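# Build stage: compiles a static whoosh binary from the vendored dependencies.
# NOTE(review): the base image is pinned by tag only. Pinning it by digest as
# well would make rebuilds reproducible and protect against a re-pushed tag.
FROM golang:1.22-alpine AS builder

# Build-time packages. The CA bundle and zoneinfo installed here are copied
# into the final image further down.
RUN apk add --no-cache git ca-certificates tzdata

WORKDIR /app

# Module files and the vendor tree are copied ahead of the rest of the source.
COPY go.mod go.sum ./
COPY vendor/ vendor/

# The build uses -mod=vendor, so dependencies are taken from vendor/ instead of
# being fetched here.
# RUN go mod download && go mod verify

# NOTE(review): this copies the whole build context. Confirm a .dockerignore
# keeps .git, .env files and other local credentials out of the builder layers.
COPY . .

# Version metadata stamped into the binary through -ldflags -X.
# Build args are recorded in the image history, so they must never carry secrets.
ARG VERSION=v0.1.0-mvp
ARG COMMIT_HASH
ARG BUILD_DATE

# CGO_ENABLED=0 yields a static binary that can run on scratch.
# -trimpath removes the builder's absolute paths from the binary, so the output
# does not depend on (or reveal) the build directory layout.
# -w -s drop DWARF and symbol tables to shrink the binary.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
    -mod=vendor \
    -trimpath \
    -ldflags="-w -s -X main.version=${VERSION} -X main.commitHash=${COMMIT_HASH} -X main.buildDate=${BUILD_DATE}" \
    -a -installsuffix cgo \
    -o whoosh ./cmd/whoosh

# Final stage: scratch image with no shell or package manager, only the files
# copied below.
FROM scratch

# Timezone database and CA bundle, needed for time zone lookups and for
# verifying TLS peers.
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

# Account databases so UID/GID 65534 resolves to a name.
# NOTE(review): these are the builder's complete passwd and group files; a
# file holding only the 65534 entry would ship less to the runtime image.
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /etc/group /etc/group

WORKDIR /app

# Binary and migrations are owned by the unprivileged runtime user.
COPY --from=builder --chown=65534:65534 /app/whoosh /app/whoosh
COPY --from=builder --chown=65534:65534 /app/migrations /app/migrations

# Run as nobody (UID/GID 65534), given numerically so the runtime can verify
# that the container is non-root.
USER 65534:65534

# Documentation only: 8080 is unprivileged, so the non-root user can bind it.
EXPOSE 8080

# The image has no shell or curl, so the probe is the binary itself in exec form.
HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
    CMD ["/app/whoosh", "--health-check"]

LABEL maintainer="CHORUS Ecosystem" \
      description="WHOOSH - Autonomous AI Development Teams" \
      org.opencontainers.image.title="WHOOSH" \
      org.opencontainers.image.description="Orchestration platform for autonomous AI development teams" \
      org.opencontainers.image.vendor="CHORUS Services"

# Exec form keeps whoosh as PID 1 so it receives stop signals directly.
# CMD is empty, so arguments come only from `docker run`.
ENTRYPOINT ["/app/whoosh"]
CMD []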