# ──────── Stage 1: build ────────
FROM node:22-alpine AS build
WORKDIR /app

# Manifests go in before the sources so the dependency layer is reused until
# package.json or package-lock.json changes. npm ci installs exactly what the
# lockfile records.
COPY package.json package-lock.json ./
RUN npm ci

# Everything in the build context that .dockerignore does not exclude lands in
# this stage; only /app/dist and /app/node_modules are copied out of it later.
COPY . .

# Build provenance supplied with --build-arg and exposed to the build as
# PUBLIC_BUILD_*. BUILD_TIME has no default, so PUBLIC_BUILD_TIME is empty
# unless a value is passed.
ARG BUILD_SHA=dev
ARG BUILD_REF=local
ARG BUILD_TIME
ENV PUBLIC_BUILD_SHA=${BUILD_SHA} \
    PUBLIC_BUILD_REF=${BUILD_REF} \
    PUBLIC_BUILD_TIME=${BUILD_TIME}

RUN npm run build

# ──────── Stage 2: runtime ────────
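FROM node:22-alpine
WORKDIR /app

# Infisical CLI — release tarball pinned by version.
# Bump INFISICAL_CLI_VERSION when upgrading, and update the matching
# INFISICAL_CLI_SHA256_* values in the same change.
#
# A version number alone does not pin the bytes that get installed: a release
# asset can be replaced after publication. Pass the expected SHA-256 of each
# architecture's tarball (taken from the release's published checksums, or
# computed once from a download you have verified) and the build fails on any
# mismatch. When the value for the current architecture is empty the check is
# skipped with a warning, so existing build commands keep working.
#
# The tarball is written to a file instead of being piped into tar: under
# /bin/sh without pipefail a failed download in a pipeline is not reported, and
# a file is needed for the digest check anyway.
ARG INFISICAL_CLI_VERSION=0.43.81
ARG INFISICAL_CLI_SHA256_AMD64=""
ARG INFISICAL_CLI_SHA256_ARM64=""
RUN set -eu; \
    apk add --no-cache bash curl ca-certificates; \
    case "$(uname -m)" in \
      x86_64)  ARCH=amd64; EXPECTED_SHA256="${INFISICAL_CLI_SHA256_AMD64:-}" ;; \
      aarch64) ARCH=arm64; EXPECTED_SHA256="${INFISICAL_CLI_SHA256_ARM64:-}" ;; \
      *)       ARCH="$(uname -m)"; EXPECTED_SHA256="" ;; \
    esac; \
    TARBALL=/tmp/infisical-cli.tar.gz; \
    curl -fsSL -o "${TARBALL}" \
      "https://github.com/Infisical/cli/releases/download/v${INFISICAL_CLI_VERSION}/cli_${INFISICAL_CLI_VERSION}_linux_${ARCH}.tar.gz"; \
    if [ -n "${EXPECTED_SHA256}" ]; then \
      echo "${EXPECTED_SHA256}  ${TARBALL}" | sha256sum -c -; \
    else \
      echo "WARNING: no SHA-256 supplied for linux_${ARCH}; Infisical CLI tarball installed unverified" >&2; \
    fi; \
    tar -xzf "${TARBALL}" -C /usr/local/bin infisical; \
    rm -f "${TARBALL}"; \
    chmod +x /usr/local/bin/infisical; \
    infisical --version; \
    rm -rf /var/cache/apk/*

# NOTE(review): node_modules is taken as-is from the build stage, where a plain
# `npm ci` ran, so development dependencies ship in the runtime image too.
# Pruning them would shrink the image and its attack surface — confirm first
# that nothing under dist/ needs a package listed as a devDependency.
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
COPY package.json ./
COPY docker/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# Same build provenance values as the build stage; ARGs do not carry across
# stages, so they are declared again here and kept late to limit cache busting.
ARG BUILD_SHA=dev
ARG BUILD_REF=local
ARG BUILD_TIME
ENV PUBLIC_BUILD_SHA=$BUILD_SHA
ENV PUBLIC_BUILD_REF=$BUILD_REF
ENV PUBLIC_BUILD_TIME=$BUILD_TIME

# Listen on all interfaces inside the container; 4321 is the documented port.
ENV HOST=0.0.0.0
ENV PORT=4321
EXPOSE 4321

# NOTE(review): no USER is set, so the entrypoint and the process it starts run
# as root. The base image ships an unprivileged `node` user; switch to it once
# docker/entrypoint.sh (not visible here) is confirmed not to need root.
ENTRYPOINT ["/entrypoint.sh"]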
