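########################
# 1) Build stage
########################
# Runs on the builder's native platform ($BUILDPLATFORM) and cross-compiles
# to the requested target through GOOS/GOARCH below.
# NOTE(review): the base image is referenced by a mutable tag. Pin it by
# digest (golang:1.23-alpine@sha256:<DIGEST_PLACEHOLDER>) so a re-tagged or
# compromised upstream image cannot silently change the toolchain.
FROM --platform=$BUILDPLATFORM golang:1.23-alpine AS build
WORKDIR /src

# Pure-Go static binary: the runtime image below ships no libc.
ENV CGO_ENABLED=0

# CA certs for TLS to Vault/MinIO
RUN apk add --no-cache ca-certificates && update-ca-certificates

# Cache deps: only go.mod/go.sum are copied first, so this layer is reused
# until the dependency set changes. Modules land in the cache mount, not in
# the image layer.
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod \
    go mod download

# Copy source
# NOTE(review): this copies the whole build context into the build stage.
# Keep a .dockerignore that excludes .git, .env files, keys and other local
# secrets; only the compiled binary reaches the final image, but the build
# stage's layers may still be cached or pushed.
COPY . .

# Pick your entrypoint package; default assumes ./cmd/api/main.go
# You can override APP_DIR build-arg from compose if needed.
ARG APP_DIR=./cmd/api
ARG TARGETOS TARGETARCH

# The module cache is mounted here as well: cache-mount contents are not
# persisted in layers, so without it this step would re-fetch every module
# that `go mod download` stored above.
# -trimpath drops local filesystem paths from the binary; -s -w strips the
# symbol table and DWARF data; -buildid= clears the build ID.
# Expansions are quoted so a build-arg value cannot be word-split or globbed.
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    GOOS="$TARGETOS" GOARCH="$TARGETARCH" \
    go build -trimpath -ldflags="-s -w -buildid=" -o /out/snoop-api "$APP_DIR"

########################
# 2) Minimal runtime
########################
# Distroless static image: no shell and no package manager, and the :nonroot
# variant defaults to an unprivileged user.
# NOTE(review): pin by digest here too
# (gcr.io/distroless/static:nonroot@sha256:<DIGEST_PLACEHOLDER>).
FROM gcr.io/distroless/static:nonroot

# Copy CA bundle for HTTPS calls
# NOTE(review): distroless/static already ships a CA bundle; this overwrites
# it with the one from the Alpine build stage. Confirm that is intended.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /out/snoop-api /snoop-api

# Explicit even though the :nonroot tag already sets it. The numeric form
# (65532:65532 in distroless) lets Kubernetes `runAsNonRoot` verify the user
# without resolving the name.
USER nonroot:nonroot

# Unprivileged port (>1024), so no extra capability is needed to bind it.
EXPOSE 8080
ENTRYPOINT ["/snoop-api"]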