# syntax=docker/dockerfile:1.7
ARG NODE_VERSION=22

# deps: resolve the workspace's node_modules from the lockfile alone, so this
# stage is reused until a manifest or pnpm-lock.yaml changes.
FROM node:${NODE_VERSION}-alpine AS deps
WORKDIR /repo
# pnpm@9 floats within the 9.x line at build time; pin an exact 9.x.y if
# byte-for-byte reproducible installs are required.
RUN <<EOF
set -eu
corepack enable
corepack prepare pnpm@9 --activate
EOF
# Manifests first, source later: the install layer below keys on these files
# only, so frontend source edits do not trigger a reinstall.
COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./
COPY tehriehlbudget-frontend/package.json tehriehlbudget-frontend/
COPY tehriehlbudget-backend/package.json  tehriehlbudget-backend/
# The cache mount keeps pnpm's content-addressable store on the build host and
# out of the image. `--filter <pkg>...` installs the frontend plus every
# workspace package it depends on.
RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
    pnpm install --frozen-lockfile --filter tehriehlbudget-frontend...

# build: produce the static frontend bundle on top of the cached deps stage.
# WORKDIR /repo is inherited from the deps image config, so it is not restated.
FROM deps AS build
COPY tehriehlbudget-frontend/ tehriehlbudget-frontend/
# No VITE_* variables are set for this step, so every import.meta.env.VITE_*
# reference resolves to "" and no secret is compiled into the bundle; the
# container entrypoint injects window.__RUNTIME_CONFIG__ at start-up instead.
# NOTE(review): Vite also reads .env* files from the package directory, so the
# guarantee above only holds if .dockerignore keeps them out of the context —
# confirm.
RUN pnpm --filter=tehriehlbudget-frontend run build

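FROM nginxinc/nginx-unprivileged:1.27-alpine AS runtime
USER root
# Pull current Alpine package patches before adding anything else. The
# base image lags behind upstream Alpine's security backports (openssl,
# libxml2, libpng, musl, etc. were all flagged HIGH/CRITICAL on the
# stock 3.21.3 packages). `apk upgrade` picks up the fixed -r versions
# without bumping the nginx version itself.
# gettext is unpinned (hadolint DL3018); it presumably supplies envsubst for
# 40-render-config.sh below — confirm, and pin a -r version once chosen.
RUN apk upgrade --no-cache && apk add --no-cache gettext
# The html tree is nginx-owned, presumably so 40-render-config.sh can write the
# rendered runtime config into it at container start — confirm against the
# script; if it writes elsewhere, root-owned/read-only content is preferable.
COPY --from=build --chown=nginx:nginx /repo/tehriehlbudget-frontend/dist /usr/share/nginx/html
COPY --chown=nginx:nginx tehriehlbudget-frontend/nginx.conf            /etc/nginx/conf.d/default.conf
# --chmod sets the execute bit at copy time. The previous separate
# `RUN chmod +x` added a layer that stored the whole file a second time;
# 0755 is what +x yields on a 0644 source. The nginx entrypoint only runs
# /docker-entrypoint.d/*.sh files that are executable.
COPY --chown=nginx:nginx --chmod=0755 tehriehlbudget-frontend/docker-entrypoint.sh  /docker-entrypoint.d/40-render-config.sh
USER nginx
EXPOSE 8080
# nginx-unprivileged can't bind privileged ports; the image listens on 8080,
# so a healthcheck targeting :80 will always fail. Bake in a sensible default
# that any orchestrator (compose, k8s, Portainer) inherits unless overridden.
# busybox wget ships with the alpine base, so no extra package is needed.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD wget -qO /dev/null http://127.0.0.1:8080/ || exit 1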
