# Build stage
FROM golang:1.23-alpine AS builder
WORKDIR /app

# Install build dependencies
RUN apk add --no-cache git ca-certificates

# Copy dependency files first for better layer caching
COPY go.mod go.sum ./
RUN go mod download

# Copy source code
COPY . .

# Build the binary
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-w -s" -o /bin/server ./cmd/server

# ── Final stage ─────────────────────────────────────────────────────────
FROM alpine:latest
WORKDIR /app

# Install ca-certificates for HTTPS outbound calls
RUN apk --no-cache add ca-certificates

# Copy binary from builder
COPY --from=builder /bin/server /app/server

# Expose the default port (overridden by PORT env var)
EXPOSE 8080

# Run as non-root
RUN adduser -D -s /bin/sh appuser
USER appuser

ENTRYPOINT ["/app/server"]