(In reply to Sven Marnach from comment #3)
What exactly does "in tree" mean? In mozilla-central on HGMO?
Apologies, I've always heard mozilla-central on HGMO be referred to as "in tree", but yes I mean mozilla-central on HGMO. Thanks for the clarification!
From an ops perspective, all we need is a Docker image we can run. Our usual setup is to have code on GitHub with automated builds that push to Docker Hub, and we pick up the image from there. We also have a few releng tools that live on HGMO which are built on Taskcluster and push images to Docker Hub.
I haven't used Docker too much, so I'm not too familiar with it. It looks like turning an NPM package into a Docker image is trivial though, so hopefully it won't be an issue when I need to hand over the update script/docker image.
We will have to discuss the exact setup with security. For images built with Circle CI, we verify that the image pulled from Docker Hub was actually built on Circle CI, so that a breach of Docker Hub alone wouldn't be enough to run random code in our production envs. How strict we need to be with your use case depends on how sensitive the data in the new RS collection is, and someone from security will make the call on what's acceptable.
Copy that. Who do I need to reach out to on security to start this conversation?
Thanks for the info Sven!