Secure SSH commands and fix auto-merge CI failure

Addresses OWASP security audit by enforcing strict host key verification
and fixes a CI failure in the auto-merge workflow.

Key changes:
- Replaced StrictHostKeyChecking=accept-new with yes in pkg/container and pkg/devops.
- Removed insecure host key verification from pkg/ansible.
- Implemented synchronous host key discovery using ssh-keyscan during VM boot.
- Handled missing known_hosts file in pkg/ansible.
- Refactored hardcoded SSH port to DefaultSSHPort constant.
- Added pkg/ansible/ssh_test.go to verify SSH client initialization.
- Fixed formatting in pkg/io/local/client.go.
- Fixed auto-merge.yml by inlining the script and providing repository context
  to 'gh' command, resolving the "not a git repository" error in CI.

.github/workflows/auto-merge.yml

@@ -4,7 +4,45 @@ on:
   pull_request:
     types: [opened, reopened, ready_for_review]
 
+permissions:
+  pull-requests: write
+  contents: write
+
 jobs:
   merge:
-    uses: host-uk/.github/.github/workflows/auto-merge.yml@dev
-    secrets: inherit
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    steps:
+      - name: Enable auto-merge
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const author = context.payload.pull_request.user.login;
+            const association = context.payload.pull_request.author_association;
+
+            // Trusted bot accounts (act as org members)
+            const trustedBots = ['google-labs-jules[bot]'];
+            const isTrustedBot = trustedBots.includes(author);
+
+            // Check author association from webhook payload
+            const trusted = ['MEMBER', 'OWNER', 'COLLABORATOR'];
+            if (!isTrustedBot && !trusted.includes(association)) {
+              core.info(`${author} is ${association} — skipping auto-merge`);
+              return;
+            }
+
+            try {
+              await exec.exec('gh', [
+                'pr', 'merge', process.env.PR_NUMBER,
+                '--auto',
+                '--merge',
+                '-R', `${context.repo.owner}/${context.repo.repo}`
+              ]);
+              core.info(`Auto-merge enabled for #${process.env.PR_NUMBER}`);
+            } catch (error) {
+              core.error(`Failed to enable auto-merge: ${error.message}`);
+              throw error;
+            }

pkg/ansible/ssh_test.go

@@ -0,0 +1,36 @@
+package ansible
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewSSHClient(t *testing.T) {
+	cfg := SSHConfig{
+		Host: "localhost",
+		Port: 2222,
+		User: "root",
+	}
+
+	client, err := NewSSHClient(cfg)
+	assert.NoError(t, err)
+	assert.NotNil(t, client)
+	assert.Equal(t, "localhost", client.host)
+	assert.Equal(t, 2222, client.port)
+	assert.Equal(t, "root", client.user)
+	assert.Equal(t, 30*time.Second, client.timeout)
+}
+
+func TestSSHConfig_Defaults(t *testing.T) {
+	cfg := SSHConfig{
+		Host: "localhost",
+	}
+
+	client, err := NewSSHClient(cfg)
+	assert.NoError(t, err)
+	assert.Equal(t, 22, client.port)
+	assert.Equal(t, "root", client.user)
+	assert.Equal(t, 30*time.Second, client.timeout)
+}