FROM rust:1.91.1-alpine AS builder

RUN apk add --no-cache musl-dev openssl-dev openssl-libs-static

WORKDIR /app
COPY executor /app/

RUN cargo build --release

FROM node:25-alpine

RUN mkdir /etc/sigma && head -c 16 /dev/random | xxd -p > /etc/sigma/jwt.secret

WORKDIR /app

COPY package.json yarn.lock .yarnrc.yml ./
COPY .yarn/ ./.yarn/
COPY api/package.json ./api/package.json
COPY common/package.json ./common/package.json

RUN yarn workspaces focus @sigma/api

COPY . .

RUN cd /app/common && yarn build
RUN cd /app/api && yarn build

COPY --from=builder /app/target/release/executor /usr/local/bin/executor
ENV EXECUTOR_BIN_PATH=/usr/local/bin/executor

WORKDIR /app/api
CMD ["sh", "-c", "JWT_SECRET=$(cat /etc/sigma/jwt.secret) exec yarn start"]