FROM golang:1.26-alpine AS builder
RUN apk --no-cache upgrade

WORKDIR /app
COPY go.mod go.sum ./
RUN GOPROXY="https://goproxy.cn,direct" go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build \
    -ldflags="-s -w" \
    -trimpath \
    -mod=readonly \
    -o eventrt main.go

# prepare runtime dependencies in a pinned alpine stage so they can be
# copied into scratch without pulling any vulnerable os packages at run time.
FROM alpine:3.21 AS certs
ARG USER_ID=1000
RUN apk --no-cache add ca-certificates tzdata && \
    adduser -D -u ${USER_ID} eventrt

FROM scratch
# CA certificates required for TLS connections (RabbitMQ amqps://)
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# timezone data
COPY --from=certs /usr/share/zoneinfo /usr/share/zoneinfo
# non-root user/group definitions
COPY --from=certs /etc/passwd /etc/passwd
COPY --from=certs /etc/group  /etc/group

WORKDIR /app
COPY --from=builder /app/eventrt ./eventrt

USER eventrt
CMD ["/app/eventrt", "-eventRT_config_dir=/app/configs"]