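# syntax=docker/dockerfile:1
# KollectAI CI — Java Builder Image
#
# Pre-baked build environment for backend + plugin CI jobs.
# Contains: Java 25, Maven 3.9.x, Node.js 24 + pnpm 11, buf CLI, OWASP NVD
# database, ORAS CLI, common dependencies.
#
# Build (BuildKit — the default builder since Docker 23; the `syntax`
# directive above pins the frontend that provides `RUN --mount`):
#   docker build -t kcr.kollect.biz/kollect-tools/ci/java-builder:latest ci/java-builder/
#
# NVD API key: pass it as a BuildKit secret, NOT as --build-arg. Build args
# are recorded in `docker history` (and in provenance attestations) and
# would be shipped to every consumer of the image:
#   docker build --secret id=nvd_api_key,env=NVD_API_KEY ... ci/java-builder/
#
# Usage in CI:
#   container:
#     image: kcr.kollect.biz/kollect-tools/ci/java-builder:latest
#
# RUN order is cache-optimised: most stable / most expensive layers come
# first, most volatile / cheapest layers come last. Bumping a version
# only invalidates that layer and everything below it, so volatile pins
# (pnpm, buf) live near the bottom to avoid forcing OWASP NVD or Maven
# downloads to re-run.
#
# Supply chain: every binary pulled over the network is pinned to a
# version AND verified against the checksum its project publishes next to
# the release. A same-origin checksum catches truncated / corrupted
# downloads and mirror substitution; it does not protect against a
# compromised upstream release — pin the digests in this file if the build
# policy requires that. The image is amd64-only (see ORAS / buf URLs).

ARG JAVA_VERSION=25
FROM eclipse-temurin:${JAVA_VERSION}-jdk-jammy

# ─────────────────────────────────────────────────────────────────────
# System dependencies + Node.js
# ─────────────────────────────────────────────────────────────────────
ARG NODE_MAJOR=24

# The NodeSource signing key is trusted on first use (fetched over TLS and
# dearmored into the keyring). NOTE(review): pin its fingerprint here if
# the CI policy requires more than TLS-origin trust for apt sources.
RUN apt-get update && apt-get install -y --no-install-recommends \
      ca-certificates \
      curl \
      git \
      gnupg \
      jq \
      unzip \
    && mkdir -p /etc/apt/keyrings \
    && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
       | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
    && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" \
       > /etc/apt/sources.list.d/nodesource.list \
    && apt-get update && apt-get install -y --no-install-recommends nodejs \
    && rm -rf /var/lib/apt/lists/*

# ─────────────────────────────────────────────────────────────────────
# Maven
# ─────────────────────────────────────────────────────────────────────
ARG MAVEN_VERSION=3.9.15
ENV MAVEN_HOME=/opt/maven
ENV PATH="${MAVEN_HOME}/bin:${PATH}"

# Download to a scratch dir, verify against the .sha512 Apache publishes
# beside the tarball (first field only — tolerates both "hash" and
# "hash  filename" layouts), then unpack. A failed verification fails the
# build rather than installing an unverified Maven.
RUN scratch="$(mktemp -d)" \
    && cd "${scratch}" \
    && base="https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries" \
    && tarball="apache-maven-${MAVEN_VERSION}-bin.tar.gz" \
    && curl -fsSL -o "${tarball}" "${base}/${tarball}" \
    && expected="$(curl -fsSL "${base}/${tarball}.sha512" | awk '{print $1}')" \
    && printf '%s  %s\n' "${expected}" "${tarball}" | sha512sum -c - \
    && tar -xzf "${tarball}" -C /opt \
    && mv "/opt/apache-maven-${MAVEN_VERSION}" "${MAVEN_HOME}" \
    && cd / \
    && rm -rf "${scratch}"

# ─────────────────────────────────────────────────────────────────────
# OWASP Dependency-Check — pre-download NVD database
#
# This is the single biggest CI time saver. The NVD database download
# takes 5-10 minutes on a cold cache (with API key) or 20-30 min cold.
# Pre-baking it into the image means audit jobs start with a warm DB.
#
# Best-effort: if NVD is flaky and the update fails, the build still
# succeeds without a warm cache. Consumers (CI scan jobs) can detect
# this by checking for ${OWASP_DATA_DIR}/.warm — present means the
# pre-warm worked, missing means scans will need to download on demand.
#
# Rebuild this image weekly to keep the NVD database fresh.
# ─────────────────────────────────────────────────────────────────────
ARG OWASP_DC_VERSION=12.2.1
# Deprecated: kept only so existing `--build-arg NVD_API_KEY=...` invocations
# keep working. A build arg used by a RUN is persisted in the image history;
# supply the key as the `nvd_api_key` BuildKit secret instead (see header).
# When both are present the secret wins.
ARG NVD_API_KEY=""
ENV OWASP_DATA_DIR=/opt/owasp/dependency-check-data

# The secret is mounted only for this RUN and is never written to a layer.
# The mvn invocation is wrapped in a subshell with its own `||` so that a
# failed or timed-out NVD update is reported but does not fail the build;
# the trailing `du` is wrapped separately so its `|| true` cannot mask a
# failed mkdir (the original chain put `|| true` on the whole RUN).
RUN --mount=type=secret,id=nvd_api_key \
    if [ -r /run/secrets/nvd_api_key ]; then \
      key="$(cat /run/secrets/nvd_api_key)"; \
    else \
      key="${NVD_API_KEY}"; \
    fi \
    && if [ -n "${key}" ]; then \
      echo "NVD API key: set (length=$(printf %s "${key}" | wc -c))"; \
    else \
      echo "WARNING: NVD_API_KEY is empty — NVD will rate-limit at 5 req / 30s"; \
    fi \
    && mkdir -p "${OWASP_DATA_DIR}" \
    && ( timeout 1800 mvn -B -ntp -N \
           "org.owasp:dependency-check-maven:${OWASP_DC_VERSION}:update-only" \
           -DdataDirectory="${OWASP_DATA_DIR}" \
           -DnvdMaxRetryCount=30 \
           -DnvdApiDelay=2000 \
           ${key:+-DnvdApiKey="${key}"} \
         && touch "${OWASP_DATA_DIR}/.warm" \
         && echo "NVD pre-warm: complete" \
         || echo "WARNING: NVD pre-warm did NOT complete — image built without a warm cache. CI scans will download on demand. (NVD API was flaky at build time; retry the image build later.)" ) \
    && ( du -sh "${OWASP_DATA_DIR}" 2>/dev/null || true )

# ─────────────────────────────────────────────────────────────────────
# ORAS CLI — for uploading artifacts to Harbor.
# Low-volatility static binary; placed before buf/pnpm so a bump here
# (rare) doesn't invalidate them.
# ─────────────────────────────────────────────────────────────────────
ARG ORAS_VERSION=1.3.2

# Verified against the `oras_<version>_checksums.txt` asset of the same
# release; only the `oras` member of the tarball is extracted.
RUN scratch="$(mktemp -d)" \
    && cd "${scratch}" \
    && base="https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}" \
    && tarball="oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
    && curl -fsSL -o "${tarball}" "${base}/${tarball}" \
    && curl -fsSL -o checksums.txt "${base}/oras_${ORAS_VERSION}_checksums.txt" \
    && grep -- " ${tarball}\$" checksums.txt | sha256sum -c - \
    && tar -xzf "${tarball}" -C /usr/local/bin oras \
    && cd / \
    && rm -rf "${scratch}"

# ─────────────────────────────────────────────────────────────────────
# buf CLI — single static binary used for `buf lint` in CI and pre-push
# parity. Backend Java codegen lives in the Maven build (protobuf-maven-
# plugin), not buf, so no protoc plugins are needed in this image.
# ─────────────────────────────────────────────────────────────────────
ARG BUF_VERSION=1.69.0

# Verified against the `sha256.txt` asset of the same release before the
# binary is installed with a fixed mode (replaces curl -o + chmod +x).
RUN scratch="$(mktemp -d)" \
    && cd "${scratch}" \
    && base="https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}" \
    && curl -fsSL -o buf-Linux-x86_64 "${base}/buf-Linux-x86_64" \
    && curl -fsSL -o sha256.txt "${base}/sha256.txt" \
    && grep -- " buf-Linux-x86_64\$" sha256.txt | sha256sum -c - \
    && install -m 0755 buf-Linux-x86_64 /usr/local/bin/buf \
    && cd / \
    && rm -rf "${scratch}"

# ─────────────────────────────────────────────────────────────────────
# pnpm — via corepack (ships with Node.js).
# Last because it's the most volatile pin and corepack prepare is the
# cheapest layer; bumping pnpm shouldn't force any other layer to rebuild.
# ─────────────────────────────────────────────────────────────────────
ARG PNPM_VERSION=11.0.1
RUN corepack enable \
    && corepack prepare "pnpm@${PNPM_VERSION}" --activate

WORKDIR /workspace

# Verify installation — every tool must be on PATH and runnable, so a
# broken download or extraction fails the image build here rather than
# in the first CI job that uses it.
RUN java -version \
    && mvn -version \
    && node --version \
    && pnpm --version \
    && buf --version \
    && oras version \
    && jq --version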