Remove sorting functionality (#1358)

* [SYNPY-1798]: updated black to 26.3.1 and reran pre-commit (#1341)

* update black to 26.3.1 and rerun pre-commit

* update the tutorial line

---------

Co-authored-by: Lingling Peng <lpeng@w290.local>
Co-authored-by: Lingling Peng <lpeng@Mac.SageCorpWiFi>

* [SYNPY-1764] Add Trivy container vulnerability scanning (#1346)

* [SYNPY-1764] Add Trivy container vulnerability scanning to Docker build

Add Trivy scanning to gate Docker image publication on GHCR. Both release
and develop Docker jobs now follow a build→scan→push pattern where images
are only pushed if no Critical/High unfixed vulnerabilities are found.

New workflows:
- trivy.yml: reusable Trivy scanning workflow with SARIF upload to GitHub Security tab
- docker_build.yml: reusable build/scan/push workflow for image rebuilds
- trivy_periodic_scan.yml: daily rescan of latest published image with auto-remediation

* Address PR review feedback from linglp and jaymedina

- Fix push jobs to load scanned tar instead of rebuilding (build.yml)
- Pin trivy-action to SHA for v0.35.0 to address supply chain attack
- Fix env.repo_name output using $GITHUB_OUTPUT (trivy_periodic_scan.yml)
- Pin all third-party actions to commit SHAs
- Remove unnecessary permissions on get-image-reference job
- Use !cancelled() for SARIF upload condition (trivy.yml)
- Use LOCAL_IMAGE_TAG env var instead of hardcoded string (docker_build.yml)
- Fix IMAGE_REFERENCES YAML line continuation

* Prevent infinite rebuild loop in periodic Trivy scan

Restructure trivy_periodic_scan.yml so the git tag is only created
after a successful rebuild (not before). If the rebuild still has
vulnerabilities, a GitHub issue is opened for manual triage instead
of looping endlessly.

- Rename bump-tag → compute-next-version (dry_run: true)
- Add create-tag job gated on update-image success
- Add alert-on-failure job that opens a GitHub issue with
  duplicate prevention when remediation fails

* pre-commit

* Update Trivy scan workflow to use previous tag and adjust image references

* Address PR review feedback

- Pin codeql-action/upload-sarif to SHA and upgrade to v3.35.1
- Guard update-image job on compute-next-version success
- Use absolute URL for Security tab link in auto-created issues

* Add actions read permission for Trivy scan job (#1355)

* Add optional ARTIFACT_NAME_SUFFIX input to Trivy workflow and update artifact naming (#1357)

* remove sort

---------

Co-authored-by: Lingling <55448354+linglp@users.noreply.github.com>
Co-authored-by: Lingling Peng <lpeng@w290.local>
Co-authored-by: Lingling Peng <lpeng@Mac.SageCorpWiFi>
Co-authored-by: BryanFauble <17128019+BryanFauble@users.noreply.github.com>

Author: 5 people

.github/workflows/build.yml

@@ -552,87 +552,186 @@ jobs:
           exit 1
 
   # containerize the package and upload to the GHCR upon new release (whether pre-release or not)
-  ghcr-build-and-push-on-release:
+  # Step 1: Build the Docker image and save as tar for scanning
+  ghcr-build-on-release:
     needs: deploy
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
+    outputs:
+      image-tags: ${{ steps.set-tags.outputs.tags }}
+      image-name: synapsepythonclient-release
+    env:
+      TARFILE_NAME: synapsepythonclient-release.tar
 
