# syntax=docker/dockerfile:1

# -------- Build stage (static binary) --------
FROM alpine:latest AS build

RUN apk add --no-cache build-base zlib-dev zlib-static

WORKDIR /src
COPY src ./src

RUN mkdir -p /out

# Build small static binaries. For production, we also enable common hardening flags.
RUN cc \
  -std=c11 \
  -O2 -pipe \
  -D_FORTIFY_SOURCE=2 \
  -fstack-protector-strong \
  -Wformat -Wformat-security -Werror=format-security \
  -Wl,-z,relro,-z,now \
  -static \
  -s \
  -o /out/heapitup \
  ./src/main.c \
  -lz

# -------- Runtime stage (minimal) --------
FROM scratch

# Run as non-root
USER 65532:65532

COPY --from=build /out/heapitup /heapitup

ENTRYPOINT ["/heapitup"]

EXPOSE 8080
