# blueprint-controller — slice C3 of EPIC-0 (#1095).
#
# Distroless-static final image; non-root UID 65532; size ~30-40 MiB.
# Per Inviolable Principle #4a, this image must be built ONLY by the
# GitHub Actions pipeline and tagged with the git SHA. Local builds
# never reach GHCR.
#
# Build context: the repo root (so we can COPY core/controllers/...
# directly).
#
# Slice CC1 (#1095) consolidated the 5 Group C controllers under a
# single shared go.mod at core/controllers/go.mod and shared helpers
# under core/controllers/internal/. The COPY layout below mirrors that.

# Build stage. Nothing from this stage reaches the published image except
# the single binary written to /out.
# NOTE(review): golang:1.23-alpine is a floating tag, so the toolchain
# image can change between builds of the same git SHA. Consider pinning it
# by digest in the pipeline (golang:1.23-alpine@sha256:<digest>, placeholder).
FROM golang:1.23-alpine AS build

# Work from the shared module root (core/controllers/go.mod, slice CC1
# #1095). Only the module manifests are copied first so the download
# layer is reused until go.mod or go.sum changes. go.sum records the
# expected hash of each dependency, and the download fails on a mismatch.
WORKDIR /src/core/controllers
COPY core/controllers/go.mod core/controllers/go.sum ./
RUN go mod download

# Source trees, copied explicitly rather than with a blanket `COPY . .`,
# which keeps unrelated repo content out of the build stage.
#   internal/  — shared helpers for the Group C controllers.
#   pkg/       — shared HTTP-client tree (gitea, keycloak, kc-mappers, …)
#                used by every Group C controller. blueprint-controller
#                imports core/controllers/pkg/gitea from cmd/main.go and
#                internal/controller/blueprint_controller.go.
#   blueprint/ — this controller's own package tree.
# Without the pkg/ COPY the `go build` step fails with `no required module
# provides package github.com/openova-io/openova/core/controllers/pkg/gitea`.
# That failure went unnoticed on every push-to-main after slice CC1 (#1095)
# promoted pkg/ to the shared tree, so the blueprint-controller image has
# NEVER been published to GHCR (Refs TBD-V28 #2047). The layout mirrors the
# application, environment, and organization Containerfiles.
COPY core/controllers/internal/ ./internal/
COPY core/controllers/pkg/ ./pkg/
COPY core/controllers/blueprint/ ./blueprint/

# CGO_ENABLED=0 is needed because the distroless static runtime image
# ships no libc for a cgo binary to link against.
# -trimpath drops build-host filesystem paths from the binary, and
# -ldflags="-s -w" strips the symbol table and DWARF debug info.
WORKDIR /src/core/controllers/blueprint
RUN CGO_ENABLED=0 GOOS=linux \
    go build -trimpath -ldflags="-s -w" \
        -o /out/blueprint-controller ./cmd

# Runtime stage — distroless static for a minimal, non-root,
# CVE-narrow image. The base ships no shell and no package manager, so
# the controller binary is the only executable added here.
# NOTE(review): the :nonroot tag is mutable. For a reproducible,
# auditable base, consider pinning by digest
# (gcr.io/distroless/static-debian12:nonroot@sha256:<digest>, placeholder).
FROM gcr.io/distroless/static-debian12:nonroot
# No --chown: COPY's default ownership is 0:0, so the runtime user
# (65532) does not own the binary it runs.
COPY --from=build /out/blueprint-controller /blueprint-controller
# Numeric UID:GID rather than a user name, so an orchestrator enforcing
# a non-root policy (e.g. Kubernetes runAsNonRoot) can verify it from
# image metadata alone.
USER 65532:65532
# Exec (JSON-array) form: the binary is started directly, with no
# wrapping shell, and receives stop signals itself.
ENTRYPOINT ["/blueprint-controller"]
