FROM golang:1.23 AS builder
ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  GOOS=linux \
  GOARCH=amd64
WORKDIR /src
COPY . .
RUN go build \
  -ldflags "-s -w -extldflags '-static'" \
  -o /bin/app \
  . 
RUN echo "nobody:x:65534:65534:Nobody:/:" > /etc_passwd

FROM alpine:3.21 as compressor
RUN apk add --no-cache upx binutils
COPY --from=builder --chown=65534:0 /bin/app /app
RUN strip /app && upx -q -9 /app

FROM scratch
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /etc_passwd /etc/passwd
COPY --from=compressor --chown=65534:0 /app /app
USER nobody
ENTRYPOINT ["/app"]