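# ====== STAGE 1: build (Chainguard/Wolfi base, package manager is apk) ======
# NOTE(review): ":latest" is a moving tag, so two builds of the same commit can
# end up with different toolchains. Pin release builds by digest, e.g.
#   cgr.dev/chainguard/go@sha256:<DIGEST_PLACEHOLDER>
FROM cgr.dev/chainguard/go:latest AS builder

# Disabled in the original file; kept for reference.
#RUN apk add --no-cache git ca-certificates

WORKDIR /src

# Copy only the module manifests first so the dependency layer stays cached
# until go.mod or go.sum changes.
COPY go.mod go.sum ./

# Resolve dependencies strictly from the committed go.mod/go.sum and check the
# downloaded modules against their recorded hashes. No `go mod tidy` /
# `go mod vendor` here: tidy can add requirements at build time that the
# repository never recorded. If this step or the build fails on a missing
# entry, run `go mod tidy` locally and commit the result.
RUN go mod download && go mod verify

# NOTE(review): this copies the whole build context into the builder stage.
# Keep .git, .env files and credentials out of the context with a
# .dockerignore.
COPY . .

ENV CGO_ENABLED=0 \
    GOOS=linux \
    GOARCH=amd64

# -mod=readonly makes the build fail instead of rewriting go.mod/go.sum.
# NOTE(review): `-o` with a file path only works when `./...` resolves to a
# single package; confirm, or point the build at the main package directly.
RUN go build -mod=readonly -trimpath -ldflags="-s -w" -o /out/money ./...

# ====== STAGE 2: runtime (Debian from ECR Public) ======
# NOTE(review): the tag is not digest-pinned; consider
#   public.ecr.aws/docker/library/debian@sha256:<DIGEST_PLACEHOLDER>
FROM public.ecr.aws/docker/library/debian:bookworm-slim

# NOTE(review): bash, curl and git widen what is available inside a
# compromised container. Keep them only if the binary really invokes them at
# runtime; ca-certificates and tzdata are the usual minimum for a Go service.
RUN set -eux; \
    apt-get update; \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        bash \
        ca-certificates \
        curl \
        git \
        tzdata; \
    rm -rf /var/lib/apt/lists/*

# Create the non-root account (a bare `USER appuser` fails when the account
# does not exist). It gets its own group instead of GID 0, so it gains nothing
# from root-group file permissions, and no login shell. The data and state
# directories are created here and handed to that account, because /app itself
# is root-owned and UID 10001 could not create them at runtime.
RUN set -eux; \
    groupadd -r -g 10001 appuser; \
    useradd -r -u 10001 -g appuser -s /usr/sbin/nologin appuser; \
    install -d -o appuser -g appuser -m 0750 /app/data /app/state

WORKDIR /app

# The binary stays root-owned, so the running process cannot replace it.
COPY --from=builder /out/money /app/money

# Numeric UID:GID so the runtime can verify the container is non-root without
# consulting /etc/passwd.
USER 10001:10001

ENV DATA_DIR=/app/data \
    STATE_DIR=/app/state

ENTRYPOINT ["/app/money"]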