# ── Build stage ───────────────────────────────────────────────────────────────
FROM golang:1.25.8-alpine3.23@sha256:8e02eb337d9e0ea459e041f1ee5eece41cbb61f1d83e7d883a3e2fb4862063fa AS builder

RUN apk add --no-cache git gcc musl-dev

WORKDIR /src

# Pin to v1.13.0-alpha; update the SHA here when upgrading
# Note: 3572988b is the annotated tag object SHA; c3f60dc1 is the actual commit SHA
RUN git clone --depth 1 --branch v1.13.0-alpha https://tangled.org/tangled.org/core . \
    && [ "$(git rev-parse HEAD)" = "c3f60dc17fd6cc709159974f2815a6d14044a106" ] \
    || { echo "ERROR: commit SHA mismatch — possible supply chain tampering"; exit 1; }

RUN go mod download
RUN go mod verify
RUN CGO_ENABLED=1 go build -o /spindle ./cmd/spindle/main.go

# ── Runtime stage ─────────────────────────────────────────────────────────────
FROM alpine:3.23.3@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659

RUN apk add --no-cache ca-certificates docker-cli sqlite-libs

COPY --from=builder /spindle /usr/local/bin/spindle

RUN mkdir -p /data /var/log/spindle

EXPOSE 6555

ENTRYPOINT ["/usr/local/bin/spindle"]