Add usage metrics for protected container repositories and protected/immutable tags

Context

This issue was identified during the Core DevOps Instrumentation Audit (#547656 (closed)). See the full audit report at https://instrumentation-audit-054c5e.gitlab.io/ for additional details.

Problem

Immutable Container Tags (Ultimate, Beta) currently has no instrumentation:

  • No tracking of feature enablement
  • No rule creation metrics
  • No visibility into usage

Impact

  • Cannot validate feature adoption before GA
  • No data for Ultimate tier value proposition
  • Unable to track customer usage patterns

Service Ping Metrics (9 metrics)

Protected Container Repositories:

  • counts.projects_with_container_registry_protection_rules - Count of projects with protection rules
  • counts.container_registry_protection_rules - Total count of rules
  • counts.distinct_top_level_groups_with_container_registry_protection_rules - Count of top-level groups (customers)

Protected Container Tags (mutable):

  • counts.projects_with_container_registry_protected_tag_rules - Count of projects with mutable tag rules
  • counts.container_registry_protected_tag_rules - Total count of mutable tag rules

Immutable Container Tags:

  • counts.projects_with_container_registry_immutable_tag_rules - Count of projects with immutable tag rules
  • counts.container_registry_immutable_tag_rules - Total count of immutable tag rules
  • counts.distinct_top_level_groups_with_container_registry_immutable_tag_rules - Count of top-level groups
  • settings.container_registry_immutable_tag_rules_enabled - Boolean indicating if feature is enabled

Internal Event Tracking

Added event tracking in service classes for rule lifecycle:

  • create_container_repository_protection_rule - Tracked in CreateRuleService
  • delete_container_repository_protection_rule - Tracked in DeleteRuleService
  • create_container_registry_protected_tag_rule - Tracked in CreateTagRuleService (mutable rules)
  • create_container_registry_immutable_tag_rule - Tracked in EE CreateTagRuleService (immutable rules)
  • delete_container_registry_protected_tag_rule - Tracked in DeleteTagRuleService (with rule_type context)

All events include context: project, namespace, user, and additional_properties where relevant.

Edited by Tim Rizzi