# syntax = docker/dockerfile:experimental

# Copyright 2020-2026 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

# we need a separate dockerfile for the fips test image so that the integration tests
# use the right ciphers etc.

# Build stage: compiles the pinniped CLI and the integration test binary in
# strict FIPS mode. Nothing from this stage reaches the final image except the
# contents of /tmp/out.
# NOTE(review): the base image is referenced by tag only. A tag can be re-pointed
# upstream, so pinning it as golang:1.26.3-bookworm@sha256:<digest> would make
# the toolchain that produces the FIPS binaries reproducible and auditable.
FROM golang:1.26.3-bookworm AS build-env
WORKDIR /work
# Copies the whole build context into this stage's layer.
# NOTE(review): confirm a .dockerignore keeps local credentials (kubeconfigs,
# .env files) out of the context, since this layer can end up in a shared build cache.
COPY . .
# Build-time only; the go tool reads it from the environment during RUN.
# Build-arg values are recorded with the build, so the proxy URL should not
# carry embedded credentials.
ARG GOPROXY
# Build the CLI and the integration test binary with strict FIPS settings.
#  - The first mount has no type, so it is a bind mount of the build context
#    over /work (read-only unless rw is given - presumably why output goes to
#    /tmp/out); the two cache mounts keep the Go build and module caches out of
#    the image layers.
#  - GOEXPERIMENT=boringcrypto selects the BoringCrypto backend and needs cgo;
#    the race detector used for the test binary needs cgo as well.
#  - fips_strict is a project build tag (presumably selecting the FIPS-only
#    TLS configuration - confirm in the Go sources).
#  - osusergo,netgo plus -linkmode=external -extldflags -static produce a
#    static binary that can run in the scratch image below.
#  - The test binary is built without -trimpath, unlike the CLI.
# NOTE(review): nothing here checks that BoringCrypto was actually linked in.
# A post-build check (for example inspecting the binary with `go tool nm` for
# goboringcrypto symbols) would catch a silent fallback to the standard crypto.
RUN \
  --mount=target=. \
  --mount=type=cache,target=/cache/gocache \
  --mount=type=cache,target=/cache/gomodcache \
  mkdir /tmp/out && \
  export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache \
         GOOS=linux GOARCH=amd64 GOEXPERIMENT=boringcrypto && \
  CGO_ENABLED=1 go build \
    -tags fips_strict,osusergo,netgo \
    -v -trimpath \
    -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" \
    -o /tmp/out/pinniped \
    ./cmd/pinniped/main.go && \
  CGO_ENABLED=1 go test \
    -tags fips_strict,osusergo,netgo \
    -c \
    -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" \
    -vet=off -race \
    ./test/integration \
    -o /tmp/out/pinniped-integration-test

# Final stage: an empty base that carries only the two binaries produced in
# build-env (the pinniped CLI and pinniped-integration-test). The scratch base
# has no shell, package manager or CA bundle, so the image contains nothing
# beyond what is copied here.
# NOTE(review): no USER, ENTRYPOINT or CMD is set. Whatever launches these
# binaries chooses the command, and it runs as UID 0 unless the consumer
# (e.g. the pod or job spec) sets a non-root user - confirm that is intended.
FROM scratch
# Copy everything under /tmp/out from the build stage into /usr/local/bin/.
COPY --from=build-env /tmp/out/ /usr/local/bin/
