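# ---- Build stage: resolve production dependencies ----
# NOTE(review): node:20-alpine is a floating tag; pinning it by digest
# (node:20-alpine@sha256:<digest>) in both stages would make rebuilds reproducible.
FROM node:20-alpine AS build

ENV NODE_ENV=production

# Compiler toolchain, presumably for native addons built during `pnpm install`.
# It lives only in this stage and is never copied into the runtime image.
RUN apk add --no-cache \
      g++ \
      make \
      python3

RUN corepack enable

WORKDIR /app

# Copy the manifests on their own so the dependency layer stays cached until they change.
COPY package.json pnpm-lock.yaml ./

# pnpm is pinned to an exact version and --frozen-lockfile fails the build if the
# lockfile and package.json disagree, so the dependency set cannot drift silently.
RUN corepack prepare pnpm@10.28.0 --activate \
    && pnpm install --frozen-lockfile --prod \
    && pnpm store prune

# NOTE(review): this copies the entire build context over /app. Confirm that a
# .dockerignore excludes node_modules, .git and any .env files, otherwise a host
# node_modules directory can replace the one installed above. Only the paths
# named explicitly in the runtime stage leave this stage.
COPY . .

# ---- Runtime stage ----
FROM node:20-alpine

ENV NODE_ENV=production \
    CHROME_PATH=/usr/bin/chromium-browser \
    PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser

RUN apk add --no-cache \
      chromium \
      freetype \
      harfbuzz \
      nss \
      ttf-freefont

# Remove npm/corepack to shrink attack surface and avoid bundled CVEs.
# This takes the tools off the runtime filesystem only: the files remain in the
# base image's layers, so the image does not get smaller.
RUN rm -rf /usr/local/lib/node_modules/npm \
    /usr/local/bin/npm \
    /usr/local/bin/npx \
    /usr/local/lib/node_modules/corepack \
    /usr/local/bin/corepack

WORKDIR /app

# The entrypoint is copied without --chown, so it stays root-owned; mode 755 lets
# the unprivileged runtime user execute it but not modify it.
COPY --from=build /app/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
RUN chmod 755 /usr/local/bin/docker-entrypoint.sh

# Only the files needed at runtime are taken from the build stage.
# NOTE(review): these are owned by `node`, so the running process can rewrite its
# own code and dependencies. If the app writes only to /app/cache, leaving them
# root-owned would be the least-privilege choice. Confirm before changing.
COPY --from=build --chown=node:node /app/package.json /app/package.json
COPY --from=build --chown=node:node /app/index.js /app/index.js
COPY --from=build --chown=node:node /app/endpoints /app/endpoints
COPY --from=build --chown=node:node /app/node_modules /app/node_modules

# WORKDIR created /app as root. Hand over only /app and the new cache directory.
# Everything else under /app is already node-owned via --chown above, and a
# recursive chown would copy all of node_modules into one more layer.
RUN mkdir -p /app/cache && chown node:node /app /app/cache

# Drop root before the service starts.
USER node

EXPOSE 10000

# NOTE(review): docker-entrypoint.sh is not shown here; it should `exec` the final
# process so that it runs as PID 1 and receives SIGTERM on `docker stop`.
CMD ["/usr/local/bin/docker-entrypoint.sh"]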