diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6787afce11..ad9b26be7c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -154,13 +154,17 @@ jobs:
     - name: Make Release Build
       env:
         DEBIAN_FRONTEND: noninteractive
+        BROWSERSLIST_IGNORE_OLD_DATA: 1
       run: |
         echo "PKG_VERSION: $PKG_VERSION"
         echo "GITHUB_SHA: $GITHUB_SHA"
         echo "GITHUB_REF_NAME: $GITHUB_REF_NAME"
-        echo "Running build script..."
-        chmod +x ./dev/deploy/build.sh
-        sh ./dev/deploy/build.sh
+        echo "Running frontend build script..."
+        echo "Compiling native node packages..."
+        yarn rebuild
+        echo "Packaging static assets..."
+        yarn build --base=https://static.ietf.org/dt/$PKG_VERSION/
+        yarn legacy:build
         echo "Setting version $PKG_VERSION..."
         sed -i -r -e "s|^__version__ += '.*'$|__version__ = '$PKG_VERSION'|" ietf/__init__.py
         sed -i -r -e "s|^__release_hash__ += '.*'$|__release_hash__ = '$GITHUB_SHA'|" ietf/__init__.py
@@ -178,7 +182,7 @@ jobs:
       run: |
         echo "Build release tarball..."
         mkdir -p /home/runner/work/release
-        tar -czf /home/runner/work/release/release.tar.gz -X dev/deploy/exclude-patterns.txt .
+        tar -czf /home/runner/work/release/release.tar.gz -X dev/build/exclude-patterns.txt .
 
     - name: Collect + Push Statics
       env:
@@ -189,10 +193,33 @@ jobs:
         AWS_ENDPOINT_URL: ${{ secrets.CF_R2_ENDPOINT }}
       run: |
         echo "Collecting statics..."
-        docker run --rm --name collectstatics -v $(pwd):/workspace ghcr.io/ietf-tools/datatracker-app-base:latest sh dev/deploy/collectstatics.sh
+        docker run --rm --name collectstatics -v $(pwd):/workspace ghcr.io/ietf-tools/datatracker-app-base:latest sh dev/build/collectstatics.sh
         echo "Pushing statics..."
         cd static
         aws s3 sync . s3://static/dt/$PKG_VERSION --only-show-errors
+
+    - name: Augment dockerignore for docker image build
+      env:
+        DEBIAN_FRONTEND: noninteractive
+      run: |
+        cat >> .dockerignore <<EOL
+        .devcontainer
+        .github
+        .vscode
+        helm
+        playwright
+        svn-history
+        docker-compose.yml
+        EOL
+
+    - name: Build Release Docker Image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        file: dev/build/Dockerfile
+        platforms: linux/amd64,linux/arm64
+        push: true
+        tags: ghcr.io/ietf-tools/datatracker:${{ env.PKG_VERSION }}
         
     - name: Update CHANGELOG
       id: changelog
diff --git a/dev/build/Dockerfile b/dev/build/Dockerfile
new file mode 100644
index 0000000000..2ffce35495
--- /dev/null
+++ b/dev/build/Dockerfile
@@ -0,0 +1,17 @@
+FROM ghcr.io/ietf-tools/datatracker-app-base:latest
+LABEL maintainer="IETF Tools Team <tools-discuss@ietf.org>"
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+COPY . .
+COPY ./dev/build/start.sh ./start.sh
+RUN pip3 --disable-pip-version-check --no-cache-dir install -r requirements.txt
+RUN chmod +x start.sh && \
+    chmod +x docker/scripts/app-create-dirs.sh && \
+    sh ./docker/scripts/app-create-dirs.sh
+
+VOLUME [ "/assets" ]
+
+EXPOSE 8000
+
+CMD ["./start.sh"]
\ No newline at end of file
diff --git a/dev/build/collectstatics.sh b/dev/build/collectstatics.sh
new file mode 100644
index 0000000000..44f1c608a9
--- /dev/null
+++ b/dev/build/collectstatics.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Copy temp local settings
+cp dev/build/settings_local_collectstatics.py ietf/settings_local.py
+
+# Install Python dependencies
+pip --disable-pip-version-check --no-cache-dir install -r requirements.txt
+
+# Collect statics
+ietf/manage.py collectstatic
+
+# Delete temp local settings
+rm ietf/settings_local.py
\ No newline at end of file
diff --git a/dev/deploy/exclude-patterns.txt b/dev/build/exclude-patterns.txt
similarity index 100%
rename from dev/deploy/exclude-patterns.txt
rename to dev/build/exclude-patterns.txt
diff --git a/dev/deploy/settings_local_collectstatics.py b/dev/build/settings_local_collectstatics.py
similarity index 100%
rename from dev/deploy/settings_local_collectstatics.py
rename to dev/build/settings_local_collectstatics.py
diff --git a/dev/build/start.sh b/dev/build/start.sh
new file mode 100644
index 0000000000..ef64ca7b30
--- /dev/null
+++ b/dev/build/start.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+echo "Running Datatracker checks..."
+./ietf/manage.py check
+
+echo "Running Datatracker migrations..."
+./ietf/manage.py migrate --settings=settings_local
+
+echo "Starting Datatracker..."
