# v4d CI build image — a "warm" runner image so CI skips the cold ~12-minute
# dependency compile (and the per-run Go toolchain download). It bakes:
#   - the Go toolchain (matching go.mod),
#   - the module cache (GOMODCACHE), populated from go.mod/go.sum,
#   - the build cache (GOCACHE), pre-warmed by running the SAME build/test
#     commands CI uses — so the expensive aws-sdk/smithy dependency objects are
#     already compiled (content-addressed, so they survive v4d source changes).
#
# Built + pushed to the v4d-ci repo by .gitea/workflows/build-ci-image.yml (weekly +
# on go.mod/go.sum change), via the LAN registry endpoint 192.168.0.2:1234 (Gitea's
# internal :3000) — NOT public git.jpaul.io, which is Cloudflare-fronted with a
# ~100 MB request cap that rejects the multi-hundred-MB image layers. CI/release jobs
# run in this image via `container:` and skip actions/setup-go. Rebuilding on a dep bump keeps the
# baked cache fresh; staleness is never wrong (Go caches are content-addressed),
# only slightly less warm.
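# ---- base: Go toolchain + OS tools shared by the warm-up stage and the final image ----
# NOTE(review): `1.25-bookworm` is a mutable tag, so each rebuild trusts whatever the
# registry serves for it at that moment. If the CI image must be reproducible/auditable,
# pin by digest (golang:1.25-bookworm@sha256:<DIGEST>) and bump the digest deliberately.
FROM golang:1.25-bookworm AS base

# git + CA certs for checkout/module fetch; Node 20 so JS actions (actions/checkout@v4)
# run inside the container.
#
# The NodeSource key is downloaded to a file and de-armored in a second step instead of
# `curl | gpg`: the default /bin/sh has no pipefail, so in a pipeline only gpg's exit
# status counts and a failed download would not stop the build. The final
# `node --version` check fails the build if anything other than Node 20 got installed.
# NOTE(review): the key is trusted as served over TLS; to pin it, compare its
# fingerprint against a value recorded out-of-band (<EXPECTED_KEY_FINGERPRINT>).
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      ca-certificates \
      curl \
      git \
      gnupg \
 && mkdir -p /etc/apt/keyrings \
 && curl -fsSL -o /tmp/nodesource-repo.gpg.key https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
 && gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg /tmp/nodesource-repo.gpg.key \
 && rm -f /tmp/nodesource-repo.gpg.key \
 && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" > /etc/apt/sources.list.d/nodesource.list \
 && apt-get update && apt-get install -y --no-install-recommends nodejs \
 && node --version | grep -q '^v20\.' \
 && apt-get clean && rm -rf /var/lib/apt/lists/*

# Use the toolchain baked in this image; never auto-download a different one.
ENV GOTOOLCHAIN=local

# ---- warm: throwaway stage that sees the source tree and fills the Go caches ----
# The source snapshot is copied ONLY into this stage. Deleting it with `rm -rf` in a
# later layer of a single-stage build would hide the files but leave them readable in
# the earlier COPY layer of the pushed image (including anything else in the build
# context, e.g. .git metadata or local env files, unless .dockerignore excludes them).
# Because this stage is not part of the final image, no explicit cleanup is needed.
FROM base AS warm
WORKDIR /warm

# 1) Module cache — depends only on go.mod/go.sum, so this layer (and the big
#    dependency download) is reused across rebuilds unless deps actually change.
COPY go.mod go.sum ./
RUN go mod download

# 2) Build cache — compile deps + packages with the EXACT flag variants CI uses
#    (plain `go test`/consolidate build, and `-trimpath` for the cmd/v4d builds),
#    so both cache-key variants are warm. Tests are run to warm the test-compile
#    cache; a failing test here must not fail the image (the compiled objects are
#    cached regardless), hence `|| true`.
COPY . .
RUN go test ./... -count=1 >/dev/null 2>&1 || true
# The binaries written to /tmp are by-products; they are discarded with this stage.
RUN GOOS=linux GOARCH=amd64 go build -trimpath -o /tmp/v4d-amd64 ./cmd/v4d \
 && GOOS=linux GOARCH=arm64 go build -trimpath -o /tmp/v4d-arm64 ./cmd/v4d \
 && go build -o /tmp/v4d-consolidate ./cmd/v4d-consolidate

# ---- final: base tools + warm caches only; CI checks out fresh source ----
FROM base

# Carry over just the warm GOMODCACHE (/go/pkg/mod) and GOCACHE
# (/root/.cache/go-build); no layer of this image ever contained the source tree.
COPY --from=warm /go/pkg/mod /go/pkg/mod
COPY --from=warm /root/.cache/go-build /root/.cache/go-build

WORKDIR /workspace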

# OCI image labels: provenance metadata stored on the image, pointing at the upstream repo.
# NOTE: these labels are documentation only. Gitea 1.26.2 does NOT auto-link a
# container package to a repo from the `source` label; the v4d-ci package was linked
# once through the package-link API:
#   POST /api/v1/packages/justin/container/v4d-ci/-/link/v4d
# The link is stored at the package level and persists across rebuilds.
# This instruction stays last so that editing a label never invalidates the
# expensive cached layers above it.
LABEL \
  org.opencontainers.image.description="Pre-warmed CI build image for v4d (Go toolchain + warm module/build caches)." \
  org.opencontainers.image.source="https://git.jpaul.io/justin/v4d" \
  org.opencontainers.image.title="v4d-ci" \
  org.opencontainers.image.url="https://git.jpaul.io/justin/v4d"
