Capture Release actions in the audit log page
Problem to solve
For Release Governance, one needs to be able to see what events and actions have been rendered against a release. In #26016 (closed), we added the capability to create and edit releases, add evidence and additional artifacts to the release via API. Audit logs currently only log downloading the source code.
This issue is to address expanding the audit logs to include events:
- create release with milestones
- edit release event
- download artifacts in release
- milestone was associated with release
Primary use cases for auditing release events include:
- Tracking when and who created a release from GitLab after a deployment has occurred
- Surfacing records of evidence attached to releases upon request from an auditing firm in the download
- Reviewing content of edits with who made the edits to a release in a retrospective
These audit actions will be implemented, based on the example Release screenshot.
<name of release>= "New Release"
<release number>= 'v0.3'
Using the screenshot above, can we confirm we need these audit events created:
When a Release is created (via an API call only, at present), Milestone(s) can be optionally associated. There are different messages in the Audit log for Releases created with/without Milestones.
Without milestone at create
With milestones at create
- triggered by a change of the release name or description via the UI or API
Release - Milestone association change
||Milestones associated with release changed to
- triggered by a milestone being added to or removed from release (via API only)
- see also #29020 (closed)
| Orit Golowinski | Repository Download Started | ogolowinski/testing-project | 2019-10-16 16:26:50 UTC |
- Already supported
- Download external artifacts
- [Delete a Release] (gitlab-foss#58549 (closed))
- [Create a Release via UI] (#32812 (closed))
- [Add Assets/Artifacts] (#36133 (closed))
- [Add package]
Permissions and Security
- Changes to audit logs should follow the normal access/permissions of Audit Logs at GitLab
- Downloads of audit logs should follow the normal access/permissions of Audit Logs at GitLab
- Guests/non-GitLab users should not be able to download, edit, or change audit logs
- Audit Events Documentation - for audit events permissions and implementation
- Log System Documentation - Administrations of Audit Logs
- For the edit release item, we would want to make sure we capture what was edited in the release if we do not already - the information captured should be logged and then download capable
- This audit log content needs to be view only by all users, with edit log permissions following the audit log permission structure
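One way to model the release events listed in this issue, including the requirement to capture what was edited, as an added example that is not GitLab's code. The `ReleaseAuditor` class, the action names, and the record fields are assumptions made for illustration.

```ruby
# Added example with hypothetical names; not GitLab's AuditEvent implementation.
AuditEntry = Struct.new(:author, :action, :target, :details, :at, keyword_init: true)

class ReleaseAuditor
  AUDITED_FIELDS = %i[name description].freeze # edits the issue wants captured
  attr_reader :entries

  def initialize
    @entries = []
  end

  # Distinct actions for releases created with and without milestones.
  def release_created(author:, release:)
    milestones = Array(release[:milestones])
    action = milestones.empty? ? :release_created : :release_created_with_milestones
    record(author, action, release, milestones: milestones)
  end

  # Emits an edit event only if name/description changed (keeping old and new
  # values) and a separate event when the milestone association changed.
  def release_updated(author:, before:, after:)
    changes = AUDITED_FIELDS.each_with_object({}) do |field, acc|
      acc[field] = { from: before[field], to: after[field] } if before[field] != after[field]
    end
    record(author, :release_updated, after, changes: changes) unless changes.empty?
    old_ms, new_ms = [before, after].map { |r| Array(r[:milestones]).sort }
    return if old_ms == new_ms
    record(author, :release_milestones_changed, after,
           added: new_ms - old_ms, removed: old_ms - new_ms)
  end

  private
  # Entries are frozen on write so later code cannot rewrite the trail.
  def record(author, action, release, **details)
    @entries << AuditEntry.new(author: author, action: action, target: release[:tag],
                               details: details.freeze, at: Time.now.utc).freeze
    @entries.last
  end
end

# Constructed sample data, reusing the release name and tag from the issue.
def demo_trail
  v1 = { tag: "v0.3", name: "New Release", description: "first cut", milestones: [] }
  v2 = v1.merge(description: "first cut, with notes", milestones: ["12.5"])
  auditor = ReleaseAuditor.new
  auditor.release_created(author: "example-user", release: v1)
  auditor.release_updated(author: "example-user", before: v1, after: v2)
  auditor.entries
end
```

Storing old and new field values in the entry is what makes the retrospective use case possible, but it also copies release descriptions into the audit log, so the log's own access rules apply to that content.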
What does success look like, and how can we measure that?
- The usage of this feature will be related to the downloads of the audit logs, so we should see an increase in audit log downloads for releases when these items are added
- % increase in MAU for release audit logs
Links / references
- #121 (closed) - this API might be leveraged for this issue