# blueprint-controller — slice C3 of EPIC-0 (#1095).
#
# Distroless-static final image; non-root UID 65532; size ~30-40 MiB.
# Per Inviolable Principle #4a, this image must be built ONLY by the
# GitHub Actions pipeline and tagged with the git SHA. Local builds
# never reach GHCR.
#
# Build context: the repo root (so we can COPY core/controllers/...
# directly).
#
# Slice CC1 (#1095) consolidated the 5 Group C controllers under a
# single shared go.mod at core/controllers/go.mod and shared helpers
# under core/controllers/internal/. The COPY layout below mirrors that.

# Build stage — compiles the controller with the Go toolchain; nothing from
# this stage except the final binary is carried into the runtime image.
# NOTE(review): golang:1.23-alpine is a mutable tag. Pinning it by digest
# (golang:1.23-alpine@sha256:<digest-placeholder>) would make the toolchain
# reproducible and make an upstream tag move visible in review.
FROM golang:1.23-alpine AS build

# Resolve dependencies before any source is copied, so this layer is only
# rebuilt when go.mod / go.sum at the shared module root change. Downloaded
# modules are checked against the hashes recorded in go.sum.
WORKDIR /src/core/controllers
COPY core/controllers/go.mod core/controllers/go.sum ./
RUN go mod download

# Bring in only what this controller compiles: the shared internal/ helpers
# and the blueprint package tree, placed under the module root exactly as
# they sit in the repository.
COPY core/controllers/internal/ internal/
COPY core/controllers/blueprint/ blueprint/

# CGO_ENABLED=0 yields a statically linked binary, which the libc-less
# distroless "static" runtime image requires. -trimpath keeps build-host
# paths out of the binary; -s -w drop the symbol table and DWARF data.
WORKDIR /src/core/controllers/blueprint
RUN CGO_ENABLED=0 GOOS=linux go build \
    -trimpath \
    -ldflags="-s -w" \
    -o /out/blueprint-controller \
    ./cmd

# Runtime stage — distroless static: no shell, no package manager, no libc,
# which keeps the CVE surface narrow and leaves little to work with inside a
# compromised container.
# NOTE(review): the :nonroot tag is mutable; pinning by digest
# (static-debian12:nonroot@sha256:<digest-placeholder>) would tie the image
# to a reviewed base.
FROM gcr.io/distroless/static-debian12:nonroot
# No --chown on this COPY: the binary keeps Docker's default root ownership,
# so the unprivileged runtime user is not its owner and (assuming the usual
# 0755 mode from go build — confirm) can execute but not overwrite it.
COPY --from=build /out/blueprint-controller /blueprint-controller
# Numeric UID:GID rather than a user name, so an orchestrator can verify the
# container is non-root without resolving /etc/passwd (e.g. Kubernetes
# runAsNonRoot).
USER 65532:65532
# Exec form: the controller is started directly, with no shell wrapper
# between it and signals sent to the container.
ENTRYPOINT ["/blueprint-controller"]
