# syntax=docker/dockerfile:1

ARG NODE_VERSION=latest
ARG NODE_MAJOR_VERSION=20

# Base image using the correct version of Node and npm.
FROM node:${NODE_VERSION} AS node-base

ARG NPM_VERSION=latest

RUN npm install -g npm@${NPM_VERSION}
USER node
WORKDIR /home/node

# Image with dev dependencies, used to build the TypeScript code.
FROM node-base AS builder

# `.npmr[c]` will only copy `.npmrc`, but allows the file to be missing.
COPY .npmr[c] package*.json /home/node/

# If the `NPM_TOKEN` secret is not passed, the environment variable will simply be empty due to the `cat` failing.
# However `npm ci` will still run.
# The npm cache will be reused across stages, but also across builds.
# The uid of the `node` user is 1000, as defined in:
# https://github.com/nodejs/docker-node/blob/main/Dockerfile-debian.template
RUN --mount=type=secret,id=NPM_TOKEN,uid=1000 \
  --mount=type=cache,target=/home/node/.npm,uid=1000 \
  NPM_TOKEN=$(cat /run/secrets/NPM_TOKEN) npm ci

COPY nest-cli.jso[n] tsconfig*.json /home/node/
COPY src/ /home/node/src/
RUN npm run build

# Image to get production dependencies.
FROM node-base AS builder-prod-dependencies

COPY --from=builder /home/node/.npmr[c] /home/node/package*.json /home/node/

RUN --mount=type=secret,id=NPM_TOKEN,uid=1000 \
  --mount=type=cache,target=/home/node/.npm,uid=1000 \
  NPM_TOKEN=$(cat /run/secrets/NPM_TOKEN) npm ci --omit=dev

# Final image, only containing production dependencies and the compiled JavaScript code.
FROM gcr.io/distroless/nodejs${NODE_MAJOR_VERSION}

WORKDIR /app

COPY --from=builder /home/node/package.json /app/package.json
COPY --from=builder-prod-dependencies /home/node/node_modules /app/node_modules
COPY --from=builder /home/node/dist /app/dist

CMD ["/app/dist/index.js"]
