Merge branch 'main' into fix/ipa-hostkeys

Author: sjpb

.github/workflows/extra.yml

@@ -18,7 +18,7 @@ permissions:
 jobs:
   doca:
     name: extra-build
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false # allow other matrix jobs to continue even if one fails
       matrix: # build RL8, RL9

.github/workflows/fatimage.yml

@@ -29,7 +29,7 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.build.image_name }} # to branch/PR + OS
       cancel-in-progress: true
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false # allow other matrix jobs to continue even if one fails
       matrix: # build RL8, RL9

.github/workflows/lint.yml

@@ -13,7 +13,7 @@ permissions:
 jobs:
   lint:
     name: Lint
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: read

.github/workflows/main.yml

@@ -19,6 +19,8 @@ permissions:
   # To report GitHub Actions status checks
   statuses: write
   id-token: write
+  # upload trivy scan results
+  security-events: write
 
 on:
   push:
@@ -38,7 +40,7 @@ jobs:
   files_changed:
     name: Determine files changed
     needs: lint
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     # Map a step output to a job output, this allows other jobs to be gated on the filter results
     outputs:
         # The 'stackhpc' output will be 'true' if either of the two stackhpc filters below matched
@@ -143,6 +145,6 @@ jobs:
     name: Trivy scan image for vulnerabilities
     needs: files_changed
     if: |
-      needs.files_changed.outputs.trivyscan == 'true'
+      needs.files_changed.outputs.trivyscan == 'true' || github.event_name != 'pull_request'
     uses: ./.github/workflows/trivyscan.yml
     secrets: inherit

.github/workflows/nightly-cleanup.yml

@@ -21,7 +21,7 @@ jobs:
           - LEAFCLOUD
           - SMS
           - ARCUS
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
       OS_CLOUD: openstack
       CI_CLOUD: ${{ matrix.cloud }}

.github/workflows/nightlybuild.yml

@@ -26,7 +26,7 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.build.image_name }} # to branch/PR + OS
       cancel-in-progress: true
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false # allow other matrix jobs to continue even if one fails
       matrix: # build RL8, RL9
@@ -131,7 +131,7 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.build.image_name }}-${{ matrix.target_cloud }}
       cancel-in-progress: true
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:

.github/workflows/release-image.yml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   ci-image-release:
     name: ci-image-release
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     concurrency: ${{ github.workflow }}-${{ github.ref }}
     strategy:
       fail-fast: false

.github/workflows/s3-image-sync.yml

@@ -19,7 +19,7 @@ permissions:
 
 jobs:
   s3_cleanup:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     concurrency: ${{ github.workflow }}-${{ github.ref }}
     strategy:
       fail-fast: false
@@ -41,7 +41,7 @@ jobs:
           s3cmd rm s3://${{ env.S3_BUCKET }} --recursive --force
 
   image_upload:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: s3_cleanup
     concurrency: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.build }}
     strategy:
@@ -118,7 +118,7 @@ jobs:
 
   image_sync:
     needs: image_upload
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     concurrency: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.cloud }}-${{ matrix.build }}
     strategy:
       fail-fast: false

.github/workflows/stackhpc.yml

@@ -18,7 +18,7 @@ permissions:
 jobs:
   openstack:
     name: openstack-ci
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false # allow other matrix jobs to continue even if one fails
       matrix:
@@ -75,8 +75,14 @@ jobs:
         run: cat environments/.stackhpc/bastion_fingerprints >> ~/.ssh/known_hosts
         shell: bash
 
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.10'  #TODO: bump to 3.12 once release cut including this PR
+
       - name: Install ansible, pip and galaxy requirements
         run: dev/setup-env.sh
+        env:
+           PYTHON_VERSION: python3 # overrides os-release discovery logic
 
       - name: Install OpenTofu
         uses: opentofu/[email protected]
@@ -101,6 +107,12 @@ jobs:
         env:
           DEMO_USER_PASSWORD: ${{ secrets.TEST_USER_PASSWORD }}
 
+      - name: Cleanup any OpenStack resources from previous attempts
+        run: |
+          . venv/bin/activate
+          . environments/.stackhpc/activate
+          ./dev/delete-cluster.py ${{ env.TF_VAR_cluster_name }} --force
+
       - name: Provision nodes using latest release image
         id: provision_servers
         run: |
@@ -146,8 +158,14 @@ jobs:
       - name: Checkout current branch
         run: git checkout ${{ github.head_ref || github.ref_name }}
 
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'
+
       - name: Update ansible, pip and galaxy requirements
         run: dev/setup-env.sh
+        env:
+          PYTHON_VERSION: python3 # overrides os-release discovery logic
 
       - name: Reimage login and control nodes to image in current branch
         id: reimage_non_compute

.github/workflows/trivyscan.yml

@@ -14,10 +14,12 @@ permissions:
   packages: write
   # To report GitHub Actions status checks
   statuses: write
+  # upload trivy scan results
+  security-events: write
 
 jobs:
   scan:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix: