Dockerfile.local-dev

# Local Development Dockerfile - Build binject/binpress with LIEF from source
#
# This Dockerfile is for local development and testing. It builds LIEF from source
# in the same container as binject/binpress to ensure perfect ABI compatibility.
# This matches the Depot.dev configuration (AlmaLinux 8, gcc 8.5.0, glibc 2.28).
#
# Usage:
#   docker buildx build --platform linux/amd64 \
#     -f Dockerfile.local-dev \
#     --target export \
#     --output type=local,dest=./build-output \
#     .
#
# The binaries will be exported to ./build-output/binject and ./build-output/binpress
#
# Requirements:
#   - Git submodules must be initialized (especially packages/lief-builder/upstream/lief)
#   - Run: git submodule update --init --recursive
#
FROM almalinux:8 AS lief-builder

# Socket-registry tool-checksums. Workflows `cp "$SOCKET_TOOL_CHECKSUMS_FILE"
# .build-context/registry-tools.json` before `docker build`, so this
# layer reads the same authoritative pnpm version + per-platform sha256
# that the setup action verified on the runner — no hardcoded SHA
# blocks in this Dockerfile. The file is gitignored; it materializes
# fresh for every CI run from socket-registry's pinned SHA.
COPY .build-context/registry-tools.json /tmp/registry-tools.json

# Install build dependencies (matching Depot.dev exactly)
RUN dnf -y update && \
    dnf -y install epel-release dnf-plugins-core && \
    dnf config-manager --set-enabled powertools && \
    dnf -y install \
        gcc-c++ \
        git \
        ccache \
        ninja-build \
        curl \
        ca-certificates \
        jq \
        python3.11 \
        python3.11-pip \
        cmake \
        patch \
        glibc-static \
        libstdc++-static \
        openssl-devel \
        make \
        && \
    curl -fsSL https://rpm.nodesource.com/setup_current.x | bash - && \
    dnf -y install nodejs && \
    ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/aarch64/arm64/') && \
    PLATFORM="linux-${ARCH}" && \
    PNPM_VERSION=$(jq -r .pnpm.version /tmp/registry-tools.json) && \
    PNPM_ASSET=$(jq -r ".pnpm.checksums[\"${PLATFORM}\"].asset" /tmp/registry-tools.json) && \
    PNPM_SHA256=$(jq -r ".pnpm.checksums[\"${PLATFORM}\"].sha256" /tmp/registry-tools.json) && \
    curl -fsSL -o /tmp/pnpm.tar.gz "https://github.com/pnpm/pnpm/releases/download/v${PNPM_VERSION}/${PNPM_ASSET}" && \
    echo "${PNPM_SHA256}  /tmp/pnpm.tar.gz" | sha256sum -c - && \
    tar -xzf /tmp/pnpm.tar.gz -C /usr/local/bin && \
    rm /tmp/pnpm.tar.gz /tmp/registry-tools.json && \
    dnf clean all

WORKDIR /workspace

# Copy workspace config and package files
COPY package.json pnpm-workspace.yaml pnpm-lock.yaml .gitmodules .node-version ./

# Copy packages (but NOT build/downloaded - we'll build LIEF from source)
COPY packages/build-infra/package.json packages/build-infra/
COPY packages/build-infra/lib packages/build-infra/lib
COPY packages/build-infra/make packages/build-infra/make
COPY packages/build-infra/scripts packages/build-infra/scripts
COPY packages/build-infra/src packages/build-infra/src

COPY packages/bin-infra/package.json packages/bin-infra/
COPY packages/bin-infra/src packages/bin-infra/src
COPY packages/bin-infra/scripts packages/bin-infra/scripts
COPY packages/bin-infra/make packages/bin-infra/make
COPY packages/bin-infra/upstream/zstd packages/bin-infra/upstream/zstd
COPY packages/bin-infra/patches packages/bin-infra/patches

COPY packages/lief-builder/package.json packages/lief-builder/
COPY packages/lief-builder/scripts packages/lief-builder/scripts
COPY packages/lief-builder/make packages/lief-builder/make
COPY packages/lief-builder/upstream/lief packages/lief-builder/upstream/lief

COPY packages/binject/package.json packages/binject/
COPY packages/binject/src packages/binject/src
COPY packages/binject/scripts packages/binject/scripts
COPY packages/binject/make packages/binject/make
COPY packages/binject/upstream packages/binject/upstream
COPY packages/binject/Makefile* packages/binject/

COPY packages/binpress/package.json packages/binpress/
COPY packages/binpress/src packages/binpress/src
COPY packages/binpress/scripts packages/binpress/scripts
COPY packages/binpress/Makefile* packages/binpress/

# Ensure zstd source is available
COPY .github/scripts/ensure-zstd.sh .github/scripts/ensure-zstd.sh
COPY .gitmodules .gitmodules
RUN .github/scripts/ensure-zstd.sh

# Build OpenSSL static library (required for SHA256 in smol_segment)
RUN curl -fsSL https://www.openssl.org/source/openssl-1.1.1w.tar.gz -o /tmp/openssl.tar.gz && \
    cd /tmp && tar xzf openssl.tar.gz && cd openssl-1.1.1w && \
    ./config no-shared --prefix=/usr/local/ssl --openssldir=/usr/local/ssl && \
    make -j$(nproc) && \
    make install_sw && \
    cd / && rm -rf /tmp/openssl*

ARG TARGETARCH=amd64

# Set library paths for OpenSSL
ENV PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
ENV LDFLAGS="-L/usr/local/ssl/lib -lcrypto"
ENV CFLAGS="-I/usr/local/ssl/include"
ENV CXXFLAGS=""

# Install dependencies
ENV CI=true
RUN pnpm install --frozen-lockfile

# Build LIEF from source (this ensures ABI compatibility)
WORKDIR /workspace/packages/lief-builder
ENV BUILD_MODE=dev
RUN if [ "$TARGETARCH" = "amd64" ]; then \
        export CFLAGS="$CFLAGS -march=x86-64 -mtune=generic" && \
        export CXXFLAGS="$CXXFLAGS -march=x86-64 -mtune=generic"; \
    fi && \
    pnpm run build

# Build binject
WORKDIR /workspace/packages/binject
ENV BUILD_MODE=dev
RUN pnpm run build

# Build binpress
WORKDIR /workspace/packages/binpress
RUN pnpm run build

# Export binaries
FROM scratch AS export
COPY --from=lief-builder /workspace/packages/binject/build/dev/out/Final/binject /binject
COPY --from=lief-builder /workspace/packages/binpress/build/dev/out/Final/binpress /binpress