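# Build stage: compiles a static Go binary. Nothing from this stage except
# /go/bin/app is copied into the final image.
# NOTE(review): tags are mutable; for release builds pin both base images by
# digest (image:tag@sha256:<digest>) so the build inputs cannot change silently.
FROM golang:1.23-alpine AS builder

WORKDIR /app

# Copy the module manifests first so the dependency layer stays cached until
# they change. The go.sum* glob keeps COPY from failing when go.sum does not
# exist yet (a freshly initialised module with no dependencies).
# NOTE(review): once the module has dependencies, commit go.sum so downloads
# are checked against the recorded hashes.
COPY go.mod go.sum* ./
RUN go mod download

# Copy the rest of the source code.
# NOTE(review): this copies the whole build context into the builder layer;
# keep a .dockerignore that excludes .git, .env files and local build output.
COPY . .

# Build the application.
# CGO_ENABLED=0 produces a static binary, which the distroless static base needs.
# -trimpath removes local filesystem paths from the binary.
# -ldflags="-w -s" strips debug information for a smaller binary.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-w -s" -o /go/bin/app ./cmd/app

# Final stage: distroless static image, with no shell or package manager, for
# a minimal footprint and attack surface.
FROM gcr.io/distroless/static-debian12:nonroot

WORKDIR /

COPY --from=builder /go/bin/app /app

# Numeric UID:GID of the distroless "nonroot" user. A named USER cannot be
# verified by Kubernetes runAsNonRoot, which rejects non-numeric image users.
USER 65532:65532

ENTRYPOINT ["/app"]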