Add audit event for downloading CI artifacts
Problem to solve
Currently, there is limited traceability for a user downloading a CI artifact within GitLab. In scenarios where a user needs to, or chooses to, download an artifact, an organization is unable to prove who did so at any point in time, which creates a gap in its traceability posture.
Use Case
Within their CI/CD process, they compile their code down to a "desired file" which is then consumed by a field engineer. This field engineer would download this "desired file" which is then installed on customer sites.
Although there is no auditable solution at this time, the UX workflow they are considering is to use the release-cli in their CI/CD process to create a release artifact that includes a link to download the compiled file. The field engineer would visit the releases page of the project and download the desired file from there.
What if that "desired file" was marked as a `never_expire` artifact and then logged for each download?
Proposal
Add an audit event for CI artifact downloads
Author | Object | Action | Target | IP Address | Date |
---|---|---|---|---|---|
Daffy Duck | pipeline_id/job_id | Downloaded artifact (expiration: never) | pipeline_id/job_id | 127.0.0.1 | 2020-07-15 00:03:53 |