Send audit event for packages creation

Context

GitLab provides audit events which allow users to track a variety of different actions within GitLab. In Add the Package Registry to the list of audited... (#329588 - closed), it was proposed to implement audit events for the package registry. The scope of the implementation is detailed in this comment. This MR is the 1st part of the implementation: Add audit logs for Package publishing.

What does this MR do and why?

  • When a package of any format is published to the package registry, an audit event is created. Audit events are a GitLab Premium feature, so the code is added to the ee folder.

  • Instead of hooking into each package format creation flow to send the audit event, we preferred to centralise the logic in a model after_commit callback.

  • The audit events are saved on the direct parent group. So when a package is published in a project, the event will be available/visible in the parent group of the project. In case the project doesn't have a parent group (belongs to a user namespace), the events will be available in the project.

  • The feature is behind a WIP feature flag package_registry_audit_events, so that we can add the rest of the implementation behind the same feature flag.

  • The implementation is guided by this documentation page: https://docs.gitlab.com/ee/development/audit_event_guide/#how-to-instrument-new-audit-events

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Make sure the feature flag package_registry_audit_events is enabled.
  2. Make sure your GDK has an enterprise license: https://gitlab.com/gitlab-org/gitlab-development-kit/blob/main/doc/index.md#use-gitlab-enterprise-features
  3. Publish different package formats and then navigate to their group audit events page in the UI. Each published/created package should have an audit event on the page.
    • This tool can be handy to help publish different package formats.

Related to #329588 (closed)

Edited by Moaz Khalifa
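
The design described in this MR (one model-level hook for all package formats, events scoped to the parent group or else the project, everything gated by the feature flag) can be sketched in plain Ruby. This is an added illustration, not code from the MR or from GitLab: every class, method and the event name below are hypothetical stand-ins, and `save!` only simulates a commit.

```ruby
# Added illustration in plain Ruby (no Rails). All names are hypothetical
# stand-ins for the design in the description, not GitLab's classes.
Namespace  = Struct.new(:name, :kind)            # kind is :group or :user
Project    = Struct.new(:name, :namespace)
AuditEvent = Struct.new(:name, :scope, :target, :message)

FEATURE_FLAGS = { package_registry_audit_events: true }
AUDIT_LOG = []

# Scope rule from the description: the direct parent group when there is one,
# otherwise (project in a user namespace) the project itself.
def audit_scope_for(project)
  project.namespace.kind == :group ? project.namespace : project
end

class Package
  attr_reader :name, :package_format, :project

  def initialize(name:, package_format:, project:)
    @name = name
    @package_format = package_format
    @project = project
  end

  # Stand-in for persisting the record. Every format's publish flow ends here,
  # so the audit hook is attached once instead of once per format.
  def save!
    after_commit_on_create
    self
  end

  private

  # Simulates a model after_commit callback: runs once the write has succeeded.
  def after_commit_on_create
    return unless FEATURE_FLAGS[:package_registry_audit_events]

    AUDIT_LOG << AuditEvent.new(
      'example_package_published', # constructed event name
      audit_scope_for(project), self,
      "#{package_format} package #{name} published"
    )
  end
end

# Hypothetical per-format entry point; it never mentions auditing itself.
def publish(project, package_format, name)
  Package.new(name: name, package_format: package_format, project: project).save!
end
```

Because the publish paths never call the audit code directly, a newly added format is covered as long as it creates the model record, which is the property the local validation steps check from the UI.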
