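# Multi-stage build for a Bun server bundle:
#   base      - shared Bun-on-Alpine layer
#   installer - installs dependencies and runs the build
#   runner    - production image holding only the build output
#
# NOTE(review): `oven/bun:alpine` is a floating tag, so a rebuild can pick up
# a different Bun/Alpine release without any change to this file. For
# reproducible, auditable builds pin a version and digest, e.g.
# oven/bun:<VERSION>-alpine@sha256:<DIGEST> (placeholders, take the real
# values from the registry).
FROM oven/bun:alpine AS base
# `--no-cache` fetches the package index on the fly and does not keep it, so a
# separate `apk update` is unnecessary and would only leave an index copy in
# /var/cache/apk inside this layer.
RUN apk add --no-cache libc6-compat

## INSTALLER - install deps and build
FROM base AS installer
WORKDIR /app
# Copy only the manifests first so the dependency layer stays cached until
# package.json, bun.lock or the registry mapping changes.
COPY package.json bun.lock .npmrc ./
# @unom/cms lives in the private gitea npm registry; CI mounts an .npmrc
# with the auth token at /root/.npmrc as a build secret. Fall through to
# the in-repo .npmrc (registry mapping only, no token) if no secret.
# The secret is available only while this RUN step executes and is not
# written to an image layer; never pass the token via ARG/ENV or COPY.
RUN --mount=type=cache,target=/root/.bun/install/cache,sharing=shared \
    --mount=type=secret,id=npmrc,target=/root/.npmrc \
    bun install --frozen-lockfile
# NOTE(review): `COPY . .` takes everything in the build context. Make sure
# .dockerignore excludes .git, .env files and any developer-local .npmrc that
# carries a token. This stage is not shipped, but its layers can still end up
# in a shared or exported build cache.
COPY . .
RUN bun run build

## RUNNER - minimal production image
FROM base AS runner
WORKDIR /app
# Dedicated unprivileged account with fixed ids. `--ingroup` makes bunjs the
# primary group of `web`; without it the account is not a member of the group
# created on the line above and the process runs under a default system group
# instead of its own.
RUN addgroup --system --gid 1001 bunjs && \
    adduser --system --uid 1001 --ingroup bunjs web
# Only the build output is copied: sources, the dependency tree and the
# in-repo .npmrc stay behind in the installer stage.
COPY --from=installer --chown=web:bunjs /app/.output ./.output
# Drop root before the server starts. Orchestrators that enforce a non-root
# policy by numeric id can rely on uid 1001.
USER web
# Exec form: bun is started directly, not through a shell, so it receives
# stop signals itself.
CMD ["bun", ".output/server/index.mjs"]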