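# ---- Build stage: compiles the API binary and the golang-migrate CLI ----
# NOTE(review): image tags are mutable. For reproducible builds, consider pinning
# by digest, e.g. golang:1.26-alpine@sha256:<digest-placeholder>.
FROM golang:1.26-alpine AS builder

RUN apk add --no-cache \
      ca-certificates \
      git

# Install golang-migrate CLI with postgres driver (pure Go, no CGO needed).
# Pinned to an exact release rather than @latest so the tool copied into the
# runtime image does not change between builds. CGO_ENABLED=0 is set explicitly,
# matching the API build below, so the binary never depends on a C toolchain.
RUN CGO_ENABLED=0 go install -tags 'postgres' github.com/golang-migrate/migrate/v4/cmd/migrate@v4.18.1

WORKDIR /app

# Copy the module manifests first so the dependency download layer stays cached
# until go.mod or go.sum changes.
COPY go.mod go.sum ./
RUN go mod download

# NOTE(review): this copies the whole build context into the builder layer.
# Confirm that .dockerignore excludes .git, local .env files and other material
# that should not end up in build cache.
COPY . .

# TARGETOS/TARGETARCH are the automatic platform build args supplied by BuildKit.
ARG TARGETOS TARGETARCH
RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
    go build -ldflags="-s -w" -o /api ./cmd/api

# ---- Runtime stage: minimal Alpine image with only the built artifacts ----
# NOTE(review): the same digest-pinning consideration applies to this tag.
FROM alpine:3.21

# ca-certificates for outbound TLS verification, tzdata for time zone data.
RUN apk add --no-cache \
      ca-certificates \
      tzdata

WORKDIR /app

# No --chown is given, so the files stay root-owned: the unprivileged runtime
# user can read and execute them but cannot modify them.
COPY --from=builder /api .
# NOTE(review): the migrate CLI ships inside the API image, presumably for an
# init container or job. Confirm that the database credentials given to the
# long-running API container do not need schema-change (DDL) rights.
COPY --from=builder /go/bin/migrate /usr/local/bin/migrate
COPY migrations/ ./migrations/

# alpine:3.21 already ships nobody at UID/GID 65534, which matches
# podSecurityContext.runAsUser. The numeric form is used so Kubernetes can
# verify runAsNonRoot from the image config alone, because it cannot resolve a
# user name to a UID.
USER 65534:65534

# 8080 is an unprivileged port, so binding needs no extra capabilities.
EXPOSE 8080
ENTRYPOINT ["./api"]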