feat: Add Docker containerization with CI/CD pipeline

- Add Dockerfile with Python 3.11-slim, non-root user, health checks
- Add docker-compose.yml with environment variables and volume mounts
- Add .dockerignore for clean builds excluding sensitive files
- Add GitHub Actions workflow for multi-platform builds (amd64/arm64)
- Support ghcr.io and Docker Hub registries with manual approval for main
- Add pre-commit hooks for code quality and security validation
- Update CLAUDE.md with Docker deployment documentation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: bakerboy448

.dockerignore

@@ -0,0 +1,90 @@
+# Git
+.git
+.gitignore
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# Virtual environments
+venv/
+ENV/
+env/
+.venv
+.env
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+.DS_Store
+
+# Sensitive files
+config.json
+*.config.json
+config.*.json
+
+# Database files (will be mounted as volume)
+*.db
+*.db-journal
+*.sqlite
+*.sqlite3
+
+# Logs (will be mounted as volume)
+*.log
+logs/
+log/
+
+# Testing
+.coverage
+.pytest_cache/
+.tox/
+htmlcov/
+.hypothesis/
+
+# Documentation
+*.md
+docs/
+
+# Backup files
+*.bak
+*.backup
+*.old
+
+# Temporary files
+tmp/
+temp/
+.tmp/
+
+# System files
+Thumbs.db
+desktop.ini
+
+# Docker
+Dockerfile
+docker-compose.yml
+.dockerignore
+
+# Reddit specific
+processed_actions.json
+modlog_backup_*.json

.github/workflows/docker-build.yml

@@ -0,0 +1,86 @@
+name: Build and Push Docker Images
+
+on:
+  push:
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      deploy_to_main:
+        description: 'Deploy to main branch registries'
+        required: true
+        default: false
+        type: boolean
+
+env:
+  REGISTRY_GHCR: ghcr.io
+  REGISTRY_DOCKERHUB: docker.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        if: github.event_name != 'pull_request' && (github.ref_type == 'tag' || inputs.deploy_to_main == true)
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY_GHCR }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to Docker Hub
+        if: github.event_name != 'pull_request' && (github.ref_type == 'tag' || inputs.deploy_to_main == true)
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY_DOCKERHUB }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY_GHCR }}/${{ env.IMAGE_NAME }}
+            ${{ env.REGISTRY_DOCKERHUB }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || inputs.deploy_to_main == true) }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Update Docker Hub description
+        if: github.event_name != 'pull_request' && (github.ref_type == 'tag' || inputs.deploy_to_main == true)
+        uses: peter-evans/dockerhub-description@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          repository: ${{ env.IMAGE_NAME }}
+          readme-filepath: ./README.md

.pre-commit-config.yaml

@@ -0,0 +1,57 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: debug-statements
+      - id: check-executables-have-shebangs
+
+  - repo: https://github.com/psf/black
+    rev: 23.7.0
+    hooks:
+      - id: black
+        language_version: python3
+        args: [--line-length=88]
+
+  - repo: https://github.com/pycqa/flake8
+    rev: 6.0.0
+    hooks:
+      - id: flake8
+        args: [--max-line-length=88, --extend-ignore=E203,W503]
+
+  - repo: https://github.com/pycqa/isort
+    rev: 5.12.0
+    hooks:
+      - id: isort
+        args: [--profile=black]
+
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.4.0
+    hooks:
+      - id: detect-secrets
+        args: ['--baseline', '.secrets.baseline']
+        exclude: |
+          (?x)^(
+              config_template\.json|
+              \.secrets\.baseline
+          )$
+
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.4.1
+    hooks:
+      - id: mypy
+        additional_dependencies: [types-requests]
+        args: [--ignore-missing-imports]
+
+  - repo: local
+    hooks:
+      - id: reddit-config-check
+        name: Check Reddit config safety
+        entry: python -c "import json; config = json.load(open('config.json')) if __import__('os').path.exists('config.json') else {}; exit(1) if not config.get('anonymize_moderators', True) else exit(0)"
+        language: system
+        files: config\.json$
+        pass_filenames: false

