|---|---|---|---|
| Orit Golowinski | Repository Download Started | ogolowinski/testing-project | 2019-10-16 16:26:50 UTC |

  • Already supported

Future:

Permissions and Security

  • Changes to audit logs should follow the normal access/permissions of Audit Logs at GitLab
  • Downloads of audit logs should follow the normal access/permissions of Audit Logs at GitLab
  • Guests/non-GitLab users should not be able to download, edit, or change audit logs

Documentation

Testing

  • For the edit release item, we would want to make sure we capture what was edited in the release if we do not already - the information captured should be logged and then be available for download
  • This audit log content needs to be view-only for all users, with edit log permissions following the audit log permission structure

What does success look like, and how can we measure that?

  • The usage of this feature will be related to the downloads of the audit logs, so we should see an increase in audit log downloads for releases when these items are added
  • % increase in MAU for release audit logs

Links / references

Edited by Sean Carroll