Merge pull request #60 from chainguard-dev/create-pull-request/patch

jmeridth · web-flow · commit beeb99abbcb8 · 2026-04-13T15:12:23.000-05:00
Export mono/public/terraform-infra-common: refs/heads/main
diff --git a/pkg/httpmetrics/transport.go b/pkg/httpmetrics/transport.go
@@ -32,6 +32,30 @@ const (
 	OriginalTraceHeader   string = "original-traceparent"
 )
 
+// contextKey is an unexported type for context keys in this package, preventing
+// collisions with keys defined in other packages.
+type contextKey string
+
+const (
+	githubAppIDKey          contextKey = "github_app_id"
+	githubInstallationIDKey contextKey = "github_installation_id"
+)
+
+// WithGitHubAppID returns a copy of ctx with the GitHub App ID attached.
+// The transport reads this value to label rate limit metrics with the app
+// that made the request, enabling per-app visibility into quota consumption.
+func WithGitHubAppID(ctx context.Context, appID int64) context.Context {
+	return context.WithValue(ctx, githubAppIDKey, strconv.FormatInt(appID, 10))
+}
+
+// WithGitHubInstallationID returns a copy of ctx with the GitHub installation
+// ID attached. The transport reads this value to label rate limit metrics with
+// the installation that made the request. GitHub enforces rate limits per
+// installation, so this label identifies which (app, org) pair is consuming quota.
+func WithGitHubInstallationID(ctx context.Context, installationID int64) context.Context {
+	return context.WithValue(ctx, githubInstallationIDKey, strconv.FormatInt(installationID, 10))
+}
+
 var (
 	mReqCount = promauto.NewCounterVec(
 		prometheus.CounterOpts{
@@ -283,50 +307,50 @@ var (
 			Name: "github_rate_limit_remaining",
 			Help: "The number of requests remaining in the current rate limit window",
 		},
-		[]string{"resource", "organization"},
+		[]string{"resource", "organization", "app_id", "installation_id"},
 	)
 	mGitHubRateLimit = promauto.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Name: "github_rate_limit",
 			Help: "The number of requests allowed during the rate limit window",
 		},
-		[]string{"resource", "organization"},
+		[]string{"resource", "organization", "app_id", "installation_id"},
 	)
 	mGitHubRateLimitReset = promauto.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Name: "github_rate_limit_reset",
 			Help: "The timestamp at which the current rate limit window resets",
 		},
-		[]string{"resource", "organization"},
+		[]string{"resource", "organization", "app_id", "installation_id"},
 	)
 	mGitHubRateLimitUsed = promauto.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Name: "github_rate_limit_used",
 			Help: "The fraction of the rate limit window used",
 		},
-		[]string{"resource", "organization"},
+		[]string{"resource", "organization", "app_id", "installation_id"},
 	)
 	mGitHubRateLimitTimeToReset = promauto.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Name: "github_rate_limit_time_to_reset",
 			Help: "The number of minutes until the current rate limit window resets",
 		},
-		[]string{"resource", "organization"},
+		[]string{"resource", "organization", "app_id", "installation_id"},
 	)
 	mGitHubRateLimitErrors = promauto.NewCounterVec(
 		prometheus.CounterOpts{
 			Name: "github_rate_limit_errors_total",
 			Help: "GitHub API requests rejected due to rate limiting (403/429 with rate limit headers)",
 		},
-		[]string{"resource", "organization", "service_name", "code", "rate_limit_type"},
+		[]string{"resource", "organization", "app_id", "installation_id", "service_name", "code", "rate_limit_type"},
 	)
 	mGitHubRetryAfterSeconds = promauto.NewHistogramVec(
 		prometheus.HistogramOpts{
 			Name:    "github_retry_after_seconds",
 			Help:    "Retry-After values from GitHub rate limit responses",
 			Buckets: []float64{1, 5, 15, 30, 60, 120, 300, 900, 1800, 3600},
 		},
-		[]string{"organization", "service_name", "rate_limit_type"},
+		[]string{"organization", "app_id", "installation_id", "service_name", "rate_limit_type"},
 	)
 )
 
@@ -368,6 +392,13 @@ func instrumentGitHubRateLimits(next http.RoundTripper) promhttp.RoundTripperFun
 			// Extract organization from the request URL
 			organization := extractOrgFromGitHubURL(r.URL.Path)
 
