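# Three-stage build: lint -> builder (test + compile) -> minimal runtime image.
# Every base image is pinned by digest; the tag/date comment above each FROM
# records what that digest is expected to correspond to, so update both
# together when bumping.

# Lint stage
# golangci/golangci-lint:v2.1.6-alpine, 2025-04-22
FROM golangci/golangci-lint:v2.1.6-alpine@sha256:b122e5b85ddc99f62cb750039b5137247dda2327cbb96cac617bc0987be4f575 AS lint

RUN apk add --no-cache make build-base

WORKDIR /src

# Copy go mod files first for better layer caching
COPY go.mod go.sum ./
RUN go mod download

# Copy source code
# NOTE(review): this copies the entire build context into the stage; confirm a
# .dockerignore keeps local credentials and .env-style files out of it.
COPY . .

# Run formatting check and linter
RUN make fmt-check
RUN make lint

# Build stage
# golang:1.24.4-alpine, 2026-03-17
FROM golang:1.24.4-alpine@sha256:68932fa6d4d4059845c8f40ad7e654e626f3ebd3706eef7846f319293ab5cb7a AS builder

# Depend on lint stage passing: nothing else references the lint stage, so this
# copy is what makes the builder (and therefore the final image) require it.
# The copied file itself is discarded.
COPY --from=lint /src/go.sum /dev/null

ARG VERSION=dev

# Install build dependencies for CGO (mattn/go-sqlite3) and sqlite3 CLI (tests)
RUN apk add --no-cache make build-base sqlite

WORKDIR /src

# Copy go mod files first for better layer caching
COPY go.mod go.sum ./
RUN go mod download

# Copy source code
COPY . .

# Run tests
RUN make test

# Commit hash stamped into the binary. This stage installs no git, and .git may
# not be part of the build context, so the `git rev-parse` fallback below is
# likely to yield "unknown" unless the base image ships git. Pass
# --build-arg COMMIT=<full commit hash> to get a binary that can be traced back
# to its source revision; when COMMIT is empty the previous behaviour is kept.
# Declared late so that changing it does not invalidate the layers above.
ARG COMMIT=""

# Build with CGO enabled (required for mattn/go-sqlite3)
RUN CGO_ENABLED=1 go build \
    -ldflags "-X 'git.eeqj.de/sneak/vaultik/internal/globals.Version=${VERSION}' -X 'git.eeqj.de/sneak/vaultik/internal/globals.Commit=${COMMIT:-$(git rev-parse HEAD 2>/dev/null || echo unknown)}'" \
    -o /vaultik ./cmd/vaultik

# Runtime stage
# alpine:3.21, 2026-02-25
FROM alpine:3.21@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709

# ca-certificates provides the CA bundle for TLS verification.
# NOTE(review): the sqlite package is also installed here; drop it if the
# binary does not need the sqlite CLI at runtime, to keep the image smaller.
RUN apk add --no-cache ca-certificates sqlite

# Copy binary from builder
COPY --from=builder /vaultik /usr/local/bin/vaultik

# Create non-root user (no password, no home directory, no login shell)
# NOTE(review): the UID is whatever adduser assigns. Kubernetes runAsNonRoot
# cannot verify a user given by name, so deployments relying on it need an
# explicit numeric runAsUser, or a fixed UID here.
RUN adduser -D -H -s /sbin/nologin vaultik

USER vaultik

ENTRYPOINT ["/usr/local/bin/vaultik"]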