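# syntax=docker/dockerfile:1

# ---------------------------------------------------------------------------
# Build stage: compile the Go server. Nothing from this stage except the
# resulting binary reaches the runtime image.
# ---------------------------------------------------------------------------
FROM golang:1.25-bookworm AS builder
WORKDIR /src
# Copy the module manifests first so the dependency download layer stays
# cached until go.mod/go.sum change, not on every source edit.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO is disabled so the binary carries no libc dependency and runs unchanged
# in the slim runtime image below.
RUN CGO_ENABLED=0 go build -o /cammonitor ./cmd/server

# ---------------------------------------------------------------------------
# Runtime stage
# ---------------------------------------------------------------------------
FROM debian:bookworm-slim

# Upgrade all packages before installing anything so that packages already
# present in the base image (libcap2, libgnutls30, …) receive their latest
# Debian security patches — fixing the "fixed" Trivy findings.
# update + upgrade + install + cleanup stay in one layer so the apt lists do
# not persist in the image and the package index is never stale.
RUN apt-get update \
 && apt-get upgrade -y \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Dedicated unprivileged service account. A compromise of the server process
# (or of ffmpeg parsing an untrusted camera stream) then does not yield root
# inside the container. Fixed numeric IDs let runtime policies such as
# Kubernetes runAsNonRoot verify the user without resolving /etc/passwd.
RUN groupadd --system --gid 10001 cammonitor \
 && useradd --system --uid 10001 --gid cammonitor \
      --home /nonexistent --no-create-home --shell /usr/sbin/nologin cammonitor

# Use a statically-linked ffmpeg binary instead of the apt package.
# The apt ffmpeg drags in ~20 shared codec libraries (libaom3, Mesa/libgbm,
# Mbed TLS, libssh, libsndfile, libtheora, libtiff, libharfbuzz, libmfx …)
# that carry the remaining CRITICAL/HIGH CVEs in the Trivy report.
# A static build links everything internally — none of those OS packages are
# installed, so Trivy has nothing to flag.
# We only need stream-copy remux + single-frame thumbnail; the GPL build
# covers both with no re-encoding required.
# TODO(review): pin this third-party image by digest
# (mwader/static-ffmpeg:7.1.1@sha256:<digest-placeholder>) so the ffmpeg binary
# copied into the image cannot change underneath the mutable tag.
COPY --from=mwader/static-ffmpeg:7.1.1 /ffmpeg /usr/local/bin/ffmpeg
COPY --from=builder /cammonitor /usr/local/bin/cammonitor

# Drop root before the service starts. If the server needs to bind a port
# below 1024 or write outside a mounted volume, grant that path/capability to
# UID 10001 rather than reverting to root here.
USER cammonitor:cammonitor
# Absolute path avoids a PATH lookup at container start; exec form keeps the
# server as PID 1 so it receives SIGTERM from `docker stop` directly.
ENTRYPOINT ["/usr/local/bin/cammonitor"]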