## Problem to solve Currently, there is limited traceability for a user downloading a CI artifact within GitLab. In scenarios where a user needs to, or choose to, download an artifact, an organization would be unable to prove who did so at any point in time which creates a gap in their traceability posture. ## Use Case > Within their CI/CD process, they compile their code down to a "desired file" which is then consumed by a field engineer. This field engineer would download this "desired file" which is then installed on customer sites. > Although there is not an auditable solution at the time, the UX workflow they are considering is to use the release-cli in their CI/CD process, create a release artifact that includes a link pointed to download the compiled file. The field engineer would visit the releases page of the project and download the desired file from there. > what if that "desired file" was marked as a `never_expire` artifact and then logged for each download? ## Proposal Add an audit event for CI artifact downloads | Author | Object | Action | Target | IP Address | Date | | ------ | ------ | ------ | ------ | ------ | ------ | | Daffy Duck | `pipeline_id/job_id` | Downloaded `artifact` (expiration: `never`) | `pipeline_id/job_id` | 127.0.0.1 | 2020-07-15 00:03:53 |