# Multi-stage build pentru ASP.NET Core 8 News Portal API
# Imaginea finala e ~110MB (alpine), fara SDK.

# Stage 1 - Build cu .NET SDK
FROM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS build
WORKDIR /src

# Layer cache: restore dependencies inainte de COPY-ul restului
# (modificarile in cod nu invalideaza layer-ul de restore)
COPY *.csproj ./
RUN dotnet restore Lab12.csproj

# Copy rest si publish
COPY . .
RUN dotnet publish Lab12.csproj -c Release -o /out --no-restore /p:UseAppHost=false

# Stage 2 - Runtime ASP.NET Core
FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine
WORKDIR /app

# Copy artefactele build-uite
COPY --from=build /out .

# User non-root pentru security (least privilege)
# adduser fara parola, fara shell separat, doar pentru a rula procesul.
# `app` group/user pot fi pre-create in unele versiuni de aspnet:8.0-alpine, deci `|| true`.
RUN mkdir -p /app/logs \
 && (addgroup -S app 2>/dev/null || true) \
 && (adduser -S -G app app 2>/dev/null || true) \
 && chown -R app:app /app

USER app
EXPOSE 8080

# ASPNETCORE_URLS forteaza Kestrel sa asculte pe 0.0.0.0:8080 in container
# (default e localhost:5000 - container nu ar accepta conexiuni externe)
ENV ASPNETCORE_URLS=http://+:8080
ENV ASPNETCORE_ENVIRONMENT=Production

# Healthcheck - foloseste endpoint public (Swagger e disabled in Production)
HEALTHCHECK --interval=30s --timeout=3s --start-period=15s --retries=3 \
  CMD wget --quiet --tries=1 --spider http://localhost:8080/api/categories || exit 1

ENTRYPOINT ["dotnet", "NewsPortal.dll"]
