Capture Release actions in the audit log page
Problem to solve
For Release Governance, one needs to be able to see what events and actions have been rendered against a release. In #26016 (closed), we added the capability to create and edit releases, add evidence and additional artifacts to the release via API. Audit logs currently only log downloading the source code.
This issue is to address expanding the audit logs to include these events:
- create release
- create release with milestones
- edit release event
- download artifacts in release
- milestone was associated with release
Intended users
Primary use cases for auditing release events include:
- Tracking when and who created a release from GitLab after a deployment has occurred
- Surfacing records of evidence attached to releases upon request from an auditing firm in the download
- Reviewing content of edits with who made the edits to a release in a retrospective
Proposal
These audit actions will be implemented, based on the example Release screenshot.
- <name of release> = "New Release"
- <release number> = 'v0.3'
Using the screenshot above, can we confirm we need these audit events created:
Create
When a Release is created (via an API call only, at present), Milestone(s) can be optionally associated. There are different messages in the Audit log for Releases created with/without Milestones.
Without milestone at create
Author | Action | Target | At |
---|---|---|---|
<editor> | Created Release <release number> | <name of release> | <timestamp> |
With milestones at create
Author | Action | Target | At |
---|---|---|---|
<editor> | Created Release <release number> with milestones <milestone>, <milestone> | <name of release> | <timestamp> |
Update
Author | Action | Target | At |
---|---|---|---|
<editor> | Updated Release <release number> | <name of release> | <timestamp> |
- triggered by a change of the release name or description via the UI or API
Release - Milestone association change
Author | Action | Target | At |
---|---|---|---|
<editor> | Milestones associated with release changed to <milestone>, <milestone>, ... <milestone> | <name of release> | <timestamp> |
- triggered by a milestone being added to or removed from release (via API only)
- see also #29020 (closed)
Download artifacts
Author | Action | Target | At |
---|---|---|---|
Orit Golowinski | Repository Download Started | ogolowinski/testing-project | 2019-10-16 16:26:50 UTC |
- Already supported
Future:
- Download external artifacts
- Delete a Release (gitlab-foss#58549 (closed))
- Create a Release via UI (#32812 (closed))
- Add Assets/Artifacts (#36133 (closed))
- Add package
Permissions and Security
- Changes to audit logs should follow the normal access/permissions of Audit Logs at GitLab
- Downloads of audit logs should follow the normal access/permissions of Audit Logs at GitLab
- Guests/non-GitLab users should not be able to download, edit, or change audit logs
Documentation
- Audit Events Documentation - for audit events permissions and implementation
- Log System Documentation - Administration of Audit Logs
Testing
- For the edit release item, we would want to make sure we capture what was edited in the release if we do not already
- The information captured should be logged and then download capable
- This audit log content needs to be view only by all users, with edit log permissions following the audit log permission structure
What does success look like, and how can we measure that?
- The usage of this feature will be related to the downloads of the audit logs, so we should see an increase in audit log downloads for releases when these items are added
- % increase in MAU for release audit logs
Links / references
- #121 (closed) - this API might be leveraged for this issue
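
The create, update, and milestone-association rows specified in the Proposal section can be derived by comparing a release's state before and after a change. The following is an added sketch, not part of the original issue and not GitLab's code; `Release`, `AuditRow`, and `release_audit_rows` are hypothetical names, and the sample values are constructed.

```ruby
# Added sketch; Release, AuditRow and release_audit_rows are hypothetical
# names for illustration, not GitLab models or APIs.
Release  = Struct.new(:tag, :name, :description, :milestones, keyword_init: true)
AuditRow = Struct.new(:author, :action, :target, :at, keyword_init: true)

# Compare release state before and after a change and return the audit rows
# the proposal calls for. `before` is nil when the release is being created.
def release_audit_rows(author:, before:, after:, at: Time.now.utc)
  # Assumption: Target is the release name as it stands after the change.
  row = ->(action) { AuditRow.new(author: author, action: action, target: after.name, at: at) }
  after_ms = after.milestones.uniq

  if before.nil?
    action = "Created Release #{after.tag}"
    action += " with milestones #{after_ms.join(', ')}" unless after_ms.empty?
    return [row.call(action)]
  end

  rows = []
  # A change of name or description triggers the "Updated Release" row.
  if before.name != after.name || before.description != after.description
    rows << row.call("Updated Release #{after.tag}")
  end
  # Compare milestones as sets so a reorder alone is not logged as a change.
  if before.milestones.uniq.sort != after_ms.sort
    # Assumption: the issue gives no wording for "all milestones removed".
    list = after_ms.empty? ? '[none]' : after_ms.join(', ')
    rows << row.call("Milestones associated with release changed to #{list}")
  end
  rows
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data using the values from the proposal's screenshot.
  v1 = Release.new(tag: 'v0.3', name: 'New Release', description: 'first cut', milestones: [])
  v2 = Release.new(tag: 'v0.3', name: 'New Release', description: 'notes added', milestones: ['12.5'])
  (release_audit_rows(author: 'editor', before: nil, after: v1) +
   release_audit_rows(author: 'editor', before: v1, after: v2)).each do |r|
    puts [r.author, r.action, r.target, r.at].join(' | ')
  end
end
```

A single edit that changes both the description and the milestone set yields two rows, matching the separate Update and Release - Milestone association change tables.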