feat: expose metrics for the git commit

[xcoulon]

new HostOperatorCommitGaugeVec and HostOperatorShortCommitGaugeVec metrics
to reflect the current git commit and short commit of the host-operator

the metrics are named sandbox_host_operator_commit and sandbox_host_operator_short_commit
and the relevant label is commit

also, update the tests to assert the value of the metric.

also, deprecated the HostOperatorVersionGaugeVec metric (will be removed
in a future release, once Grafana is updated to support the new metrics)

Signed-off-by: Xavier Coulon xcoulon@redhat.com

Summary by CodeRabbit

• New Features

  • Introduced new Prometheus gauge metrics for enhanced host-operator commit tracking and reporting.
  • Deprecated the existing version gauge metric in favor of dedicated commit-specific gauges for improved monitoring clarity.

• Tests

  • Added test coverage validating the new commit tracking metrics.

• Chores

  • Fixed README formatting.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3a236008-df69-431b-8cb9-569d04527c7f

📥 Commits

Reviewing files that changed from the base of the PR and between 7e5f77f and bdecb4d.

📒 Files selected for processing (1)

• README.adoc

✅ Files skipped from review due to trivial changes (1)

• README.adoc

---

Walkthrough

This pull request refactors the metrics system to replace a single version gauge with two separate Prometheus gauge vectors for host-operator commits. Two new gauges (HostOperatorCommitGaugeVec and HostOperatorShortCommitGaugeVec) are introduced while the existing HostOperatorVersionGaugeVec is deprecated. Corresponding test coverage is added, along with a minor README formatting fix.

Changes

Cohort / File(s)	Summary
Metrics Implementation pkg/metrics/metrics.go, pkg/metrics/metrics_test.go	Added two new public Prometheus gauge vectors for commit tracking, deprecated the existing version gauge, and added test coverage with subtests for each new gauge using current Unix time assertions.
Documentation README.adoc	Added trailing newline to ensure proper file formatting.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: expose metrics for the git commit' directly aligns with the main change: introducing two new Prometheus gauges (HostOperatorCommitGaugeVec and HostOperatorShortCommitGaugeVec) to expose git commit metrics for the host-operator.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan for PR comments

• Generate coding plan

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/metrics/metrics_test.go`:
- Around line 46-71: The test uses float64(time.Minute) as the delta in
assert.InDelta which is nanoseconds (60,000,000,000) while SetToCurrentTime()
and now.Unix() are in seconds; update the delta in both assertions in
TestGitCommitGauge to a seconds value (e.g. use time.Minute.Seconds() or 60.0)
so the comparison between float64(now.Unix()) and
promtestutil.ToFloat64(metrics.HostOperatorCommitGaugeVec.WithLabelValues(...).SetToCurrentTime())/HostOperatorShortCommitGaugeVec
is done with a correct seconds-based tolerance.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2fc176c1-c2a0-4bda-bbc0-f521dc77170a

📥 Commits

Reviewing files that changed from the base of the PR and between 452f707 and 08a2be3.

📒 Files selected for processing (2)

• pkg/metrics/metrics.go
• pkg/metrics/metrics_test.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.govulncheck.yaml:
- Around line 2-13: The suppression entries in .govulncheck.yaml are incorrectly
silencing stdlib CVEs for your active Go version: remove the suppressions for
GO-2026-4601, GO-2026-4602, and GO-2026-4603 unless you also include a toolchain
bump to go1.25.8 or later in the same change; likewise remove the GO-2026-4599
and GO-2026-4600 suppressions which target go1.26.0 because the repo is
currently on go1.24.13 (or update the repo Go version to 1.26 if that upgrade is
intended), and ensure any remaining suppressions include the correct target Go
version and a planned upgrade note.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9c66cefb-bffd-487a-bfc1-7543c2440da2

📥 Commits

Reviewing files that changed from the base of the PR and between 08a2be3 and cd28e3e.

📒 Files selected for processing (1)

• .govulncheck.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Go version declarations =="
rg -n --hidden \
  -g 'go.mod' \
  -g '.github/workflows/*.yml' \
  -g '.github/workflows/*.yaml' \
  -g '**/Dockerfile*' \
  -e '^[[:space:]]*go[[:space:]][0-9]+\.[0-9]+' \
  -e '^[[:space:]]*toolchain[[:space:]]+go[0-9]+\.[0-9]+(\.[0-9]+)?' \
  -e 'go-version:[[:space:]]*["'\'']?[0-9]+\.[0-9]+(\.[0-9]+)?' \
  -e 'golang:[0-9]+\.[0-9]+(\.[0-9]+)?'

echo
echo "== govulncheck config usage =="
rg -n --hidden '\.govulncheck\.yaml|govulncheck'

echo
echo "== Newly added suppressions =="
sed -n '1,20p' .govulncheck.yaml

Repository: codeready-toolchain/host-operator

Length of output: 1393

---

🏁 Script executed:

cat .govulncheck.yaml

Repository: codeready-toolchain/host-operator

Length of output: 1237

---

🏁 Script executed:

# Check if there are any changes to go.mod or toolchain configuration
git diff HEAD~1 go.mod 2>/dev/null | head -50 || echo "No git diff available or go.mod unchanged"

Repository: codeready-toolchain/host-operator

Length of output: 59

---

Don't suppress stdlib CVEs for the currently-used Go version without a corresponding upgrade plan.

This change suppresses three vulnerabilities affecting your current Go version (1.24.13): GO-2026-4601 (net/url), GO-2026-4602 (os), and GO-2026-4603 (html/template), all fixed in go1.25.8+. Suppressing active vulnerabilities keeps vuln scanning green while the vulnerable stdlib remains in production. Either include the toolchain bump to go1.25.8 or later in the same change, or defer these suppressions until the upgrade is merged.

Additionally, GO-2026-4599 and GO-2026-4600 are suppressed for go1.26.0, but the repository is currently on go1.24.13—these suppressions have no effect and should be removed unless a go1.26 upgrade is planned alongside this change.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.govulncheck.yaml around lines 2 - 13, The suppression entries in
.govulncheck.yaml are incorrectly silencing stdlib CVEs for your active Go
version: remove the suppressions for GO-2026-4601, GO-2026-4602, and
GO-2026-4603 unless you also include a toolchain bump to go1.25.8 or later in
the same change; likewise remove the GO-2026-4599 and GO-2026-4600 suppressions
which target go1.26.0 because the repo is currently on go1.24.13 (or update the
repo Go version to 1.26 if that upgrade is intended), and ensure any remaining
suppressions include the correct target Go version and a planned upgrade note.

[mfrancisc]

those should not be needed I think , but there might be other vulnerabilities related to go.1.24.13

[xcoulon]

ok, let me check that

[xcoulon]

removed in bdecb4d
I did not realize that vulns found in go 1.26.0 should not apply for this repository 🤦‍♂️

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, drpaneas, mfrancisc, rajivnathan, xcoulon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [alexeykazakov,mfrancisc,rajivnathan,xcoulon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud