# projector — Catalyst-built Go binary that consumes K8s resource
# events from NATS JetStream catalyst.events and projects them into
# Valkey for cross-replica fan-out to catalyst-api SSE consumers.
#
# Per docs/INVIOLABLE-PRINCIPLES.md the image is statically compiled,
# runs as a non-root numeric UID, and ships nothing beyond the
# binary + CA bundle.
#
# Build context: this Containerfile is invoked by the
# .github/workflows/build-projector.yaml workflow with the
# repository ROOT as the build context.
#
# Two stages:
#   build  — golang:1.23-alpine, vendored stdlib + module cache
#   final  — alpine:3.20 minimal runtime (CA certs + the binary)

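# ---- build stage: compile the projector binary ------------------------------
# NOTE(review): the toolchain image is pinned by tag only, and a tag can be
# re-pointed upstream. Pinning by digest as well would make this build input
# immutable.
FROM docker.io/library/golang:1.23-alpine AS build
WORKDIR /workspace

# Copy only the module manifests first, so the dependency-download layer below
# stays cached until go.mod / go.sum change.
# NOTE(review): the trailing `*` makes go.sum optional for this COPY. go.sum
# holds the committed module checksums, so confirm it is checked in and
# consider dropping the glob so that a missing file fails at this step.
COPY core/cmd/projector/go.mod core/cmd/projector/go.sum* core/cmd/projector/

WORKDIR /workspace/core/cmd/projector
RUN go mod download

# Only the projector module directory is copied, not the whole repository
# root that the workflow passes as build context.
COPY core/cmd/projector /workspace/core/cmd/projector

# CGO_ENABLED=0 builds without cgo, so the binary does not link against libc.
# -trimpath removes build-host filesystem paths from the binary, which avoids
# leaking the build layout and makes the output independent of the build path.
# -ldflags="-s -w" strips the symbol table and DWARF debug information.
RUN CGO_ENABLED=0 GOOS=linux go build \
    -trimpath \
    -ldflags="-s -w" \
    -o /projector .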

# ---- runtime stage: alpine base + CA certificates + tzdata + the binary -----
# NOTE(review): the base is pinned by tag only; a digest pin would make it
# immutable. The alpine base also brings its own userland (shell, apk), so the
# image holds more than the binary and CA bundle named in the file header.
# Confirm that is acceptable under docs/INVIOLABLE-PRINCIPLES.md.
FROM docker.io/library/alpine:3.20

# ca-certificates supplies the CA trust store. tzdata is installed as well,
# although the file header lists only the CA bundle; presumably the binary
# needs time zone data (TODO confirm).
RUN apk add --no-cache \
    ca-certificates \
    tzdata

# Only the compiled binary is taken from the build stage; the Go toolchain and
# module cache are not carried into this image.
COPY --from=build /projector /projector

# Numeric UID:GID, so the process runs without root privileges and a container
# runtime can verify non-root from the image config without a passwd lookup.
USER 65534:65534

# Documentation only; EXPOSE does not publish the port.
EXPOSE 8081

# Exec form: /projector runs directly, with no /bin/sh wrapper in front of it.
ENTRYPOINT ["/projector"]