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
       - name: Extract Release Version
         run: echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
         shell: bash
+      - name: Set image tags
+        id: set-tags
+        shell: bash
+        run: |
+          if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
+            echo "tags=ghcr.io/sage-bionetworks/synapsepythonclient:${{ env.RELEASE_VERSION }}-prerelease" >> $GITHUB_OUTPUT
+          else
+            echo "tags=ghcr.io/sage-bionetworks/synapsepythonclient:latest,ghcr.io/sage-bionetworks/synapsepythonclient:${{ env.RELEASE_VERSION }}" >> $GITHUB_OUTPUT
+          fi
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
-      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push Docker image (official release)
-        id: docker_build
-        if: '!github.event.release.prerelease'
-        uses: docker/build-push-action@v3
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
         with:
-          push: true
+          context: .
+          push: false
+          load: true
           provenance: false
-          tags: ghcr.io/sage-bionetworks/synapsepythonclient:latest,ghcr.io/sage-bionetworks/synapsepythonclient:${{ env.RELEASE_VERSION }}
+          tags: synapsepythonclient-release:local
           file: ./Dockerfile
           platforms: linux/amd64
           cache-from: type=registry,ref=ghcr.io/sage-bionetworks/synapsepythonclient:build-cache
-          cache-to: type=registry,mode=max,ref=ghcr.io/sage-bionetworks/synapsepythonclient:build-cache
-      - name: Build and push Docker image (pre-release)
-        id: docker_build_prerelease
-        if: 'github.event.release.prerelease'
-        uses: docker/build-push-action@v3
+          cache-to: type=inline
+      - name: Save Docker image to tar
+        run: docker save synapsepythonclient-release:local -o ${{ env.TARFILE_NAME }}
+      - name: Upload tar artifact
+        uses: actions/upload-artifact@v4
         with:
-          push: true
-          provenance: false
-          tags: ghcr.io/sage-bionetworks/synapsepythonclient:${{ env.RELEASE_VERSION }}-prerelease
-          file: ./Dockerfile
-          platforms: linux/amd64
-          cache-from: type=registry,ref=ghcr.io/sage-bionetworks/synapsepythonclient:build-cache-prerelease
-          cache-to: type=registry,mode=max,ref=ghcr.io/sage-bionetworks/synapsepythonclient:build-cache-prerelease
-      - name: Output image digest (official release)
-        if: '!github.event.release.prerelease'
-        run: echo "The image digest for official release is ${{ steps.docker_build.outputs.digest }}"
-      - name: Output image digest (pre-release)
-        if: 'github.event.release.prerelease'
-        run: echo "The image digest for pre-release is ${{ steps.docker_build_prerelease.outputs.digest }}"
+          name: ${{ env.TARFILE_NAME }}
+          path: ${{ env.TARFILE_NAME }}
+          retention-days: 1
+
+  # Step 2: Scan the built image with Trivy before pushing
+  trivy-scan-release:
+    needs: [ghcr-build-on-release]
+    uses: ./.github/workflows/trivy.yml
+    with:
+      SOURCE_TYPE: tar
+      TARFILE_NAME: synapsepythonclient-release.tar
+      IMAGE_NAME: synapsepythonclient-release:local
+      EXIT_CODE: 1
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
 
-  # containerize the package and upload to the GHCR upon commit in develop
-  ghcr-build-and-push-on-develop:
+  # Step 3: Push the image to GHCR only if Trivy scan passes
+  ghcr-push-on-release:
+    needs: [ghcr-build-on-release, trivy-scan-release]
     runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/develop'
     permissions:
       contents: read
       packages: write
 
