Implement the Docker environment to run the script in Mozilla Infra

.dockerignore

@@ -0,0 +1,34 @@
+# Include any files or directories that you don't want to be copied to your
+# container here (e.g., local build artifacts, temporary files, etc.).
+#
+# For more help, visit the .dockerignore file reference guide at
+# https://docs.docker.com/go/build-context-dockerignore/
+
+**/.DS_Store
+**/__pycache__
+**/.venv
+**/.classpath
+**/.dockerignore
+**/.env
+**/.git
+**/.gitignore
+**/.project
+**/.settings
+**/.toolstarget
+**/.vs
+**/.vscode
+**/*.*proj.user
+**/*.dbmdl
+**/*.jfm
+**/bin
+**/charts
+**/docker-compose*
+**/compose.y*ml
+**/Dockerfile*
+**/node_modules
+**/npm-debug.log
+**/obj
+**/secrets.dev.yaml
+**/values.dev.yaml
+LICENSE
+README.md

.github/workflows/cd.yaml

@@ -0,0 +1,25 @@
+name: Continuous Deployment
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+    tags:
+    - v[0-9]+.[0-9]+.[0-9]+
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  build-and-publish:
+    name: Build and publish the container image
+    uses: mozilla/remote-settings/.github/workflows/ingestion-job-publish.yaml@main
+    with:
+      # Publish `main` branch to `nonprod` and tags to `prod`
+      realm: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && 'prod' || 'nonprod' }}
+      # Build but do not publish the container on pull-requests
+      publish: ${{ github.event_name != 'pull_request' }}

Dockerfile

@@ -0,0 +1,34 @@
+FROM python:3.13.3-slim
+
+ARG UID=10001
+ARG GID=10001
+
+# Create group and user in a single RUN command to reduce layers
+RUN groupadd -g ${GID} app && \
+    useradd -m -u ${UID} -g ${GID} -s /usr/sbin/nologin app && \
+    mkdir /app && chown -R app:app /app
+
+# Switch to the non-root user
+USER app
+
+# Clone the URLClassifier exceptions manager
+WORKDIR /app
+
+# Copy requirements and install dependencies
+COPY --chown=app:app requirements.txt .
+RUN python -m pip install --no-cache-dir -r requirements.txt
+
+# Copy the rest of the application code
+COPY --chown=app:app . .
+
+# Install the package for the app user only (no root needed)
+RUN python -m pip install --no-cache-dir . --upgrade --user
+
+# Add user's local bin to PATH
+ENV PATH="/home/app/.local/bin:$PATH"
+
+# Make the entrypoint script executable
+RUN chmod +x /app/entrypoint.sh
+
+# Set the entrypoint to use our startup script
+ENTRYPOINT ["/app/entrypoint.sh"]

entrypoint.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+get_env_var() {
+    local var_name="$1"
+    local value="${!var_name}"
+
+    if [ -z "$value" ]; then
+        echo "Error: environment variable '$var_name' not set" >&2
+        return 1
+    else
+        echo "$value"
+    fi
+}
+
+# The environment should be either "stage" or "prod" to indicate the server to
+# use.
+ENVIRONMENT=$(get_env_var "ENVIRONMENT")
+
+# The authorization token to use for connecting to the Remote Settings server.
+AUTHORIZATION=$(get_env_var "AUTHORIZATION")
+
+# Whether to run the command in dry-run mode.
+DRY_RUN="${DRY_RUN:-}"
+
+# Check for Bugzilla API key. We need the API key to interact with Bugzilla
+# bugs.
+BZ_API_KEY=$(get_env_var "BZ_API_KEY")
+
+# Execute the command
+uce-manager auto --server "$ENVIRONMENT" --server-location "$SERVER" --auth "$AUTHORIZATION" ${DRY_RUN:+--dry-run} ${FORCE:+--force}