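# Three-stage build for the Gogs container image:
#   webbuilder    - builds the web front-end bundle with pnpm
#   binarybuilder - compiles the gogs binary with the bundle copied in
#   (final)       - minimal Alpine runtime that runs as the non-root git user
#
# NOTE(review): all three base images are referenced by mutable tag. For
# release builds, pin each FROM by digest so the build inputs cannot change
# underneath the same tag.

# ---------------------------------------------------------------------------
# Stage 1: web assets
# ---------------------------------------------------------------------------
# Runs on the build host's platform; only /src/public/dist is taken from this
# stage, presumably platform-independent static assets.
FROM --platform=$BUILDPLATFORM node:24-alpine AS webbuilder

# NOTE(review): corepack selects and fetches the package manager at build
# time; confirm package.json pins the pnpm version so this step is
# reproducible.
RUN corepack enable

WORKDIR /src
COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
COPY web ./web
COPY conf/locale ./conf/locale

# --frozen-lockfile fails the build instead of silently rewriting
# pnpm-lock.yaml when the manifest and the lockfile disagree.
RUN pnpm install --frozen-lockfile
RUN pnpm --filter gogs-web run build

# ---------------------------------------------------------------------------
# Stage 2: Go binary
# ---------------------------------------------------------------------------
FROM golang:1.26-alpine3.23 AS binarybuilder

# Toolchain and PAM headers needed for the "pam" build tag. They live only in
# this stage; the final image copies nothing but the compiled binary from it.
RUN apk --no-cache --no-progress add --virtual \
    build-deps \
    build-base \
    git \
    linux-pam-dev

WORKDIR /gogs.io/gogs

# The whole build context is copied, .git included when present, because the
# build below reads the commit hash from it.
# NOTE(review): make sure a .dockerignore keeps local config, credentials and
# data directories out of the context; none is visible from this file.
COPY . .
COPY --from=webbuilder /src/public/dist ./public/dist

# BuildTime and BuildCommit are stamped into internal/conf via -ldflags.
# NOTE(review): %I is the 12-hour clock and no AM/PM marker is emitted, so the
# timestamp is ambiguous; left unchanged in case other build paths rely on the
# same format. Confirm before switching to %H.
# NOTE(review): if `git rev-parse HEAD` fails (no .git in the context) the
# command substitution is empty and the build still succeeds with a blank
# BuildCommit.
RUN go build -v -trimpath -tags "pam prod" \
    -ldflags "-X 'gogs.io/gogs/internal/conf.BuildTime=$(date -u '+%Y-%m-%d %I:%M:%S %Z')' -X 'gogs.io/gogs/internal/conf.BuildCommit=$(git rev-parse HEAD)'" \
    -o .bin/gogs ./cmd/gogs

# ---------------------------------------------------------------------------
# Stage 3: runtime image
# ---------------------------------------------------------------------------
FROM alpine:3.23

# Create git user and group with fixed UID/GID at build time for better K8s security context support.
# Using 1000:1000 as it's a common non-root UID/GID that works well with most volume permission setups.
ARG GOGS_UID=1000
ARG GOGS_GID=1000
RUN addgroup -g ${GOGS_GID} -S git && \
    adduser -u ${GOGS_UID} -G git -H -D -g 'Gogs Git User' -h /data/git -s /bin/sh git

# Runtime dependencies only; compilers and headers stay in the builder stage.
# NOTE(review): "zlib>1.3.2" sets a minimum zlib version, presumably to pick up
# a security fix newer than the base image ships. Record the advisory it
# addresses and drop the constraint once the base image satisfies it.
RUN apk --no-cache --no-progress add \
    bash \
    ca-certificates \
    curl \
    git \
    linux-pam \
    openssh-keygen \
    "zlib>1.3.2"

ENV GOGS_CUSTOM=/data/gogs

WORKDIR /app/gogs
COPY --from=binarybuilder /gogs.io/gogs/.bin/gogs .
COPY docker-next/start.sh .

# /backup is declared as a volume below, so it is created and chowned here
# together with /data: a fresh anonymous or named volume takes its ownership
# from the image directory and would otherwise be root-owned and unwritable
# for the git user.
# /home/git is a symlink to /data/git, the home directory set in adduser
# above (not created at build time because of -H).
# NOTE(review): chown -R on /app/gogs also makes the gogs binary and start.sh
# writable by the runtime user. If nothing has to write under /app/gogs at
# runtime, leave those two files root-owned; confirm against start.sh.
RUN chmod +x start.sh && \
    mkdir -p /data /backup && \
    ln -s /data/git /home/git && \
    chown -R git:git /app/gogs /data /backup

# Configure Docker Container
# VOLUME comes after the directories are populated; anything written to these
# paths later in the build would be discarded.
VOLUME ["/data", "/backup"]

# NOTE(review): port 22 is below 1024 and the process runs as the non-root git
# user. Whether the SSH listener can bind it depends on the container runtime
# and on the port the application is configured with; confirm for Kubernetes
# deployments.
EXPOSE 22 3000

# -f makes curl exit non-zero on HTTP 4xx/5xx; without it an error response
# from /healthcheck would still mark the container healthy.
HEALTHCHECK CMD (curl --noproxy localhost -o /dev/null -fsS http://localhost:3000/healthcheck) || exit 1

# Run as non-root user by default for better K8s security context support.
USER git:git
ENTRYPOINT ["/app/gogs/start.sh"]
CMD ["/app/gogs/gogs", "web"]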