# golang:1.24 (bookworm) — 2026-03-01
# Using Debian-based image because gorm.io/driver/sqlite pulls in
# mattn/go-sqlite3 (CGO), which does not compile on Alpine musl.
FROM golang@sha256:d2d2bc1c84f7e60d7d2438a3836ae7d0c847f4888464e7ec9ba3a1339a1ee804 AS builder

# gcc is pre-installed in the Debian-based golang image
RUN apt-get update && apt-get install -y --no-install-recommends make && rm -rf /var/lib/apt/lists/*

WORKDIR /build

# Install golangci-lint v1.64.8 — 2026-03-01
# Using v1.x because the repo's .golangci.yml uses v1 config format.
RUN set -eux; \
    GOLANGCI_VERSION="1.64.8"; \
    ARCH="$(uname -m)"; \
    case "${ARCH}" in \
        x86_64) \
            GOARCH="amd64"; \
            GOLANGCI_SHA256="b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"; \
            ;; \
        aarch64) \
            GOARCH="arm64"; \
            GOLANGCI_SHA256="a6ab58ebcb1c48572622146cdaec2956f56871038a54ed1149f1386e287789a5"; \
            ;; \
        *) echo "unsupported architecture: ${ARCH}" && exit 1 ;; \
    esac; \
    wget -q "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_VERSION}/golangci-lint-${GOLANGCI_VERSION}-linux-${GOARCH}.tar.gz" \
        -O /tmp/golangci-lint.tar.gz; \
    echo "${GOLANGCI_SHA256}  /tmp/golangci-lint.tar.gz" | sha256sum -c -; \
    tar -xzf /tmp/golangci-lint.tar.gz -C /tmp; \
    mv "/tmp/golangci-lint-${GOLANGCI_VERSION}-linux-${GOARCH}/golangci-lint" /usr/local/bin/; \
    rm -rf /tmp/golangci-lint*; \
    golangci-lint --version

# Copy go module files and download dependencies
COPY go.mod go.sum ./
COPY pkg/config/go.mod pkg/config/go.sum ./pkg/config/
RUN go mod download

# Copy source code
COPY . .

# Run all checks (fmt-check, lint, test, build)
RUN make check

# alpine:3.21 — 2026-03-01
FROM alpine@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709

RUN apk --no-cache add ca-certificates

# Create non-root user
RUN addgroup -g 1000 -S webhooker && \
    adduser -u 1000 -S webhooker -G webhooker

WORKDIR /app

# Copy binary from builder
COPY --from=builder /build/bin/webhooker .

# Create data directory for per-webhook event databases
RUN mkdir -p /data/events

RUN chown -R webhooker:webhooker /app /data/events

USER webhooker

EXPOSE 8080

HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider http://localhost:8080/.well-known/healthcheck || exit 1

CMD ["./webhooker"]