# syntax=docker/dockerfile:1.7
#
# openlatch-provider runtime daemon container — multi-arch (linux/amd64,
# linux/arm64). Built by `.github/workflows/publish.yml::docker-publish`
# from the same release matrix that produces the npm + crates.io + GH
# Releases binaries; the image's binary is byte-identical to those.
#
# **No in-Docker recompile.** The previous Phase 1 sketch's `uname -m`
# approach was wrong: it didn't install the right Rust target and the
# `docker buildx` build platform differs from the binary's runtime arch.
# We `COPY --chmod=0755` the matching pre-built artefact instead.
#
# Multi-arch is plumbed via the `TARGETARCH` ARG which `docker buildx`
# sets to `amd64` or `arm64` per leg of the build matrix. The CI job
# stages those binaries under `docker/openlatch-provider-{amd64,arm64}`
# before invoking `docker build`.
FROM gcr.io/distroless/cc-debian12:nonroot
# `TARGETARCH` is one of BuildKit's automatic platform ARGs. It is only
# auto-populated when consumed *after* FROM with no prior global ARG of
# the same name — a pre-FROM `ARG TARGETARCH` shadows it to empty and
# breaks the COPY below (`openlatch-provider-` not found).
ARG TARGETARCH
# Image-level metadata for ghcr.io / OCI tooling.
LABEL org.opencontainers.image.source="https://github.com/OpenLatch/openlatch-provider"
LABEL org.opencontainers.image.description="OpenLatch provider runtime daemon"
LABEL org.opencontainers.image.licenses="Apache-2.0"
# Binary copied in by the publish workflow before the buildx invocation.
# The `${TARGETARCH}` interpolation resolves to `amd64` or `arm64`.
COPY --chmod=0755 openlatch-provider-${TARGETARCH} /usr/local/bin/openlatch-provider
USER nonroot
EXPOSE 8443
# Default to listening on 0.0.0.0:8443 with no TLS. Production deployments
# typically run behind a TLS-terminating reverse proxy (Caddy, Nginx). See
# `docs/deploy/caddy-tls-termination.md` for the documented pattern.
ENTRYPOINT ["/usr/local/bin/openlatch-provider", "listen", "--port", "8443", "--no-tls"]