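# Two-stage build: compile a static Go binary in a throwaway builder stage,
# then ship only that binary plus CA certificates in a small Alpine runtime.

# ---- Build stage ----
FROM golang:1.25.6-alpine AS builder
WORKDIR /src

# Install git for module downloads
RUN apk add --no-cache git

# Cache modules: copying only the manifests first keeps this layer cached
# until go.mod or go.sum changes.
COPY go.mod go.sum ./
RUN go mod download

# Copy source and build a static, stripped binary.
# NOTE(review): COPY . . sends the whole build context into this stage; keep
# .git, .env files and a local config.yaml out of it with a .dockerignore.
# GOARCH is fixed to amd64, so the runtime image must be built for linux/amd64.
# -o /bin is an existing directory, so every main package under ./... is
# written there under its own name.
COPY . .
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
    go build -ldflags="-s -w" -o /bin ./...

# ---- Runtime stage ----
FROM alpine:3.19

# Install CA certs for TLS
RUN apk add --no-cache ca-certificates

# Set working directory where config.yaml will live
WORKDIR /opt

# Copy binary into a standard location. It stays owned by root (the COPY
# default), so the unprivileged runtime user can execute it but cannot
# replace or modify it.
COPY --from=builder /bin/telegram-join-approval-nuzzles /usr/local/bin/telegram-join-approval-bot

# Create a non-root user and group with a fixed UID:GID and hand over /opt only.
# All options come before the login name so parsing does not depend on
# getopt reordering arguments.
# NOTE(review): /opt is made writable for the app user; if the bot only reads
# config.yaml, this chown can be dropped as well.
RUN addgroup -g 65532 app && \
    adduser -D -H -h /opt -u 65532 -G app -s /sbin/nologin app && \
    chown -R app:app /opt

# Run as the created non-root user. The numeric form (same IDs as app:app
# above) lets runtimes that enforce a non-root policy verify the UID without
# reading /etc/passwd.
USER 65532:65532

ENTRYPOINT ["/usr/local/bin/telegram-join-approval-bot"]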