+./ietf/manage.py runserver 0.0.0.0:8000 --settings=settings_local
diff --git a/dev/deploy/build.sh b/dev/deploy/build.sh
deleted file mode 100644
index 6966955048..0000000000
--- a/dev/deploy/build.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-echo "Compiling native node packages..."
-yarn rebuild
-echo "Packaging static assets..."
-if [ "${SHOULD_DEPLOY}" = "true" ]; then
-    yarn build --base=https://static.ietf.org/dt/$PKG_VERSION/
-else
-    yarn build
-fi
-yarn legacy:build
diff --git a/dev/deploy/collectstatics.sh b/dev/deploy/collectstatics.sh
deleted file mode 100644
index 0d1c683ded..0000000000
--- a/dev/deploy/collectstatics.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-cp dev/deploy/settings_local_collectstatics.py ietf/settings_local.py
-
-# Install Python dependencies
-pip --disable-pip-version-check --no-cache-dir install -r requirements.txt
-
-# Collect statics
-ietf/manage.py collectstatic
\ No newline at end of file
diff --git a/helm/.helmignore b/helm/.helmignore
new file mode 100644
index 0000000000..2252590f2e
--- /dev/null
+++ b/helm/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
\ No newline at end of file
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
new file mode 100644
index 0000000000..1c19834c06
--- /dev/null
+++ b/helm/Chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v2
+name: datatracker
+description: The day-to-day front-end to the IETF database for people who work on IETF standards.
+home: https://datatracker.ietf.org
+sources:
+  - https://github.com/ietf-tools/datatracker
+maintainers:
+  - name: IETF Tools Team
+    email: tools-discuss@ietf.org
+    url: https://github.com/ietf-tools
+    
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"
\ No newline at end of file
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
new file mode 100644
index 0000000000..071e9b824c
--- /dev/null
+++ b/helm/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+  Expand the name of the chart.
+  */}}
+{{- define "datatracker.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "datatracker.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "datatracker.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "datatracker.labels" -}}
+helm.sh/chart: {{ include "datatracker.chart" . }}
+{{ include "datatracker.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "datatracker.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "datatracker.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "datatracker.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "datatracker.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
new file mode 100644
index 0000000000..b47c41a970
--- /dev/null
+++ b/helm/templates/deployment.yaml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "datatracker.fullname" . }}
+  labels:
+    {{- include "datatracker.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+  selector:
+    matchLabels:
+      {{- include "datatracker.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "datatracker.selectorLabels" . | nindent 8 }}
+    spec:
+    {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      serviceAccountName: {{ include "datatracker.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ default "latest" .Values.image.tag }}"
+          imagePullPolicy: {{ default "IfNotPresent" .Values.image.imagePullPolicy }}
+          env:
+            {{- if .Values.env }}
+            {{- toYaml .Values.env | nindent 12 }}
+            {{- end }}
+    {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+    {{- end }}
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          startupProbe:
+            {{- toYaml .Values.startupProbe | nindent 12 }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.volumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
diff --git a/helm/templates/hpa.yaml b/helm/templates/hpa.yaml
new file mode 100644
index 0000000000..518f7e23ab
--- /dev/null
+++ b/helm/templates/hpa.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "datatracker.fullname" . }}
+  labels:
+    {{- include "datatracker.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "datatracker.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/helm/templates/ingress.yaml b/helm/templates/ingress.yaml
new file mode 100644
index 0000000000..8d9258cd83
--- /dev/null
+++ b/helm/templates/ingress.yaml
@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "datatracker.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "datatracker.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
new file mode 100644
index 0000000000..f1bdca0ad2
--- /dev/null
+++ b/helm/templates/service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{include "datatracker.fullname" .}}
+  labels: {{- include "datatracker.labels" . | nindent 4 }}
+  {{- with .Values.service.annotations }}
+  annotations:
+    {{- range $key, $value := . }}
+      {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+spec:
+  type: {{.Values.service.type}}
+  ports:
+    - port: {{ default "80" .Values.service.port}}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector: {{- include "datatracker.selectorLabels" . | nindent 4}}
\ No newline at end of file
diff --git a/helm/templates/serviceaccount.yaml b/helm/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..475fcd51f7
--- /dev/null
+++ b/helm/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "datatracker.serviceAccountName" . }}
+  labels:
+    {{- include "datatracker.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/helm/values.yaml b/helm/values.yaml
new file mode 100644
index 0000000000..92efbce9dd
--- /dev/null
+++ b/helm/values.yaml
@@ -0,0 +1,118 @@
+# Default values for datatracker.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: "ghcr.io/ietf-tools/datatracker"
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  # tag: "v1.1.0"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+livenessProbe:
+  httpGet:
+    path: /healthz
+    port: http
+
+readinessProbe:
+  httpGet:
+    path: /healthz
+    port: http
+
+startupProbe:
+  initialDelaySeconds: 15
+  periodSeconds: 5
+  timeoutSeconds: 5
+  successThreshold: 1
+  failureThreshold: 60
+  httpGet:
+    path: /healthz
+    port: http
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: datatracker.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+# Additional volumes on the output Deployment definition.
+volumes: []
+# - name: foo
+#   secret:
+#     secretName: mysecret
+#     optional: false
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: []
+# - name: foo
+#   mountPath: "/etc/foo"
+#   readOnly: true
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
\ No newline at end of file