+    env:
+      TARFILE_NAME: synapsepythonclient-release.tar
+
     steps:
-      - name: Check out the repo
-        uses: actions/checkout@v4
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+      - name: Download scanned tar
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.TARFILE_NAME }}
+          path: /tmp
+      - name: Load Docker image from tar
+        run: docker load -i /tmp/${{ env.TARFILE_NAME }}
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push Docker image for develop
-        id: docker_build
+      - name: Tag and push Docker image
+        shell: bash
+        run: |
+          IFS=',' read -ra TAGS <<< "${{ needs.ghcr-build-on-release.outputs.image-tags }}"
+          for TAG in "${TAGS[@]}"; do
+            docker tag synapsepythonclient-release:local "$TAG"
+            docker push "$TAG"
+          done
+
+  # containerize the package and upload to the GHCR upon commit in develop
+  # Step 1: Build the Docker image and save as tar for scanning
+  ghcr-build-on-develop:
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/develop'
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      image-tag: ghcr.io/sage-bionetworks/synapsepythonclient:develop-${{ github.sha }}
+      image-name: synapsepythonclient-develop
+    env:
+      TARFILE_NAME: synapsepythonclient-develop.tar
+
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Build Docker image
         uses: docker/build-push-action@v5
         with:
-          push: true
+          context: .
+          push: false
+          load: true
           provenance: false
-          tags: ghcr.io/sage-bionetworks/synapsepythonclient:develop-${{ github.sha }}
+          tags: synapsepythonclient-develop:local
           file: ./Dockerfile
           platforms: linux/amd64
           cache-from: type=registry,ref=ghcr.io/sage-bionetworks/synapsepythonclient:build-cache
           cache-to: type=inline
-      - name: Output image digest
-        run: echo "The image digest is ${{ steps.docker_build.outputs.digest }}"
+      - name: Save Docker image to tar
+        run: docker save synapsepythonclient-develop:local -o ${{ env.TARFILE_NAME }}
+      - name: Upload tar artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.TARFILE_NAME }}
+          path: ${{ env.TARFILE_NAME }}
+          retention-days: 1
+
+  # Step 2: Scan the built image with Trivy before pushing
+  trivy-scan-develop:
+    needs: [ghcr-build-on-develop]
+    uses: ./.github/workflows/trivy.yml
+    with:
+      SOURCE_TYPE: tar
+      TARFILE_NAME: synapsepythonclient-develop.tar
+      IMAGE_NAME: synapsepythonclient-develop:local
+      EXIT_CODE: 1
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+
+  # Step 3: Push the image to GHCR only if Trivy scan passes
+  ghcr-push-on-develop:
+    needs: [ghcr-build-on-develop, trivy-scan-develop]
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/develop'
+    permissions:
+      contents: read
+      packages: write
+
+    env:
+      TARFILE_NAME: synapsepythonclient-develop.tar
+
+    steps:
+      - name: Download scanned tar
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.TARFILE_NAME }}
+          path: /tmp
+      - name: Load Docker image from tar
+        run: docker load -i /tmp/${{ env.TARFILE_NAME }}
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Tag and push Docker image
+        run: |
+          docker tag synapsepythonclient-develop:local "${{ needs.ghcr-build-on-develop.outputs.image-tag }}"
+          docker push "${{ needs.ghcr-build-on-develop.outputs.image-tag }}"

.github/workflows/docker_build.yml

@@ -0,0 +1,104 @@
+---
+#
+# Reusable workflow to build, scan, and push a Docker image.
+# Called by the periodic scan workflow to rebuild images
+# when new vulnerabilities are found.
+#
+name: Build and publish a Docker image
+
+on:
+  workflow_call:
+    inputs:
+      REF_TO_CHECKOUT:
+        required: false
+        type: string
+        description: "Reference to checkout, e.g. a tag like v1.0.1. Defaults to the branch/tag of the current event."
+      IMAGE_REFERENCES:
+        required: true
+        type: string
+        description: "Comma-separated image references, e.g., ghcr.io/sage-bionetworks/synapsepythonclient:1.0.1"
+
+env:
+  TARFILE_NAME: image.tar
+  LOCAL_IMAGE_TAG: rebuild-image:local
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.REF_TO_CHECKOUT }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: false
+          load: true
+          tags: ${{ env.LOCAL_IMAGE_TAG }}
+          file: ./Dockerfile
+          platforms: linux/amd64
+
+      - name: Save Docker image to tar
+        run: docker save ${{ env.LOCAL_IMAGE_TAG }} -o ${{ env.TARFILE_NAME }}
+
+      - name: Upload tarball for use by Trivy job
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.TARFILE_NAME }}
+          path: ${{ env.TARFILE_NAME }}
+          retention-days: 1
+
+    outputs:
+      tarfile_artifact: ${{ env.TARFILE_NAME }}
+
+  trivy-scan:
+    needs: build
+    uses: "./.github/workflows/trivy.yml"
+    with:
+      SOURCE_TYPE: tar
+      IMAGE_NAME: rebuild-image:local
+      TARFILE_NAME: ${{ needs.build.outputs.tarfile_artifact }}
+      EXIT_CODE: 1
+      ARTIFACT_NAME_SUFFIX: -rebuild
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+
+  push-image:
+    needs: [build, trivy-scan]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Download tar artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.build.outputs.tarfile_artifact }}
+          path: /tmp
+
+      - name: Load Docker image from tar
+        run: docker load -i /tmp/${{ needs.build.outputs.tarfile_artifact }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Tag and push Docker image
+        shell: bash
+        run: |
+          IFS=',' read -ra TAGS <<< "${{ inputs.IMAGE_REFERENCES }}"
+          for TAG in "${TAGS[@]}"; do
+            docker tag ${{ env.LOCAL_IMAGE_TAG }} "$TAG"
+            docker push "$TAG"
+          done