Address PR review feedback from linglp and jaymedina

BryanFauble · BryanFauble · commit 1d63fa119fd3 · 2026-04-01T00:01:24.000Z
- Fix push jobs to load scanned tar instead of rebuilding (build.yml)
- Pin trivy-action to SHA for v0.35.0 to address supply chain attack
- Fix env.repo_name output using $GITHUB_OUTPUT (trivy_periodic_scan.yml)
- Pin all third-party actions to commit SHAs
- Remove unnecessary permissions on get-image-reference job
- Use !cancelled() for SARIF upload condition (trivy.yml)
- Use LOCAL_IMAGE_TAG env var instead of hardcoded string (docker_build.yml)
- Fix IMAGE_REFERENCES YAML line continuation
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -593,6 +593,7 @@ jobs:
           file: ./Dockerfile
           platforms: linux/amd64
           cache-from: type=registry,ref=ghcr.io/sage-bionetworks/synapsepythonclient:build-cache
+          cache-to: type=registry,mode=max,ref=ghcr.io/sage-bionetworks/synapsepythonclient:build-cache
       - name: Save Docker image to tar
         run: docker save synapsepythonclient-release:local -o ${{ env.TARFILE_NAME }}
       - name: Upload tar artifact
@@ -624,28 +625,31 @@ jobs:
       contents: read
       packages: write
 
+    env:
+      TARFILE_NAME: synapsepythonclient-release.tar
+
     steps:
-      - name: Check out the repo
-        uses: actions/checkout@v4
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+      - name: Download scanned tar
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.TARFILE_NAME }}
+          path: /tmp
+      - name: Load Docker image from tar
+        run: docker load -i /tmp/${{ env.TARFILE_NAME }}
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          push: true
-          provenance: false
-          tags: ${{ needs.ghcr-build-on-release.outputs.image-tags }}
-          file: ./Dockerfile
-          platforms: linux/amd64
-          cache-from: type=registry,ref=ghcr.io/sage-bionetworks/synapsepythonclient:build-cache
-          cache-to: type=registry,mode=max,ref=ghcr.io/sage-bionetworks/synapsepythonclient:build-cache
+      - name: Tag and push Docker image
+        shell: bash
+        run: |
+          IFS=',' read -ra TAGS <<< "${{ needs.ghcr-build-on-release.outputs.image-tags }}"
+          for TAG in "${TAGS[@]}"; do
+            docker tag synapsepythonclient-release:local "$TAG"
+            docker push "$TAG"
+          done
 
   # containerize the package and upload to the GHCR upon commit in develop
   # Step 1: Build the Docker image and save as tar for scanning
@@ -677,6 +681,7 @@ jobs:
           file: ./Dockerfile
           platforms: linux/amd64
           cache-from: type=registry,ref=ghcr.io/sage-bionetworks/synapsepythonclient:build-cache
+          cache-to: type=inline
       - name: Save Docker image to tar
         run: docker save synapsepythonclient-develop:local -o ${{ env.TARFILE_NAME }}
       - name: Upload tar artifact
@@ -709,25 +714,24 @@ jobs:
       contents: read
       packages: write
 
+    env:
+      TARFILE_NAME: synapsepythonclient-develop.tar
+
     steps:
-      - name: Check out the repo
-        uses: actions/checkout@v4
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+      - name: Download scanned tar
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.TARFILE_NAME }}
+          path: /tmp
+      - name: Load Docker image from tar
+        run: docker load -i /tmp/${{ env.TARFILE_NAME }}
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          push: true
-          provenance: false
-          tags: ghcr.io/sage-bionetworks/synapsepythonclient:develop-${{ github.sha }}
-          file: ./Dockerfile
-          platforms: linux/amd64
-          cache-from: type=registry,ref=ghcr.io/sage-bionetworks/synapsepythonclient:build-cache
-          cache-to: type=inline
+      - name: Tag and push Docker image
+        run: |
+          docker tag synapsepythonclient-develop:local "${{ needs.ghcr-build-on-develop.outputs.image-tag }}"
+          docker push "${{ needs.ghcr-build-on-develop.outputs.image-tag }}"
diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml
@@ -40,12 +40,12 @@ jobs:
           context: .
           push: false
           load: true
-          tags: rebuild-image:local
+          tags: ${{ env.LOCAL_IMAGE_TAG }}
           file: ./Dockerfile
           platforms: linux/amd64
 
