Merge branch 'dev' into enable-registry-cleaning

.github/CODEOWNERS

@@ -1,5 +1,5 @@
 # format per https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#about-code-owners
-* @colearendt @ianpittwood @bschwedler
+* @ianpittwood @bschwedler @costrouc
 
 /connect/* @rstudio/connect
 /connect-content-init/* @rstudio/connect

.github/actions/bake-test-push/action.yml

@@ -0,0 +1,161 @@
+name: 'Build/Test/Scan/Push Image'
+inputs:
+  target:
+    description: Target or group to bake
+    required: true
+    type: string
+  bakefile:
+    description: Path to the bakefile
+    required: true
+    default: "docker-bake.hcl"
+    type: string
+  env-vars:
+    description: A semicolon delimited list of environment variables to set as overrides for the bake definition
+    required: false
+    type: string
+  test-image:
+    description: Flag to test image once built
+    default: true
+    type: boolean
+  scan-image:
+    description: Flag to scan image for vulnerabilities once built
+    default: true
+    type: boolean
+  push-image:
+    description: Flag to push image once built
+    default: false
+    type: boolean
+  ghcr-token:
+    description: Username for authentication with GHCR.io
+    required: true
+    type: string
+  dockerhub-username:
+    description: Username for authentication with DockerHub
+    required: true
+    type: string
+  dockerhub-token:
+    description: Username for authentication with DockerHub
+    required: true
+    type: string
+  gcp-json:
+    description: JSON for authenticating Google Cloud Platform
+    default: ""
+    type: string
+  snyk-org:
+    description: Organization ID for Snyk
+    default: ""
+    type: string
+  snyk-token:
+    description: Token for authenticating with Snyk
+    default: ""
+    type: string
+
+runs:
+  using: "composite"
+  steps:
+    # Setup dependencies and tools
+    - name: Set up Just
+      uses: extractions/setup-just@v2
+      env:
+        GITHUB_TOKEN: ${{ inputs.ghcr-token }}
+
+    - uses: snyk/actions/setup@master
+
+    - name: Snyk auth
+      shell: bash
+      run: |
+        snyk auth ${{ inputs.snyk-token }}
+
+    - uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+
+    # Authenticate to registries
+    - name: Login to ghcr.io
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ inputs.ghcr-token }}
+
+    - name: Login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ inputs.dockerhub-username }}
+        password: ${{ inputs.dockerhub-token }}
+
+    - name: Login to GCAR us-central1
+      continue-on-error: true
+      uses: docker/login-action@v3
+      with:
+        registry: us-central1-docker.pkg.dev
+        username: _json_key
+        password: '${{ inputs.gcp-json }}'
+
+    - name: Login to GCAR us
+      continue-on-error: true
+      uses: docker/login-action@v3
+      with:
+        registry: us-docker.pkg.dev
+        username: _json_key
+        password: '${{ inputs.gcp-json }}'
+
+    - name: Login to GCAR asia
+      continue-on-error: true
+      uses: docker/login-action@v3
+      with:
+        registry: asia-docker.pkg.dev
+        username: _json_key
+        password: '${{ inputs.gcp-json }}'
+
+    - name: Login to GCAR europe
+      continue-on-error: true
+      uses: docker/login-action@v3
+      with:
+        registry: europe-docker.pkg.dev
+        username: _json_key
+        password: '${{ inputs.gcp-json }}'
+
+    # Build, test, and push image
+    - name: Build
+      id: build
+      uses: docker/bake-action@v4
+      with:
+        targets: "${{ inputs.target }}"
+        push: false
+        files: ${{ inputs.bakefile }}
+
+    - name: Test
+      shell: bash
+      run: |
+        if [[ "${{ inputs.test-image }}" == "true" ]]; then
+          just test "${{ inputs.target }}" "${{ inputs.bakefile }}"
+        fi
+
+    - name: Scan
+      continue-on-error: true
+      env:
+        SNYK_ORG: ${{ inputs.snyk-org }}
+      shell: bash
+      run: |
+        if [[ "${{ inputs.scan-image }}" == "true" ]]; then
+          if [[ "${{ inputs.push-image }}" == "true" ]]; then
+            just snyk-monitor "${{ inputs.target }}" "${{ inputs.bakefile }}"
+          else
+            just snyk-test "${{ inputs.target }}" "${{ inputs.bakefile }}"
+          fi
+        fi
+
+    - name: Upload results
+      uses: github/codeql-action/upload-sarif@v3
+      continue-on-error: true
+      with:
+          sarif_file: "container.sarif"
+          category: "${{ inputs.target }}-snyk-vulnerabilities"
+
+    - name: Push - ${{ inputs.push-image }}
+      uses: docker/bake-action@v4
+      with:
+        targets: "${{ inputs.target }}"
+        push: ${{ inputs.push-image }}
+        files: ${{ inputs.bakefile }}