predictor/Dockerfile

# syntax=docker/dockerfile:1

# --- build stage ---------------------------------------------------------
FROM golang:1.25 AS builder

WORKDIR /src

# Cache module downloads.
COPY go.mod go.sum ./
RUN go mod download

COPY . .

# Static, stripped binary — no CGO so it runs on distroless/scratch.
ARG VERSION=dev
ARG REVISION=unknown
RUN CGO_ENABLED=0 GOOS=linux go build \
    -trimpath \
    -ldflags="-s -w -X main.version=${VERSION} -X main.revision=${REVISION}" \
    -o /predictor ./cmd/predictor

# --- runtime stage -------------------------------------------------------
# distroless/static:nonroot ships CA certificates (needed for TLS to the
# NOAA S3 mirror) and runs as uid:gid 65532:65532.
FROM gcr.io/distroless/static-debian12:nonroot AS runtime

COPY --from=builder /predictor /predictor

# Default data dir; mount a node-local volume here in production.
ENV PREDICTOR_DATA_DIR=/data
EXPOSE 8080

# Liveness probe via the binary itself — no shell/curl in the image.
HEALTHCHECK --interval=30s --timeout=5s --start-period=120s --retries=3 \
    CMD ["/predictor", "-healthcheck"]

ENTRYPOINT ["/predictor"]