FROM golang:1.25-alpine AS build
WORKDIR /app

# Optional: git + certs for private modules; cache modules and build cache
RUN apk add --no-cache git ca-certificates

# Go deps first (better layer caching)
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod go mod download

# App sources (incl. templates for go:embed)
COPY . .

# Build static binary (templates are embedded via //go:embed)
RUN --mount=type=cache,target=/root/.cache/go-build \
    CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
    go build -trimpath -ldflags "-s -w" -o /out/pgpkeygen ./

### Runtime stage (distroless)
FROM gcr.io/distroless/static:nonroot
WORKDIR /app
COPY --from=build /out/pgpkeygen /app/pgpkeygen
EXPOSE 8080
USER nonroot:nonroot
ENTRYPOINT ["/app/pgpkeygen"]