bump image and test trivy scan

Author: bertiethorpe

.github/workflows/trivyscan.yml

@@ -8,37 +8,56 @@ on:
 jobs:
   scan:
     concurrency:
-      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.os_version }}-${{ matrix.build }} # to branch/PR + OS + build
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.build }} # to branch/PR + OS + build
       cancel-in-progress: true
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        os_version:
-          - RL8
-          - RL9
-        build:
-          - openstack.openhpc
-          - openstack.openhpc-cuda
-        exclude:
-          - os_version: RL8
-            build: openstack.openhpc-cuda
+        build: ["RL8", "RL9", "RL9-cuda"]
     env:
-      BUILD: ${{ matrix.build }}-${{ matrix.os_version }}
+      JSON_PATH: environments/.stackhpc/terraform/cluster_image.json
+      OS_CLOUD: openstack
+      CI_CLOUD: ${{ vars.CI_CLOUD }}
 
     steps:
-      - name: Download image details artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: image-details-${{ env.BUILD }}
+      - uses: actions/checkout@v2
+
+      - name: Record settings for CI cloud
+        run: |
+          echo CI_CLOUD: ${{ env.CI_CLOUD }}
+
+      - name: Setup ssh
+        run: |
+          set -x
+          mkdir ~/.ssh
+          echo "${{ secrets[format('{0}_SSH_KEY', env.CI_CLOUD)] }}" > ~/.ssh/id_rsa
+          chmod 0600 ~/.ssh/id_rsa
+        shell: bash
+
+      - name: Add bastion's ssh key to known_hosts
+        run: cat environments/.stackhpc/bastion_fingerprints >> ~/.ssh/known_hosts
+        shell: bash
+
+      - name: setup environment
+        run: |
+          python3 -m venv venv
+          . venv/bin/activate
+          pip install -U pip
+          pip install $(grep -o 'python-openstackclient[><=0-9\.]*' requirements.txt)
+        shell: bash
+
+      - name: Write clouds.yaml
+        run: |
+          mkdir -p ~/.config/openstack/
+          echo "${{ secrets[format('{0}_CLOUDS_YAML', env.CI_CLOUD)] }}" > ~/.config/openstack/clouds.yaml
+        shell: bash
 
-      - name: Use the downloaded artifact
+      - name: Parse image name json
         id: manifest
         run: |
-          IMAGE_ID=$(cat image-id.txt)
-          IMAGE_NAME=$(cat image-name.txt)
+          IMAGE_NAME=$(jq --arg version "${{ matrix.build }}" -r '.[$version]' "${{ env.JSON_PATH }}")
           echo "image-name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT"
-          echo "image-id=${IMAGE_ID}" >> "$GITHUB_OUTPUT"
 
       - name: Download image
         run: |
@@ -70,6 +89,8 @@ jobs:
           format: sarif
           output: "${{ steps.manifest.outputs.image-name }}.sarif"
           # turn off secret scanning to speed things up
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
@@ -87,3 +108,5 @@ jobs:
           exit-code: '1'
           severity: 'CRITICAL'
           ignore-unfixed: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

environments/.stackhpc/terraform/cluster_image.json

@@ -0,0 +1,5 @@
+{
+    "RL8": "openhpc-RL8-241003-1241-a256bce2",
+    "RL9": "openhpc-RL9-241003-1241-a256bce2",
+    "RL9-cuda": "openhpc-cuda-RL9-241003-1242-a256bce2"
+}

environments/.stackhpc/terraform/main.tf

@@ -28,11 +28,7 @@ variable "os_version" {
 variable "cluster_image" {
     description = "single image for all cluster nodes, keyed by os_version - a convenience for CI"
     type = map(string)
-    default = {
-        # https://github.com/stackhpc/ansible-slurm-appliance/pull/427
-        RL8: "openhpc-RL8-241003-1122-348c1508"
-        RL9: "openhpc-RL9-241003-1122-348c1508"
-    }
+    default = jsondecode(file("./cluster_image.json"))
 }
 
 variable "cluster_net" {}