Add GitOps runtime image drift alert

services/posture-check/export-prometheus-textfile.sh

@@ -15,6 +15,51 @@ trap cleanup EXIT
 
 now="$(date +%s)"
 
+emit_gitops_runtime_image_metrics() {
+  cat <<'EOF'
+# HELP homelab_gitops_runtime_image_match Whether a running Compose container uses the image currently declared by its Compose config.
+# TYPE homelab_gitops_runtime_image_match gauge
+EOF
+
+  if ! command -v jq >/dev/null 2>&1; then
+    return
+  fi
+
+  docker ps \
+    --filter label=com.docker.compose.project \
+    --format '{{.Names}}\t{{.Label "com.docker.compose.project"}}\t{{.Label "com.docker.compose.service"}}\t{{.Label "com.docker.compose.project.config_files"}}\t{{.Label "com.docker.compose.project.environment_file"}}' |
+    while IFS="$(printf '\t')" read -r container project service config_files env_file; do
+      [ -n "$container" ] || continue
+      [ -n "$service" ] || continue
+      [ -n "$config_files" ] || continue
+
+      config_file="${config_files%%,*}"
+      [ -f "$config_file" ] || continue
+
+      compose_args=(-f "$config_file")
+      if [ -n "$env_file" ] && [ -f "$env_file" ]; then
+        compose_args+=(--env-file "$env_file")
+      fi
+
+      expected="$(
+        docker compose "${compose_args[@]}" config --format json 2>/dev/null |
+          jq -r --arg service "$service" '.services[$service].image // empty' 2>/dev/null || true
+      )"
+      [ -n "$expected" ] || continue
+
+      running="$(docker inspect -f '{{.Config.Image}}' "$container" 2>/dev/null || true)"
+      [ -n "$running" ] || continue
+
+      match="0"
+      if [ "$running" = "$expected" ]; then
+        match="1"
+      fi
+
+      printf 'homelab_gitops_runtime_image_match{name="%s",project="%s",service="%s"} %s\n' \
+        "$container" "$project" "$service" "$match"
+    done
+}
+
 {
   cat <<'EOF'
 # HELP homelab_textfile_exporter_last_run_timestamp_seconds Unix timestamp of the last successful homelab textfile exporter run.
@@ -34,6 +79,8 @@ EOF
     printf 'homelab_critical_container_running{name="%s"} %s\n' "$container" "$running"
   done
 
+  emit_gitops_runtime_image_metrics
+
   cat <<'EOF'
 # HELP homelab_borg_last_completed_timestamp_seconds Unix timestamp of the most recent completed Borg backup job known to Borg UI.
 # TYPE homelab_borg_last_completed_timestamp_seconds gauge