# Multi-stage build for tenant-registry.
# Produces two binaries:
#   /tenant-registry  — long-running API server
#   /migrate          — one-shot schema migrator (Orca init container in prod)

FROM golang:1.24-alpine AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /out/tenant-registry ./cmd/server && \
    CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /out/migrate         ./cmd/migrate

FROM gcr.io/distroless/static-debian12:nonroot
WORKDIR /
COPY --from=build /out/tenant-registry /tenant-registry
COPY --from=build /out/migrate         /migrate
USER nonroot:nonroot
EXPOSE 8090
ENTRYPOINT ["/tenant-registry"]
