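# OCI-compliant multi-stage build for Podman
# Handles SELinux contexts and rootless operation

# Target architecture of the static binary. Defaults to amd64 (the
# previous hard-coded value); override with `--build-arg GOARCH=arm64`.
ARG GOARCH=amd64

FROM docker.io/library/golang:1.23-alpine AS builder

# git: lets `go mod download` fetch VCS-hosted modules
# ca-certificates / tzdata: copied into the scratch runtime stage below
RUN apk add --no-cache \
      ca-certificates \
      git \
      tzdata

WORKDIR /build

# Dependency manifests first so the module-download layer is reused
# when only application source changes (go.sum* tolerates a missing go.sum).
COPY go.mod go.sum* ./
RUN go mod download

COPY . .

# Build a fully static binary with no CGO so it can run on FROM scratch.
# -w -s strip DWARF and symbol tables to keep the final image small.
ARG GOARCH
RUN CGO_ENABLED=0 GOOS=linux GOARCH=${GOARCH} go build \
    -ldflags='-w -s -extldflags "-static"' \
    -a -installsuffix cgo \
    -o argparse-builder \
    .

# Minimal runtime with proper labels
FROM scratch

# NOTE(review): maintainer is a placeholder address — replace with the real contact.
LABEL maintainer="your-email@example.com" \
      org.opencontainers.image.title="Argparse Builder" \
      org.opencontainers.image.description="Interactive bash argument parser generator" \
      org.opencontainers.image.version="1.0.0" \
      org.opencontainers.image.authors="pynezz" \
      org.opencontainers.image.url="https://git.pynezz.dev/pynezz/argparser" \
      org.opencontainers.image.source="https://git.pynezz.dev/pynezz/argparser"

# Copy certificates and timezone data: scratch has no OS layer, so TLS
# verification and zone lookups would otherwise fail at runtime.
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo

# Copy binary
COPY --from=builder /build/argparse-builder /argparse-builder

# Expose port (documentation only; >1024 so it binds without privileges)
EXPOSE 8080

# Run as nobody user. Numeric UID:GID is required because scratch
# carries no /etc/passwd or /etc/group to resolve names.
USER 65534:65534

# Health check. Exec form only: scratch has no /bin/sh, so a probe with
# `|| exit 1` appended is parsed as shell form and can never execute,
# leaving the container permanently unhealthy. A non-zero exit from the
# probe already marks the container unhealthy, so no fallback is needed.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD ["/argparse-builder", "health"]

ENTRYPOINT ["/argparse-builder"]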