CLAUDE.md

@@ -240,9 +240,80 @@ User profile links are a privacy concern and not useful for modlog purposes.
 - ✅ Database schema at version 5 with all required columns
 - ✅ Consistent Reddit API field usage (action.details vs action.description)
 
+## Docker Deployment
+
+### Building and Running
+
+```bash
+# Build the Docker image
+docker build -t reddit-modlog:latest .
+
+# Run with docker-compose (recommended)
+docker-compose up -d
+
+# Run directly with Docker
+docker run -d \
+  --name reddit-modlog-bot \
+  --restart unless-stopped \
+  -e REDDIT_CLIENT_ID=your_client_id \
+  -e REDDIT_CLIENT_SECRET=your_client_secret \
+  -e REDDIT_USERNAME=your_username \
+  -e REDDIT_PASSWORD=your_password \
+  -e SOURCE_SUBREDDIT=your_subreddit \
+  -v ./data:/app/data \
+  -v ./logs:/app/logs \
+  reddit-modlog:latest
+```
+
+### Environment Configuration
+
+Create a `.env` file in the project root:
+
+```env
+# Reddit API credentials (REQUIRED)
+REDDIT_CLIENT_ID=your_client_id
+REDDIT_CLIENT_SECRET=your_client_secret
+REDDIT_USERNAME=your_bot_username
+REDDIT_PASSWORD=your_bot_password
+
+# Application settings
+SOURCE_SUBREDDIT=your_subreddit
+WIKI_PAGE=modlog
+RETENTION_DAYS=30
+BATCH_SIZE=50
+UPDATE_INTERVAL=300
+
+# Wiki actions to process
+WIKI_ACTIONS=removelink,removecomment,addremovalreason,spamlink,spamcomment,approvelink,approvecomment
+```
+
+### CI/CD Pipeline
+
+The project includes GitHub Actions for automated Docker builds:
+- **Triggers**: Git tags (v*) and manual workflow dispatch
+- **Registries**: GitHub Container Registry (ghcr.io) and Docker Hub
+- **Platforms**: linux/amd64, linux/arm64
+- **Manual approval required** for main branch deployments
+
+### Pre-commit Hooks
+
+Install and use pre-commit hooks for code quality:
+
+```bash
+# Install pre-commit
+pip install pre-commit
+
+# Install hooks
+pre-commit install
+
+# Run manually
+pre-commit run --all-files
+```
+
 ## Development Guidelines
 
 ### Git Workflow
+- **NEVER push to main without manual approval**
 - If branch is not main, you may commit and push if a PR is draft or not open
 - Use conventional commits for all changes
 - Use multiple commits if needed, or patch if easier

Dockerfile

@@ -0,0 +1,42 @@
+FROM python:3.11-slim
+
+# Set working directory
+WORKDIR /app
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y \
+    sqlite3 \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy requirements first for better Docker layer caching
+COPY requirements.txt .
+
+# Install Python dependencies
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy application files
+COPY modlog_wiki_publisher.py .
+COPY config_template.json .
+
+# Create directories for data persistence
+RUN mkdir -p /app/data /app/logs
+
+# Create non-root user for security
+RUN groupadd -r modlogbot && useradd -r -g modlogbot modlogbot
+RUN chown -R modlogbot:modlogbot /app
+USER modlogbot
+
+# Set environment variables
+ENV PYTHONUNBUFFERED=1
+ENV DB_PATH=/app/data/modlog.db
+ENV LOGS_DIR=/app/logs
+
+# Expose health check port (if we add one)
+EXPOSE 8080
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD python -c "import sqlite3; conn = sqlite3.connect('${DB_PATH}'); conn.close()" || exit 1
+
+# Default command - can be overridden
+CMD ["python", "modlog_wiki_publisher.py", "--continuous"]