+			// Read caller-supplied app/installation IDs from the request context.
+			// These are set by callers via WithGitHubAppID and WithGitHubInstallationID.
+			// Empty string when not set — callers that do not set these values produce
+			// time series with app_id="" and installation_id="".
+			appID, _ := r.Context().Value(githubAppIDKey).(string)
+			installationID, _ := r.Context().Value(githubInstallationIDKey).(string)
+
 			val := func(key string) float64 {
 				val := resp.Header.Get(key)
 				if val == "" {
@@ -380,8 +411,10 @@ func instrumentGitHubRateLimits(next http.RoundTripper) promhttp.RoundTripperFun
 				return float64(i)
 			}
 			labels := prometheus.Labels{
-				"resource":     resource,
-				"organization": organization,
+				"resource":        resource,
+				"organization":    organization,
+				"app_id":          appID,
+				"installation_id": installationID,
 			}
 
 			remaining := val("X-RateLimit-Remaining")
@@ -446,6 +479,8 @@ func instrumentGitHubRateLimits(next http.RoundTripper) promhttp.RoundTripperFun
 				mGitHubRateLimitErrors.With(prometheus.Labels{
 					"resource":        resource,
 					"organization":    organization,
+					"app_id":          appID,
+					"installation_id": installationID,
 					"service_name":    env.KnativeServiceName,
 					"code":            strconv.Itoa(resp.StatusCode),
 					"rate_limit_type": rateLimitType,
@@ -456,6 +491,8 @@ func instrumentGitHubRateLimits(next http.RoundTripper) promhttp.RoundTripperFun
 					if seconds, parseErr := strconv.Atoi(retryAfter); parseErr == nil {
 						mGitHubRetryAfterSeconds.With(prometheus.Labels{
 							"organization":    organization,
+							"app_id":          appID,
+							"installation_id": installationID,
 							"service_name":    env.KnativeServiceName,
 							"rate_limit_type": rateLimitType,
 						}).Observe(float64(seconds))
diff --git a/pkg/httpmetrics/transport_test.go b/pkg/httpmetrics/transport_test.go
@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 package httpmetrics
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"net/http"
@@ -123,6 +124,87 @@ func TestTransport_SkipBucketize(t *testing.T) {
 	}
 }
 
+func TestGitHubRateLimitContextLabels(t *testing.T) {
+	// Verify that WithGitHubAppID / WithGitHubInstallationID values are
+	// propagated to the rate limit gauge labels.
+	stub := roundTripFunc(func(_ *http.Request) (*http.Response, error) {
+		return &http.Response{
+			StatusCode: http.StatusOK,
+			Header: http.Header{
+				"X-Ratelimit-Resource":  []string{"core"},
+				"X-Ratelimit-Remaining": []string{"4500"},
+				"X-Ratelimit-Limit":     []string{"5000"},
+				"X-Ratelimit-Reset":     []string{"9999999999"},
+			},
+			Body: http.NoBody,
+		}, nil
+	})
+
+	transport := instrumentGitHubRateLimits(stub)
+
+	ctx := context.Background()
+	ctx = WithGitHubAppID(ctx, 42)
+	ctx = WithGitHubInstallationID(ctx, 1234)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://api.github.com/repos/org/repo/contents/file", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if _, err := transport.RoundTrip(req); err != nil {
+		t.Fatal(err)
+	}
+
+	labels := prometheus.Labels{
+		"resource":        "core",
+		"organization":    "org",
+		"app_id":          "42",
+		"installation_id": "1234",
+	}
+	if got := testutil.ToFloat64(mGitHubRateLimitRemaining.With(labels)); got != 4500 {
+		t.Errorf("github_rate_limit_remaining: got %v, want 4500", got)
+	}
+	if got := testutil.ToFloat64(mGitHubRateLimit.With(labels)); got != 5000 {
+		t.Errorf("github_rate_limit: got %v, want 5000", got)
+	}
+}
+
+func TestGitHubRateLimitContextLabels_NoContext(t *testing.T) {
+	// Callers that do not set context values get empty-string labels — verifies
+	// backward compatibility with existing consumers of the transport.
+	stub := roundTripFunc(func(_ *http.Request) (*http.Response, error) {
+		return &http.Response{
+			StatusCode: http.StatusOK,
+			Header: http.Header{
+				"X-Ratelimit-Resource":  []string{"core"},
+				"X-Ratelimit-Remaining": []string{"3000"},
+				"X-Ratelimit-Limit":     []string{"5000"},
+				"X-Ratelimit-Reset":     []string{"9999999999"},
+			},
+			Body: http.NoBody,
+		}, nil
+	})
+
+	transport := instrumentGitHubRateLimits(stub)
+
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "https://api.github.com/repos/org2/repo/contents/file", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if _, err := transport.RoundTrip(req); err != nil {
+		t.Fatal(err)
+	}
+
+	labels := prometheus.Labels{
+		"resource":        "core",
+		"organization":    "org2",
+		"app_id":          "",
+		"installation_id": "",
+	}
+	if got := testutil.ToFloat64(mGitHubRateLimitRemaining.With(labels)); got != 3000 {
+		t.Errorf("github_rate_limit_remaining: got %v, want 3000", got)
+	}
+}
+
 func TestDockerHubRateLimitParsing(t *testing.T) {
 	// Exercise the actual instrumentDockerHubRateLimit round tripper with a
 	// test server that returns Docker Hub rate limit headers. Before the fix,
