feat(metrics): add v1 of chronos prometheus metrics

.dockerignore

@@ -0,0 +1,13 @@
+target/
+.git/
+.github/
+.codex/
+
+.env
+healthcheck/
+dev/lgtm/runtime-logs/
+
+.DS_Store
+*.iml
+.idea/
+.vscode/

.env.example

@@ -1,11 +1,11 @@
 # WHEN DEVELOPING LOCALLY, WE NEED TO ACCESS THE HOST NETWORK FROM K8S (FOR POSTGRES/KAFKA/ELASTIC/ETC)
-LOCAL_HOST_IP=$(ifconfig en0 | grep inet | grep -v inet6 | awk '{print $2}')
+LOCAL_HOST_IP=127.0.0.1
 
 # RUST version
 RUST_VERSION=stable
 
 # KAFKA
-KAFKA_HOST="localhost\,$LOCAL_HOST_IP"
+KAFKA_HOST="localhost,$LOCAL_HOST_IP"
 KAFKA_PORT="9094"
 KAFKA_CLIENT_ID="chronos"
 KAFKA_GROUP_ID="chronos"

.github/config.json

@@ -0,0 +1,40 @@
+{
+  "repository": {
+    "allow_auto_merge": true,
+    "allow_merge_commit": false,
+    "allow_rebase_merge": true,
+    "allow_squash_merge": true,
+    "delete_branch_on_merge": true,
+    "squash_merge_commit_message": "PR_BODY",
+    "squash_merge_commit_title": "PR_TITLE",
+    "web_commit_signoff_required": false
+  },
+  "actions": {
+    "default_workflow_permissions": "read",
+    "can_approve_pull_request_reviews": false
+  },
+  "branches": {
+    "master": {
+      "protection": {
+        "required_status_checks": {
+          "strict": true,
+          "contexts": [
+            "CI"
+          ]
+        },
+        "enforce_admins": true,
+        "required_pull_request_reviews": {
+          "dismiss_stale_reviews": true,
+          "require_code_owner_reviews": false,
+          "required_approving_review_count": 1
+        },
+        "restrictions": null,
+        "required_linear_history": true,
+        "allow_force_pushes": false,
+        "allow_deletions": false,
+        "block_creations": false,
+        "required_conversation_resolution": true
+      }
+    }
+  }
+}

.github/workflows/CI.yaml

@@ -0,0 +1,33 @@
+name: CI
+
+on:
+  push:
+    branches-ignore:
+      - main
+
+permissions:
+  contents: read
+  security-events: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  pre-commit:
+    uses: ./.github/workflows/pre-commit.yml
+
+  test:
+    uses: ./.github/workflows/test.yml
+
+  weaver-live-check:
+    uses: ./.github/workflows/weaver-live-check.yml
+
+  scan:
+    uses: ./.github/workflows/scan.yml
+
+  build-binary:
+    uses: ./.github/workflows/build-binary.yml
+
+  build-container:
+    uses: ./.github/workflows/build-container.yml

.github/workflows/build-binary.yml

@@ -0,0 +1,37 @@
+name: build-binary
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-build-binary-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-binary:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build binary image stage
+        run: docker build --target builder -f docker/Dockerfile.chronos-slim -t chronos-binary-builder:${{ github.sha }} .
+
+      - name: Extract binary
+        run: |
+          mkdir -p dist
+          container_id="$(docker create chronos-binary-builder:${{ github.sha }})"
+          trap 'docker rm -f "${container_id}" >/dev/null 2>&1 || true' EXIT
+          docker cp "${container_id}:/build/target/release/chronos" dist/chronos-linux-x86_64-alpine
+          chmod 0755 dist/chronos-linux-x86_64-alpine
+
+      - name: Upload binary artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: chronos-linux-x86_64-alpine
+          path: dist/chronos-linux-x86_64-alpine
+          if-no-files-found: error

.github/workflows/build-container.yml

@@ -0,0 +1,25 @@
+name: build-container
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-build-container-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-container:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build regular container
+        run: docker build -f docker/Dockerfile.chronos -t chronos:${{ github.sha }} .
+
+      - name: Build scratch container
+        run: docker build -f docker/Dockerfile.chronos-slim -t chronos-scratch:${{ github.sha }} .