       - name: Save Docker image to tar
-        run: docker save rebuild-image:local -o ${{ env.TARFILE_NAME }}
+        run: docker save ${{ env.LOCAL_IMAGE_TAG }} -o ${{ env.TARFILE_NAME }}
 
       - name: Upload tarball for use by Trivy job
         uses: actions/upload-artifact@v4
@@ -98,6 +98,6 @@ jobs:
         run: |
           IFS=',' read -ra TAGS <<< "${{ inputs.IMAGE_REFERENCES }}"
           for TAG in "${TAGS[@]}"; do
-            docker tag rebuild-image:local "$TAG"
+            docker tag ${{ env.LOCAL_IMAGE_TAG }} "$TAG"
             docker push "$TAG"
           done
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -62,7 +62,7 @@ jobs:
         run: docker load -i ${{ steps.tar-download.outputs.download-path }}/${{ inputs.TARFILE_NAME }}
 
       - name: Run Trivy vulnerability scanner for any major issues
-        uses: aquasecurity/trivy-action@0.32.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         id: trivy
         with:
           image-ref: ${{ inputs.IMAGE_NAME }}
@@ -75,14 +75,14 @@ jobs:
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3.25.12
-        if: ${{ success() || steps.trivy.conclusion == 'failure' }}
+        if: ${{ !cancelled() }}
         with:
           sarif_file: ${{ env.sarif_file_name }}
           wait-for-processing: true
 
       - name: Upload Trivy output
         uses: actions/upload-artifact@v4
-        if: ${{ success() || steps.trivy.conclusion == 'failure' }}
+        if: ${{ !cancelled() }}
         with:
           name: ${{ env.sarif_file_name }}
           path: ${{ env.sarif_file_name }}
diff --git a/.github/workflows/trivy_periodic_scan.yml b/.github/workflows/trivy_periodic_scan.yml
@@ -22,20 +22,18 @@ jobs:
           # While GitHub repos can be mixed case,
           # Docker images can only be lower case
           repo_name=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')
-          echo "repo_name=$repo_name" >> $GITHUB_ENV
+          echo "repo_name=$repo_name" >> $GITHUB_OUTPUT
       - name: Find current version
         id: find_version
-        uses: mathieudutour/github-tag-action@v6.2
+        uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           dry_run: true # setting to 'true' means no new version is created
     outputs:
-      image_repo: ghcr.io/${{ env.repo_name }}
+      image_repo: ghcr.io/${{ steps.to_lower_case.outputs.repo_name }}
       image_tag: ${{ steps.find_version.outputs.previous_version }}
     permissions:
       contents: read
-      deployments: write
-      security-events: write
 
   periodic-scan:
     needs: get-image-reference
@@ -57,12 +55,12 @@ jobs:
     steps:
       - name: Bump version and push tag
         id: tag_version
-        uses: mathieudutour/github-tag-action@v6.2
+        uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
       - name: Parse new version
         id: parsed
-        uses: booxmedialtd/ws-action-parse-semver@v1
+        uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7
         with:
           input_string: ${{ steps.tag_version.outputs.new_version }}
     outputs:
@@ -80,8 +78,7 @@ jobs:
     uses: "./.github/workflows/docker_build.yml"
     with:
       REF_TO_CHECKOUT: ${{ needs.bump-tag.outputs.new_tag }}
-      IMAGE_REFERENCES: "${{ needs.get-image-reference.outputs.image_repo }}:${{ needs.bump-tag.outputs.new_version }},\
-        ${{ needs.get-image-reference.outputs.image_repo }}:${{ needs.bump-tag.outputs.new_major_minor }}"
+      IMAGE_REFERENCES: "${{ needs.get-image-reference.outputs.image_repo }}:${{ needs.bump-tag.outputs.new_version }},${{ needs.get-image-reference.outputs.image_repo }}:${{ needs.bump-tag.outputs.new_major_minor }}"
     permissions:
       contents: read
       deployments: write
