Add metrics and event tracking for Protected Container Tags (mutable)

Overview

This MR adds usage metrics and internal event tracking for Protected Container Tags (mutable) feature. This is the second of three MRs to split container registry protection instrumentation into smaller, focused changes.

What's Changed

Metrics Added (CE - tracks usage on Free, Premium, and Ultimate tiers)

Database Metrics (state)

1. counts.projects_with_container_registry_protected_tag_rules

   • Count of distinct projects that have at least one mutable protected container tag rule
   • Instrumentation: CountProjectsWithContainerRegistryProtectedTagRulesMetric

2. counts.container_registry_protected_tag_rules

   • Total count of all mutable protected container tag rules across all projects
   • Instrumentation: CountContainerRegistryProtectedTagRulesMetric

Event-Based Metrics (activity)

3. counts.create_container_registry_protected_tag_rule

   • Count of protected container tag rules created (all-time)
   • Data source: internal_events

4. counts.delete_container_registry_protected_tag_rule

   • Count of protected container tag rules deleted (all-time)
   • Data source: internal_events

5. counts.update_container_registry_protected_tag_rule

   • Count of protected container tag rules updated (all-time)
   • Data source: internal_events

Event Tracking

1. create_container_registry_protected_tag_rule

   • Tracked in ContainerRegistry::Protection::CreateTagRuleService (mutable path)
   • Includes context: project, namespace, user, additional_properties: { rule_type: 'mutable' }

2. delete_container_registry_protected_tag_rule

   • Tracked in ContainerRegistry::Protection::DeleteTagRuleService
   • Includes context: project, namespace, user, additional_properties: { rule_type: 'mutable' | 'immutable' }
   • Note: This event is shared with immutable tag rules; the rule_type context distinguishes between mutable and immutable

3. update_container_registry_protected_tag_rule

   • Tracked in ContainerRegistry::Protection::UpdateTagRuleService
   • Includes context: project, namespace, user, additional_properties: { rule_type: 'mutable' | 'immutable' }

Files Changed

• Metrics: 2 new metric instrumentation classes (CE - in lib/)
• Metric Definitions: 5 new metric YAML files (CE - in config/metrics/)
  • 2 database metrics
  • 3 event-based metrics
• Events: 3 new event YAML definitions
• Service Classes: Added event tracking to CreateTagRuleService, DeleteTagRuleService, and UpdateTagRuleService (mutable path)
• Specs: Added tests for metrics and event tracking (CE - in spec/)

Testing

• ✅ Metric instrumentation specs added
• ✅ Event tracking specs added in service specs
• ✅ All existing tests pass

Database Review

This MR adds two new database metrics for protected container tag rules (mutable). Below are the SQL queries for database review.

Query 1: counts.container_registry_protected_tag_rules

Description: Total count of protected container tag rules (mutable)

SQL Query:

SELECT COUNT("container_registry_protection_tag_rules"."id")
FROM "container_registry_protection_tag_rules"
WHERE NOT ("container_registry_protection_tag_rules"."minimum_access_level_for_push" IS NULL
AND "container_registry_protection_tag_rules"."minimum_access_level_for_delete" IS NULL);

Query Plan: Summary:

• Link: https://postgres.ai/console/gitlab/gitlab-production-main/sessions/45807/commands/140233
• Execution time: 4.711 ms (planning: 0.707 ms, execution: 4.004 ms)
• Uses Sequential Scan on container_registry_protection_tag_rules table
• Found 2831 mutable tag rules in the snapshot
• Very efficient query with minimal I/O

---

Query 2: counts.projects_with_container_registry_protected_tag_rules

Description: Count of distinct projects with protected container tag rules (mutable)

SQL Query:

SELECT COUNT(DISTINCT "container_registry_protection_tag_rules"."project_id")
FROM "container_registry_protection_tag_rules"
WHERE NOT ("container_registry_protection_tag_rules"."minimum_access_level_for_push" IS NULL
AND "container_registry_protection_tag_rules"."minimum_access_level_for_delete" IS NULL);

Query Plan: Summary:

• Link: https://postgres.ai/console/gitlab/gitlab-production-main/sessions/45807/commands/140234
• Execution time: 8.402 ms (planning: 0.594 ms, execution: 7.808 ms)
• Uses Index Only Scan on idx_container_registry_protection_tag_rules_on_min_access_level index
• Found 2831 rows in the snapshot
• Very efficient query using index for the DISTINCT count on project_id

---

Notes

• All metrics use time_frame: all, so they count all records without time constraints
• The queries filter for mutable tag rules only (using the .mutable scope) by excluding rules where both minimum_access_level_for_push and minimum_access_level_for_delete are NULL
• The queries are executed as part of Service Ping collection
• The container_registry_protection_tag_rules table has a foreign key index on project_id which will help with Query 2
• Both queries are simple aggregations that should scale well as the table grows

Related MRs

This MR is part of a series:

• MR 1: Protected Container Repositories - !213721 (diffs)
• MR 2 (this MR): Protected Container Tags (mutable)
• MR 3: Immutable Container Tags - !213725

Feature Information

• Feature: Protected Container Tags (mutable)
• Feature Availability: Free, Premium, Ultimate (CE feature)
• Metrics Tracking: CE (tracks usage on all tiers)
• Product Group: Container Registry
• Product Category: Container Registry