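# syntax=docker/dockerfile:1

# Multi-stage: Debian build (Node; Chromium deps for Mermaid land in M3) →
# pinned nginx-unprivileged runtime serving the static dist/.
# Only /app/dist crosses into the runtime image; the Node toolchain,
# node_modules and the source tree stay behind in the build stage.

# ---- build stage ----------------------------------------------------------
# NOTE(review): this base is referenced by a mutable tag, while the runtime
# base below is digest-pinned. Pin it the same way
# (node:22-bookworm-slim@sha256:<digest-placeholder>) so the toolchain that
# produces dist/ is as reproducible as the image that serves it.
FROM node:22-bookworm-slim AS build
WORKDIR /app

# Install deps from the lockfile only first (better layer caching).
# `npm ci` installs exactly what package-lock.json records and fails if it
# disagrees with package.json. Dependency lifecycle scripts still run at this
# step, so lockfile changes deserve review.
COPY package.json package-lock.json ./
RUN npm ci

# Build the static site.
# NOTE(review): `COPY . .` sends the whole build context into this stage.
# No .dockerignore is visible from here; confirm one excludes .git,
# node_modules, .env and similar, so local secrets never reach the build
# cache or get bundled into dist/.
COPY . .
RUN npm run build

# ---- runtime stage --------------------------------------------------------
# Same vetted digest used by the k8s Deployment. Renovate keeps it current.
FROM ghcr.io/nginx/nginx-unprivileged:1.28.0-alpine@sha256:c97ff0bf7cbae369953c6da1232ec14ad9f971d66360c5698db0856a4cd657a0

# Custom server config (security headers, caching, SPA-ish routing).
COPY nginx/default.conf /etc/nginx/conf.d/default.conf

# The built site. COPY without --chown leaves these files owned by root, so
# the unprivileged nginx process can read but not modify what it serves.
COPY --from=build /app/dist /usr/share/nginx/html

# State the non-root user explicitly instead of inheriting it from the base.
# UID 101 is the nginx-unprivileged default; a numeric UID lets image scanners
# and Kubernetes runAsNonRoot verify it without reading the base image config.
USER 101

# Documentation only: the unprivileged image listens on 8080 because a
# non-root process should not depend on binding a port below 1024.
EXPOSE 8080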