# -- <worker_dependencies> --
FROM debian:stable-slim AS worker_dependencies

RUN apt-get update && apt-get install -yqq unzip curl

ARG BITWARDEN_VERSION=2025.4.0
RUN curl -L -o /bw-linux.zip "https://github.com/bitwarden/clients/releases/download/cli-v${BITWARDEN_VERSION}/bw-linux-${BITWARDEN_VERSION}.zip"
RUN unzip /bw-linux.zip -d / \
    && chmod +x /bw

COPY --from=docker:dind /usr/local/bin/docker /usr/local/bin/
# -- </worker_dependencies> --

# -- <ci_worker> --
FROM oci.liz.coffee/emprespresso/ci_base:release AS worker

RUN apt-get update && apt-get install -yqq git jq

ENV PIPELINE_PATH=/app/worker/dist/scripts
RUN chmod +x /app/worker/dist/scripts/*

RUN mkdir -p /var/lib/laminar/cfg
RUN cp -r /app/worker/jobs /var/lib/laminar/cfg
# see: https://github.com/nodejs/docker-node/blame/89b29ef06b421598ec007605a2604ede0348b298/22/bullseye-slim/Dockerfile#L3-L4
RUN chown -R node:node /var/lib/laminar

# adding a user to only the group"docker" doesn't deterministically give it access to the
# docker socket of the host.
# e.g. host has /etc/groups: docker:995, container has /etc/groups: docker:996
# because i'm likely the only one to ever touch this, and i FORCE "docker" to be 996, this will
# be hardcoded defaulting to 995.
ARG DOCKER_GID="995" # but it may be overridden via this `DOCKER_GID` build arg.
RUN groupadd -g ${DOCKER_GID} docker
RUN usermod -a -d /var/lib/laminar -G docker node

COPY --from=worker_dependencies /bw /usr/local/bin/
COPY --from=worker_dependencies /usr/local/bin/docker /usr/local/bin/

USER node
WORKDIR /var/lib/laminar
EXPOSE 8080

CMD [ "/usr/sbin/laminard" ]
# -- </ci_worker> --