feat: Docker containerization with multi-arch support

.dockerignore

@@ -0,0 +1,56 @@
+# Git files
+.git
+.gitignore
+.github
+
+# Documentation
+README.md
+CLAUDE.md
+LICENSE
+CHANGELOG.md
+*.md
+
+# Development files
+*.pyc
+__pycache__
+.pytest_cache
+.coverage
+htmlcov
+.env
+.env.*
+
+# IDE files
+.vscode
+.idea
+*.swp
+*.swo
+*.swn
+.DS_Store
+
+# Local data and logs
+data/
+logs/
+*.db
+*.log
+
+# Config files (except template)
+config.json
+
+# Test files
+test_*.py
+tests/
+debug_*.py
+
+# Build artifacts
+build/
+dist/
+*.egg-info/
+
+# Systemd files
+systemd/
+*.service
+
+# Docker files (not needed in build context)
+docker-compose.yml
+docker-compose.*.yml
+Dockerfile.*

.editorconfig

@@ -0,0 +1,55 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+# Python files
+[*.py]
+indent_style = space
+indent_size = 4
+
+# JSON files
+[*.json]
+indent_style = space
+indent_size = 2
+
+# YAML files
+[*.{yml,yaml}]
+indent_style = space
+indent_size = 2
+
+# Markdown files
+[*.md]
+trim_trailing_whitespace = false
+max_line_length = off
+
+# Shell scripts
+[*.sh]
+indent_style = space
+indent_size = 2
+
+# Dockerfile
+[Dockerfile*]
+indent_style = space
+indent_size = 2
+
+# Docker Compose
+[docker-compose*.yml]
+indent_style = space
+indent_size = 2
+
+# Makefile
+[Makefile]
+indent_style = tab
+
+# Configuration files
+[*.{cfg,ini,toml}]
+indent_style = space
+indent_size = 2

.github/workflows/docker-build.yml

@@ -0,0 +1,123 @@
+name: Docker Build and Publish
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+      - 'feature/docker-*'
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      push:
+        description: 'Push images to registry'
+        required: false
+        default: 'false'
+        type: choice
+        options:
+          - 'true'
+          - 'false'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: bakerboy448/redditmodlog
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    outputs:
+      image-tag: ${{ steps.meta.outputs.version }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=sha
+          labels: |
+            org.opencontainers.image.title=Reddit ModLog Wiki Publisher
+            org.opencontainers.image.description=Automated Reddit moderation log publisher to wiki pages
+            org.opencontainers.image.vendor=bakerboy448
+            org.opencontainers.image.licenses=GPL-3.0
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' || github.event.inputs.push == 'true' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            BUILD_DATE=${{ github.event.head_commit.timestamp }}
+            VCS_REF=${{ github.sha }}
+            VERSION=${{ steps.meta.outputs.version }}
+
+      - name: Generate SBOM
+        if: github.event_name != 'pull_request'
+        uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+          format: spdx-json
+          output-file: sbom.spdx.json
+
+      - name: Upload SBOM
+        if: github.event_name != 'pull_request'
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: sbom.spdx.json
+
+  security-scan:
+    needs: build
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request'
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image-tag }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.gitignore

@@ -2,12 +2,16 @@
 config.json
 *.config.json
 config.*.json
+/etc/redditmodlog/*.json
+!config_template.json
+!*.json.example
 
 # Database files
 *.db
 *.db-journal
 *.sqlite
 *.sqlite3
+data/
 
 # Python
 __pycache__/
@@ -38,7 +42,13 @@ venv/
 ENV/
 env/
 .venv
+
+# Environment files with credentials
 .env
+.env.*
+*.env
+!example.env
+!*.env.example
 
 # IDE
 .vscode/

.pre-commit-config.yaml

@@ -0,0 +1,60 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: debug-statements
+      - id: check-executables-have-shebangs
+
+  - repo: https://github.com/psf/black
+    rev: 23.7.0
+    hooks:
+      - id: black
+        language_version: python3
+        args: [--line-length=180]
+
+  - repo: https://github.com/pycqa/flake8
+    rev: 6.0.0
+    hooks:
+      - id: flake8
+        args: ['--max-line-length=180', '--ignore=E203,W503,E231,E226,E241,E722,F401,F403,F405,F541,F811,E402']
+
+  - repo: https://github.com/pycqa/isort
+    rev: 5.12.0
+    hooks:
+      - id: isort
+        args: [--profile=black]
+
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.4.0
+    hooks:
+      - id: detect-secrets
+        args: ['--baseline', '.secrets.baseline']
+        exclude: |
+          (?x)^(
+              config_template\.json|
+              \.secrets\.baseline|
+              systemd/.*|
+              README\.md|
+              CLAUDE\.md
+          )$
+
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.4.1
+    hooks:
+      - id: mypy
+        additional_dependencies: [types-requests]
+        args: [--ignore-missing-imports]
+
+  - repo: local
+    hooks:
+      - id: reddit-config-check
+        name: Check Reddit config safety
+        entry: python -c "import json; config = json.load(open('config.json')) if __import__('os').path.exists('config.json') else {}; exit(1) if not config.get('anonymize_moderators', True) else exit(0)"
+        language: system
+        files: config\.json$
+        pass_filenames: false

.secrets.baseline

@@ -0,0 +1,6 @@
+{
+  "version": "1.4.0",
+  "plugins_used": [],
+  "filters_used": [],
+  "results": {}
+}