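# ---- Build stage: compiles the gogs binary with the "cert" and "pam" build tags ----
# NOTE(review): this tag fixes the Alpine release but not the Go toolchain
# version, so a rebuild can silently pick up a different compiler. Pin a full
# version tag (and ideally an image digest) for reproducible, auditable builds.
FROM golang:alpine3.22 AS binarybuilder

# Toolchain and headers needed only at build time; none of this reaches the
# runtime image because only the compiled binary is copied out of this stage.
RUN apk --no-cache --no-progress add --virtual \
  build-deps \
  build-base \
  git \
  linux-pam-dev

WORKDIR /gogs.io/gogs

# NOTE(review): this copies the whole build context into the build stage.
# Keep a .dockerignore that excludes local configuration, credentials and
# build output so they cannot end up in a cached layer.
COPY . .

# NOTE(review): install-task.sh is not shown here. If it downloads the task
# binary, it should pin a version and verify a checksum; confirm.
RUN ./docker/build/install-task.sh
RUN TAGS="cert pam" task build

# ---- Runtime stage: minimal Alpine image carrying only the gogs binary ----
FROM alpine:3.22

# Create git user and group with fixed UID/GID at build time for better K8s security context support.
# Using 1000:1000 as it's a common non-root UID/GID that works well with most volume permission setups.
ARG GOGS_UID=1000
ARG GOGS_GID=1000
RUN addgroup -g ${GOGS_GID} -S git && \
  adduser -u ${GOGS_UID} -G git -H -D -g 'Gogs Git User' -h /data/git -s /bin/sh git

# Runtime dependencies. curl is listed because the HEALTHCHECK below invokes
# it; without it the probe fails on every run and the container is reported
# unhealthy regardless of the application's state.
RUN apk --no-cache --no-progress add \
  bash \
  ca-certificates \
  curl \
  git \
  linux-pam \
  openssh-keygen

ENV GOGS_CUSTOM=/data/gogs

WORKDIR /app/gogs
COPY --from=binarybuilder /gogs.io/gogs/gogs .

# Create data directories and set ownership
# This must happen before VOLUME: content written to a path after it has been
# declared as a volume is discarded during the build.
RUN mkdir -p /data/gogs /data/git /backup && \
  chown -R git:git /app/gogs /data /backup

# Configure Docker Container
VOLUME ["/data", "/backup"]

# NOTE(review): port 22 is privileged (<1024) and the process runs as the
# non-root git user. Some runtimes refuse such a bind without extra
# configuration; verify the SSH listener port in the target deployment.
EXPOSE 22 3000

# -f makes curl exit non-zero on an HTTP error status, so a failing endpoint
# marks the container unhealthy instead of passing on any completed response.
HEALTHCHECK CMD (curl -f -o /dev/null -sS http://localhost:3000/healthcheck) || exit 1

# Run as non-root user by default for better K8s security context support.
USER git:git

ENTRYPOINT ["/app/gogs/gogs"]
CMD ["web"]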