# KollectAI CI — Java Builder Image
#
# Pre-baked build environment for backend + plugin CI jobs.
# Contains: Java 25, Maven 3.9.x, Node.js 24 + pnpm 11, buf CLI, OWASP NVD
# database, ORAS CLI, common dependencies.
#
# Build:
#   docker build -t kcr.kollect.biz/kollect-tools/ci/java-builder:latest ci/java-builder/
#
# Usage in CI:
#   container:
#     image: kcr.kollect.biz/kollect-tools/ci/java-builder:latest
#
# RUN order is cache-optimised: most stable / most expensive layers come
# first, most volatile / cheapest layers come last. Bumping a version
# only invalidates that layer and everything below it, so volatile pins
# (pnpm, buf) live near the bottom to avoid forcing OWASP NVD or Maven
# downloads to re-run.

ARG JAVA_VERSION=25
FROM eclipse-temurin:${JAVA_VERSION}-jdk-jammy

# ─────────────────────────────────────────────────────────────────────
# System dependencies + Node.js
# ─────────────────────────────────────────────────────────────────────
ARG NODE_MAJOR=24

RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        git \
        gnupg \
        jq \
        unzip \
    && mkdir -p /etc/apt/keyrings \
    && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
        | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
    && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" \
        > /etc/apt/sources.list.d/nodesource.list \
    && apt-get update && apt-get install -y --no-install-recommends nodejs \
    && rm -rf /var/lib/apt/lists/*

# ─────────────────────────────────────────────────────────────────────
# Maven
# ─────────────────────────────────────────────────────────────────────
ARG MAVEN_VERSION=3.9.15
ENV MAVEN_HOME=/opt/maven
ENV PATH="${MAVEN_HOME}/bin:${PATH}"

RUN curl -fsSL "https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz" \
    | tar -xz -C /opt \
    && mv "/opt/apache-maven-${MAVEN_VERSION}" "${MAVEN_HOME}"

# ─────────────────────────────────────────────────────────────────────
# OWASP Dependency-Check — pre-download NVD database
#
# This is the single biggest CI time saver. The NVD database download
# takes 5-10 minutes on a cold cache. Pre-baking it into the image
# means audit jobs start with a warm database.
#
# Rebuild this image weekly to keep the NVD database fresh.
# ─────────────────────────────────────────────────────────────────────
ARG OWASP_DC_VERSION=12.2.1
ARG NVD_API_KEY=""
ENV OWASP_DATA_DIR=/opt/owasp/dependency-check-data

RUN mkdir -p "${OWASP_DATA_DIR}" \
    && mvn org.owasp:dependency-check-maven:${OWASP_DC_VERSION}:update-only \
        -DdataDirectory="${OWASP_DATA_DIR}" \
        ${NVD_API_KEY:+-DnvdApiKey="${NVD_API_KEY}"} \
        -q || true

# ─────────────────────────────────────────────────────────────────────
# ORAS CLI — for uploading artifacts to Harbor.
# Low-volatility static binary; placed before buf/pnpm so a bump here
# (rare) doesn't invalidate them.
# ─────────────────────────────────────────────────────────────────────
ARG ORAS_VERSION=1.3.2

RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
    | tar -xz -C /usr/local/bin oras

# ─────────────────────────────────────────────────────────────────────
# buf CLI — single static binary used for `buf lint` in CI and pre-push
# parity. Backend Java codegen lives in the Maven build (protobuf-maven-
# plugin), not buf, so no protoc plugins are needed in this image.
# ─────────────────────────────────────────────────────────────────────
ARG BUF_VERSION=1.69.0

RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" \
    -o /usr/local/bin/buf \
    && chmod +x /usr/local/bin/buf

# ─────────────────────────────────────────────────────────────────────
# pnpm — via corepack (ships with Node.js).
# Last because it's the most volatile pin and corepack prepare is the
# cheapest layer; bumping pnpm shouldn't force any other layer to rebuild.
# ─────────────────────────────────────────────────────────────────────
ARG PNPM_VERSION=11.0.1

RUN corepack enable \
    && corepack prepare "pnpm@${PNPM_VERSION}" --activate

WORKDIR /workspace

# Verify installation
RUN java -version \
    && mvn -version \
    && node --version \
    && pnpm --version \
    && buf --version \
    && oras version \
    && jq --version
