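# Alpine Reproducible Builder
# Creates deterministic builds of Alpine packages for fingerprint diffing
#
# Usage:
#   docker build -t repro-builder-alpine:3.20 --build-arg RELEASE=3.20 .
#   docker run -v ./output:/output repro-builder-alpine:3.20 build openssl 3.0.7-r0
#
# Trust model: package sources are compiled by the `builder` user, which is
# granted unrestricted passwordless sudo below, so anything executed during a
# build effectively has root inside the container. Run it as a disposable
# container and mount nothing from the host except the output directory.

ARG RELEASE=3.20

# NOTE(review): alpine:${RELEASE} is a mutable tag and the apk packages below
# are unpinned, so two image builds can end up with different toolchains.
# Pinning the base image by digest and the packages by version would make the
# builder itself repeatable, which matters when its output is fingerprinted.
FROM alpine:${RELEASE}

# An ARG declared before FROM is only visible to FROM; redeclare it so the
# release can be exported into the runtime environment.
ARG RELEASE
ENV ALPINE_RELEASE=${RELEASE}

# Install build tools and dependencies.
# --no-cache keeps the apk index out of the layer, so no separate cache
# cleanup is needed afterwards.
RUN apk add --no-cache \
        abuild \
        alpine-sdk \
        binutils \
        coreutils \
        curl \
        diffutils \
        elfutils \
        file \
        git \
        gzip \
        patch \
        sudo \
        tar \
        xz

# Create build user (abuild requires non-root).
# NOTE(review): NOPASSWD: ALL is far broader than key installation needs.
# If build.sh only requires a few privileged commands, restrict this rule to
# those commands.
# /build and /output are created here, owned by builder, so the non-root
# entrypoint can write to them however the image builder would otherwise
# assign ownership to paths created by WORKDIR and VOLUME.
RUN adduser -D -G abuild builder \
    && echo "builder ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
    && mkdir -p /build /output /var/cache/distfiles \
    && chown -R builder:abuild /build /output /var/cache/distfiles

# Setup abuild
USER builder
WORKDIR /home/builder

# Generate abuild keys (-a: record the key in abuild.conf, -i: install the
# public key into /etc/apk/keys via sudo, -n: non-interactive).
# The private key is stored in this image layer and is shared by every copy of
# the image: treat it as a throwaway key, never as a release signing key, and
# keep the image out of public registries if signatures made with it are
# trusted anywhere.
# NOTE(review): the key differs between image builds, so signed .apk files are
# not byte-identical across images; confirm the fingerprint comparison does
# not depend on the signature.
RUN abuild-keygen -a -i -n

# Copy normalization and build scripts.
# NOTE(review): the scripts, including the entrypoint, are owned by the build
# user and so can be modified from inside a running build. Root ownership
# would be tighter, though with unrestricted sudo it does not move the trust
# boundary.
COPY --chown=builder:abuild scripts/normalize.sh /usr/local/bin/normalize.sh
COPY --chown=builder:abuild scripts/build.sh /usr/local/bin/build.sh
COPY --chown=builder:abuild scripts/extract-functions.sh /usr/local/bin/extract-functions.sh
RUN chmod +x /usr/local/bin/*.sh

# Environment for reproducibility: fixed timezone and locale so timestamps and
# sort order do not vary with the host.
ENV TZ=UTC \
    LC_ALL=C.UTF-8 \
    LANG=C.UTF-8

# Build output directory (declared after the directory has been created and
# chowned above).
VOLUME /output
WORKDIR /build

ENTRYPOINT ["/usr/local/bin/build.sh"]
CMD ["--help"]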