Tag PR image build as latest before scanning

This is less effort than passing the tag across steps 🤷‍♂️

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

.github/workflows/trivy.yaml

@@ -27,11 +27,12 @@ jobs:
       run: |
         make local
         make package-image
+        make tag-image-latest
 
     - name: Run Trivy vulnerability scanner
       uses: aquasecurity/trivy-action@0.24.0
       with:
-        image-ref: 'rancher/k3s'
+        image-ref: 'rancher/k3s:latest'
         format: 'table'
         severity: "HIGH,CRITICAL"
         output: "trivy-report.txt"

scripts/tag-image-latest

@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+
+cd $(dirname $0)/..
+
+. ./scripts/version.sh
+
+TAG=${TAG:-${VERSION_TAG}${SUFFIX}}
+REPO=${REPO:-rancher}
+IMAGE_NAME=${IMAGE_NAME:-k3s}
+
+IMAGE=${REPO}/${IMAGE_NAME}:${TAG}
+LATEST=${REPO}/${IMAGE_NAME}:latest
+docker image tag ${IMAGE} ${LATEST}
+echo Tagged ${IMAGE} as ${LATEST}