# SilverMetal Linux — reproducible-build runner image.
#
# This image is the "build host" for the ISO. The digest-pinned FROM line is
# the only thing keeping host-toolchain drift out of the reproducibility gate,
# so do NOT replace it with a tag-only reference.
#
# Build & push (run from repo root):
#   docker build \
#     -f linux/build/docker/Dockerfile.builder \
#     -t docker-registry:5000/silvermetal-builder: \
#     -t docker-registry:5000/silvermetal-builder:latest \
#     linux/build/docker
#   docker push docker-registry:5000/silvermetal-builder:
#
# To bump the base image: replace the digest, rebuild, push, update
# BUILDER_IMAGE in linux/build/scripts/build.sh, run a full reproducibility
# check, commit all four changes together.

# Base: debian:bookworm-slim, pinned by digest (resolved 2026-04-26 via
# `docker pull debian:bookworm-slim`). A digest bump must land in the same
# commit as the rebuilt + pushed silvermetal-builder image and the matching
# BUILDER_IMAGE update in linux/build/scripts/build.sh.
FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252

# Reproducibility-friendly environment. Declared as ENV rather than ARG so the
# values are still set when the ISO build runs inside this container:
# non-interactive apt, a fixed C.UTF-8 locale and a zeroed SOURCE_DATE_EPOCH.
ENV DEBIAN_FRONTEND=noninteractive \
    LANG=C.UTF-8 \
    LC_ALL=C.UTF-8 \
    SOURCE_DATE_EPOCH=0

# Package snapshot. Everything installed in phase 2 below comes from a single
# snapshot.debian.org timestamp — the same one the ISO build uses — so a
# rebuild of this image against that snapshot yields the same toolchain
# bit-for-bit. Override at build time with
#   --build-arg APT_SNAPSHOT_URL=... --build-arg APT_SECURITY_SNAPSHOT_URL=...
# (ARG values are recorded in `docker history`; these are URLs, not secrets.)
ARG APT_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian/20260415T000000Z"
ARG APT_SECURITY_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian-security/20260415T000000Z"

# Toolchain install — two phases, one layer:
#   1. Seed ca-certificates from the base image's default mirror. Slim images
#      ship no CA bundle, and without one HTTPS to snapshot.debian.org fails.
#   2. Point apt exclusively at the snapshot and install the real toolchain.
# Phase 1 is unpinned. That is acceptable because nothing it installs reaches
# the ISO — only the phase-2 packages do, and those are snapshot-pinned.
# check-valid-until=no (and the matching Acquire option) only relaxes the
# Release-file expiry check, which dated snapshot metadata cannot pass; apt's
# archive-signature verification still applies to everything fetched here.
RUN set -eux \
    && apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -f /etc/apt/sources.list.d/* \
    && printf '%s\n' \
         "deb [check-valid-until=no] $APT_SNAPSHOT_URL bookworm main" \
         "deb [check-valid-until=no] $APT_SECURITY_SNAPSHOT_URL bookworm-security main" \
         > /etc/apt/sources.list \
    && apt-get -o Acquire::Check-Valid-Until=false update \
    && apt-get install -y --no-install-recommends \
         debootstrap \
         diffoscope-minimal \
         dosfstools \
         git \
         gnupg \
         isolinux \
         live-build \
         mtools \
         reprepro \
         rsync \
         squashfs-tools \
         syslinux-common \
         xorriso \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Unprivileged account for diagnostic tooling. It is deliberately NOT made the
# image's USER: live-build needs root inside the container for chroot/mount,
# so build.sh starts the container as root. uid 1000 is chosen so ownership on
# bind mounts lines up with the usual host user.
RUN useradd --create-home --shell /bin/bash --uid 1000 builder

WORKDIR /work