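# ==========================================
# Stage 1: Build a statically linked scanner binary
# ==========================================
# NOTE(review): the base image is pinned by tag only. A tag can be re-pushed,
# so append the digest (docker.io/golang:1.25.7-trixie@sha256:<digest>) to make
# the toolchain that compiles the shipped binary immutable.
FROM docker.io/golang:1.25.7-trixie AS builder

# Build-time only: ARG keeps the variable out of the stage's persistent
# environment while still exposing it to the RUN steps below.
ARG DEBIAN_FRONTEND=noninteractive

# update + install + list cleanup stay in one layer so a cached, stale package
# index is never reused and the lists never persist in a layer.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        libsqlite3-dev \
        sqlite3 && \
    rm -rf /var/lib/apt/lists/*

WORKDIR /build

# Disable workspace mode — go.work references modules not in the Docker context
ENV GOWORK=off

# Copy module definitions first for layer caching
COPY go.mod go.sum ./
COPY scanner/go.mod scanner/go.sum ./scanner/

# WORKDIR replaces the former `RUN cd scanner && ...` so the working directory
# is explicit and shared by both go invocations.
WORKDIR /build/scanner
RUN go mod download

# Copy full source. The destination is absolute because WORKDIR is now
# /build/scanner; the files land in /build exactly as before.
# NOTE(review): this copies the whole build context into the builder stage;
# confirm a .dockerignore keeps credentials and local env files out of it.
COPY . /build/

# CGO is enabled and the binary is linked fully static (-extldflags '-static')
# so it can run on scratch; -s -w strip symbol/debug data and -trimpath removes
# local filesystem paths from the binary.
RUN CGO_ENABLED=1 go build \
    -ldflags="-s -w -linkmode external -extldflags '-static'" \
    -trimpath \
    -o /build/atcr-scanner ./cmd/scanner

# ==========================================
# Stage 2: Minimal FROM scratch runtime
# ==========================================
FROM scratch

# Copy CA certificates for HTTPS (presigned URL downloads)
# The trust store is a snapshot from the builder image, so rebuild regularly to
# pick up CA additions and removals.
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

# Copy timezone data for timestamp formatting
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo

# Copy binary
COPY --from=builder /build/atcr-scanner /atcr-scanner

# Expose health endpoint port
EXPOSE 9090

# OCI image annotations
LABEL org.opencontainers.image.title="ATCR Scanner" \
      org.opencontainers.image.description="ATCR Scanner - container image vulnerability scanner with Syft and Grype" \
      org.opencontainers.image.authors="ATCR Contributors" \
      org.opencontainers.image.source="https://tangled.org/evan.jarrett.net/at-container-registry" \
      org.opencontainers.image.documentation="https://tangled.org/evan.jarrett.net/at-container-registry" \
      org.opencontainers.image.licenses="MIT" \
      org.opencontainers.image.version="0.1.0"

# NOTE(review): no USER is set, so the scanner runs as UID 0. The process
# handles container images, which are untrusted input, so a non-root identity
# is worth having. A numeric `USER 65532:65532` works on scratch without
# /etc/passwd, but every path the binary writes to (database/cache directories,
# temp files — not visible from this file) must then be writable by that UID,
# e.g. via mounted volumes. Confirm before enabling.
ENTRYPOINT ["/atcr-scanner"]
CMD ["serve"]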