# syntax=docker/dockerfile:1

# ===== STAGE 1: Build =====
FROM golang:1.24-alpine AS builder

# Instala certificados SSL para HTTPS
RUN apk add --no-cache ca-certificates tzdata

WORKDIR /build

# Cache de dependências - só rebuild se go.mod/go.sum mudar
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod \
    go mod download && go mod verify

# Copia código fonte
COPY . .

# Build otimizado com cache
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
    go build -trimpath -ldflags="-s -w -extldflags '-static'" \
    -o /app/server ./cmd/api

# ===== STAGE 2: Runtime (scratch - imagem mínima ~5MB) =====
FROM scratch

# Certificados SSL e timezone
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo

# Binary
COPY --from=builder /app/server /server

# Usuário não-root (UID 65534 = nobody)
USER 65534:65534

EXPOSE 8080

ENTRYPOINT ["/server"]