.github/workflows/pre-commit.yml

@@ -0,0 +1,31 @@
+name: pre-commit
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-pre-commit-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: 1.94
+          components: rustfmt,clippy
+
+      - name: Install system dependencies
+        run: scripts/ubuntu-setup.sh
+
+      - name: Run pre-commit checks
+        run: make pre-commit

.github/workflows/release.yml

@@ -25,24 +25,24 @@ jobs:
       if: needs.build.result == 'success'
       steps:
         - name: Checkout the repo
-          uses: actions/checkout@v3
+          uses: actions/checkout@v4
         - name: Login to GitHub Container Registry
-          uses: docker/login-action@v1
+          uses: docker/login-action@v3
           with:
             registry: ghcr.io
             username: ${{ github.actor }}
             password: ${{ secrets.AMN_PAT }}
 
         - name: Build and publish chronos for chronos image with ver
           run: |
-            docker build -f Dockerfile.chronos . --tag ghcr.io/$GITHUB_REPOSITORY:$GITHUB_REF_NAME --tag ghcr.io/$GITHUB_REPOSITORY:latest
-            docker push ghcr.io/$GITHUB_REPOSITORY:$GITHUB_REF_NAME 
+            docker build -f Dockerfile.chronos . --tag "ghcr.io/${GITHUB_REPOSITORY}:${GITHUB_REF_NAME}" --tag "ghcr.io/${GITHUB_REPOSITORY}:latest"
+            docker push "ghcr.io/${GITHUB_REPOSITORY}:${GITHUB_REF_NAME}"
 
         - name: publish chronos latest for chronos image replace latest
           run: |
-            docker push ghcr.io/$GITHUB_REPOSITORY:latest
+            docker push "ghcr.io/${GITHUB_REPOSITORY}:latest"
 
         - name: Build and publish the chronos-pg-migration Docker image
           run: |
-            docker build -f Dockerfile.chronos-pg-migrations . --tag ghcr.io/$GITHUB_REPOSITORY/db-migration:$GITHUB_REF_NAME
-            docker push ghcr.io/$GITHUB_REPOSITORY/db-migration:$GITHUB_REF_NAME
+            docker build -f Dockerfile.chronos-pg-migrations . --tag "ghcr.io/${GITHUB_REPOSITORY}/db-migration:${GITHUB_REF_NAME}"
+            docker push "ghcr.io/${GITHUB_REPOSITORY}/db-migration:${GITHUB_REF_NAME}"

.github/workflows/rust_build.yml

@@ -8,7 +8,7 @@ jobs:
     build:
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v3
+            - uses: actions/checkout@v4
             - uses: dtolnay/rust-toolchain@stable
               with:
                   toolchain: stable
@@ -18,4 +18,4 @@ jobs:
               run: |
                 cargo clean
                 cargo build --release
-            - run: scripts/pre-commit-checks.sh
+            - run: make pre-commit

.github/workflows/sbom.yml

@@ -0,0 +1,72 @@
+name: sbom
+
+on:
+  workflow_call:
+    inputs:
+      target-type:
+        description: Use "container" for an image SBOM or "release" for a filesystem/release artifact SBOM.
+        required: true
+        type: string
+      target-ref:
+        description: Container image reference or release artifact path to scan.
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      target-type:
+        description: Use "container" for an image SBOM or "release" for a filesystem/release artifact SBOM.
+        required: true
+        type: choice
+        options:
+          - container
+          - release
+      target-ref:
+        description: Container image reference or release artifact path to scan.
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-sbom-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Validate inputs
+        run: |
+          case "${{ inputs.target-type }}" in
+            container|release) ;;
+            *) echo "target-type must be container or release" >&2; exit 2 ;;
+          esac
+
+      - name: Generate container SBOM
+        if: inputs.target-type == 'container'
+        uses: aquasecurity/trivy-action@v0.32.0
+        with:
+          scan-type: image
+          scan-ref: ${{ inputs.target-ref }}
+          format: cyclonedx
+          output: chronos-sbom.cdx.json
+
+      - name: Generate release SBOM
+        if: inputs.target-type == 'release'
+        uses: aquasecurity/trivy-action@v0.32.0
+        with:
+          scan-type: fs
+          scan-ref: ${{ inputs.target-ref }}
+          format: cyclonedx
+          output: chronos-sbom.cdx.json
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: chronos-sbom-${{ inputs.target-type }}
+          path: chronos-sbom.cdx.json
+          if-no-files-found: error

.github/workflows/scan.yml

@@ -0,0 +1,43 @@
+name: scan
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+concurrency:
+  group: ${{ github.workflow }}-scan-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: 1.94
+
+      - name: Install system dependencies
+        run: scripts/ubuntu-setup.sh
+
+      - name: Build release binary
+        run: cargo build --release -p chronos_bin
+
+      - name: Scan Rust build output
+        run: |
+          docker run --rm \
+            -v "$PWD:/work:ro" \
+            aquasec/trivy:0.64.1 \
+            fs \
+            --scanners vuln \
+            --severity CRITICAL,HIGH \
+            --ignore-unfixed \
+            --exit-code 1 \
+            /work/target/release/chronos