diff --git a/app/graphql/mutations/ci/job_token_scope/autopopulate_allowlist.rb b/app/graphql/mutations/ci/job_token_scope/autopopulate_allowlist.rb
index 202d153e9d018a4c5627b5d5af280e068e7f3432..7172128d410d4cc79edf3c0750411511daa66387 100644
--- a/app/graphql/mutations/ci/job_token_scope/autopopulate_allowlist.rb
+++ b/app/graphql/mutations/ci/job_token_scope/autopopulate_allowlist.rb
@@ -7,6 +7,7 @@ class AutopopulateAllowlist < BaseMutation
 graphql_name 'CiJobTokenScopeAutopopulateAllowlist'
 include FindsProject
+ include Gitlab::InternalEventsTracking
 authorize :admin_project
@@ -22,6 +23,15 @@ class AutopopulateAllowlist < BaseMutation
 def resolve(project_path:)
 project = authorized_find!(project_path)
+ track_internal_event(
+ 'ci_job_token_autopopulate_allowlist',
+ user: current_user,
+ project: project,
+ additional_properties: {
+ label: 'ui'
+ }
+ )
+
 result = ::Ci::JobToken::ClearAutopopulatedAllowlistService.new(project, current_user).execute
 result = ::Ci::JobToken::AutopopulateAllowlistService.new(project, current_user).execute if result.success?
diff --git a/app/models/ci/job_token/allowlist_migration_task.rb b/app/models/ci/job_token/allowlist_migration_task.rb
index 33b3d20b300e4d608170cb6acb7929656e860d4d..d974ab4120f205e13ca84a9930167dd3fb430314 100644
--- a/app/models/ci/job_token/allowlist_migration_task.rb
+++ b/app/models/ci/job_token/allowlist_migration_task.rb
@@ -4,6 +4,7 @@ module Ci
 module JobToken
 class AllowlistMigrationTask
 include Gitlab::Utils::StrongMemoize
+ include Gitlab::InternalEventsTracking
 attr_reader :only_ids, :exclude_ids
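Review bot: In `resolve`, `track_internal_event` runs before `ClearAutopopulatedAllowlistService` and `AutopopulateAllowlistService` execute, so an attempt whose clear or autopopulate step returns an error is still counted in `counts.count_total_allowlist_autopopulation`. If the metric is meant to reflect allowlist changes that actually took effect, move the call below the two service calls and guard it, e.g. `track_internal_event(...) if result.success?`. The same ordering applies to `perform_migration!` in allowlist_migration_task.rb, where the event fires before `unsafe_execute!`. The hard-coded `label: 'ui'` also tags every caller of this GraphQL mutation as UI, including direct API clients; a comment such as `# 'ui' covers any GraphQL caller of this mutation` would keep the metric from being misread. The rest of `resolve` lies outside the hunk.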
@@ -77,6 +78,14 @@ def log_error(project, message)
 end
 def perform_migration!(project)
+ track_internal_event(
+ 'ci_job_token_autopopulate_allowlist',
+ user: @user,
+ project: project,
+ additional_properties: {
+ label: 'rake'
+ }
+ )
 ::Ci::JobToken::AutopopulateAllowlistService # rubocop:disable CodeReuse/ServiceClass -- This class is not an ActiveRecord model
 .new(project, @user)
 .unsafe_execute!
diff --git a/config/events/ci_job_token_autopopulate_allowlist.yml b/config/events/ci_job_token_autopopulate_allowlist.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5f22206905840bf5b824759ed67ffc8927d090dd
--- /dev/null
+++ b/config/events/ci_job_token_autopopulate_allowlist.yml
@@ -0,0 +1,20 @@
+---
+description: Tracks when the CI JobToken Allowlist Autopopulation action is performed for a project
+internal_events: true
+action: ci_job_token_autopopulate_allowlist
+identifiers:
+- project
+- namespace
+- user
+additional_properties:
+ label:
+ description: The method of execution, e.g. UI or rake task
+product_group: pipeline_security
+product_categories:
+- secrets_management
+milestone: '17.10'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182635
+tiers:
+- free
+- premium
+- ultimate
diff --git a/config/metrics/counts_all/count_total_allowlist_autopopulation.yml b/config/metrics/counts_all/count_total_allowlist_autopopulation.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e2539314d8f6dda10ccf51e435624956f6abb846
--- /dev/null
+++ b/config/metrics/counts_all/count_total_allowlist_autopopulation.yml
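Review bot: The `label` description reads "e.g. UI or rake task", but the two call sites in this commit emit the literal values `ui` and `rake`. Listing the exact values saves anyone filtering on the property from guessing at spelling or case: `description: "The method of execution: 'ui' (GraphQL mutation) or 'rake' (allowlist migration task)"`.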
@@ -0,0 +1,23 @@
+---
+key_path: counts.count_total_allowlist_autopopulation
+description: Count of times the CI JobToken Allowlist Autopopulation action has been performed
+product_group: pipeline_security
+product_categories:
+- secrets_management
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.10'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182635
+time_frame:
+- 28d
+- 7d
+- all
+data_source: internal_events
+data_category: optional
+tiers:
+- free
+- premium
+- ultimate
+events:
+- name: ci_job_token_autopopulate_allowlist
diff --git a/spec/graphql/mutations/ci/job_token_scope/autopopulate_allowlist_spec.rb b/spec/graphql/mutations/ci/job_token_scope/autopopulate_allowlist_spec.rb
index 424d5c8b3fdba32bb05e3ae3d743941cb0752a85..2310f0d1b48b0fb2e9a04b78f4a47134884d3cbf 100644
--- a/spec/graphql/mutations/ci/job_token_scope/autopopulate_allowlist_spec.rb
+++ b/spec/graphql/mutations/ci/job_token_scope/autopopulate_allowlist_spec.rb
@@ -49,6 +49,23 @@
 end.to change { Ci::JobToken::ProjectScopeLink.count }.by(1)
 end
+ it 'triggers the tracking events' do
+ expect do
+ resolver
+ end
+ .to trigger_internal_events('ci_job_token_autopopulate_allowlist')
+ .with(
+ user: current_user,
+ project: project,
+ additional_properties: {
+ label: 'ui'
+ }
+ ).exactly(:once)
+ .and increment_usage_metrics(
+ 'counts.count_total_allowlist_autopopulation'
+ ).by(1)
+ end
+
 context 'when the clear service returns an error' do
 let(:service) { instance_double(::Ci::JobToken::ClearAutopopulatedAllowlistService) }
diff --git a/spec/models/ci/job_token/allowlist_migration_task_spec.rb b/spec/models/ci/job_token/allowlist_migration_task_spec.rb
index d3493d15426dfcb5d1425ecd38083fea1588283c..a80b496d9a2fc912888666b2692c5dcaa0845802 100644
--- a/spec/models/ci/job_token/allowlist_migration_task_spec.rb
+++ b/spec/models/ci/job_token/allowlist_migration_task_spec.rb
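Review bot: The description says the metric counts times the action "has been performed", but in the rake path the event is emitted once per project inside `perform_migration!`, and the model spec expects an increment of 3 for a single `task.execute`. Wording it per project avoids reading the total as a number of runs, e.g. `description: Count of projects for which the CI JobToken Allowlist Autopopulation action has been triggered`.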
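Review bot: The new example covers only the successful path, so nothing pins whether the event should be emitted when the clear service returns an error, which is the context that follows directly. Since `resolve` tracks before calling the services, an example in that context asserting the intended behaviour (`to trigger_internal_events(...)` or `not_to trigger_internal_events(...)`) would make the choice explicit. The same gap exists in allowlist_migration_task_spec.rb for the "when a handled exception is raised" context. The enclosing describe block starts and ends outside the hunk.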
@@ -79,6 +79,7 @@
 messages << "Migration complete."
 task.execute
+
 messages.each do |message|
 expect(output_stream.string).to include(message)
 end
@@ -86,6 +87,39 @@
 expect(output_stream.string).not_to include("project id(s) failed to migrate:")
 end
+ it 'triggers the tracking events' do
+ expect do
+ task.execute
+ end
+ .to trigger_internal_events('ci_job_token_autopopulate_allowlist')
+ .with(
+ user: user,
+ project: accessed_projects[0],
+ additional_properties: {
+ label: 'rake'
+ }
+ ).exactly(:once)
+ .and trigger_internal_events('ci_job_token_autopopulate_allowlist')
+ .with(
+ user: user,
+ project: accessed_projects[1],
+ additional_properties: {
+ label: 'rake'
+ }
+ ).exactly(:once)
+ .and trigger_internal_events('ci_job_token_autopopulate_allowlist')
+ .with(
+ user: user,
+ project: accessed_projects[2],
+ additional_properties: {
+ label: 'rake'
+ }
+ ).exactly(:once)
+ .and increment_usage_metrics(
+ 'counts.count_total_allowlist_autopopulation'
+ ).by(3)
+ end
+
 context "when a handled exception is raised" do
 let(:project) { create(:project) }
 let(:only_ids) { project.id.to_s }