# Self-contained Android build image for MetaScrub APK builds.
#
# This is the local-dev counterpart to forgejo-stack/job-android:latest:
# same JDK 21 + Android SDK 35 toolchain, but based on the public
# node:22-bookworm-slim image so it works on any host with Docker —
# no forgejo-stack, no host JDK, no host Android SDK required.
#
# Built and run by scripts/build-apk-local.sh. Tagged
# metascrub-android-builder:local locally.
#
# Pinning rationale (kept in sync with the CI image; bump together):
#   - JDK 21: Capacitor 7.6+ requires Java 21 source level (its
#     capacitor-android library sets sourceCompatibility = VERSION_21).
#     JDK 17 fails javac with "invalid source release: 21".
#   - Android API 35 + build-tools 35.0.0: Capacitor 7 default compileSdk.
#   - cmdline-tools 11076708: pinned for reproducibility; bump together
#     with ANDROID_API_LEVEL when refreshing the toolchain.
# Pinned by digest for byte-reproducible rebuilds. Bump together with the
# CI image; verify the digest with:
#   docker pull node:22-bookworm-slim && \
#     docker inspect --format='{{index .RepoDigests 0}}' node:22-bookworm-slim
FROM node:22-bookworm-slim@sha256:7af03b14a13c8cdd38e45058fd957bf00a72bbe17feac43b1c15a689c029c732

# JDK 21 (Temurin) via the Eclipse Adoptium apt repo, plus the system
# packages the SDK installer + Gradle wrapper need (unzip, curl, git, file).
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
      wget curl gnupg ca-certificates apt-transport-https git file unzip \
 && wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public \
      | gpg --dearmor -o /usr/share/keyrings/adoptium.gpg \
 && echo "deb [signed-by=/usr/share/keyrings/adoptium.gpg] https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" \
      > /etc/apt/sources.list.d/adoptium.list \
 && apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
      temurin-21-jdk \
 && rm -rf /var/lib/apt/lists/*

# Adoptium's Debian package installs to /usr/lib/jvm/temurin-21-jdk-<arch>
# (amd64 or arm64). Symlink to an arch-independent canonical name so the
# image works on both x86_64 Linux hosts and Apple Silicon (arm64) under
# Docker Desktop. The CI Dockerfile hardcodes -amd64 because GitHub-hosted
# runners are always x86_64; the local image can't make that assumption.
RUN ARCH=$(dpkg --print-architecture) \
 && test -d "/usr/lib/jvm/temurin-21-jdk-${ARCH}" \
 && ln -s "/usr/lib/jvm/temurin-21-jdk-${ARCH}" /usr/lib/jvm/temurin-21-jdk
ENV JAVA_HOME=/usr/lib/jvm/temurin-21-jdk
ENV PATH=$JAVA_HOME/bin:$PATH

# Sanity check — fail the build if JDK isn't reachable.
RUN java -version && javac -version

# Android SDK. Path matches GitHub-hosted runner convention so the same
# workflow steps work without modification.
ENV ANDROID_HOME=/usr/local/lib/android/sdk
ENV ANDROID_SDK_ROOT=$ANDROID_HOME

ARG CMDLINE_TOOLS_VERSION=11076708
ARG ANDROID_API_LEVEL=35
ARG ANDROID_BUILD_TOOLS_VERSION=35.0.0
# AGP 8.7.x (Capacitor 7.6's default) silently requires build-tools 34.0.0
# internally even when compileSdk is 35. Without 34.0.0 installed AND the SDK
# dir writable, `assembleDebug` aborts with "Failed to install the following
# SDK components: build-tools;34.0.0" early in dependency resolution. CI
# tolerates this because Forgejo runs the job container as root (writable
# SDK); the local script runs as the host user, so we pre-install both
# versions instead of leaving runtime to sdkmanager. Bump together with
# ANDROID_BUILD_TOOLS_VERSION when AGP's internal minimum changes.
ARG ANDROID_BUILD_TOOLS_AGP_MIN_VERSION=34.0.0

RUN mkdir -p "$ANDROID_HOME/cmdline-tools" \
 && cd /tmp \
 && wget -q "https://dl.google.com/android/repository/commandlinetools-linux-${CMDLINE_TOOLS_VERSION}_latest.zip" -O cmdline-tools.zip \
 && unzip -q cmdline-tools.zip -d "$ANDROID_HOME/cmdline-tools" \
 && mv "$ANDROID_HOME/cmdline-tools/cmdline-tools" "$ANDROID_HOME/cmdline-tools/latest" \
 && rm cmdline-tools.zip

ENV PATH=$ANDROID_HOME/cmdline-tools/latest/bin:$ANDROID_HOME/platform-tools:$PATH

# Accept all SDK licenses non-interactively, then install the platform +
# build-tools the Capacitor 7 default targets (compileSdk 35).
#
# `{ yes || true; }` swallows the SIGPIPE that bare `yes` gets when
# sdkmanager closes the pipe — Docker's RUN shell uses -o pipefail and
# would otherwise propagate yes's 141 exit code.
RUN { yes || true; } | sdkmanager --licenses >/dev/null \
 && sdkmanager --update >/dev/null \
 && sdkmanager \
      "platform-tools" \
      "platforms;android-${ANDROID_API_LEVEL}" \
      "build-tools;${ANDROID_BUILD_TOOLS_VERSION}" \
      "build-tools;${ANDROID_BUILD_TOOLS_AGP_MIN_VERSION}" \
 && chmod -R a+rX "$ANDROID_HOME"

# Sanity check — fail the build if any of the four Android components
# aren't reachable.
RUN sdkmanager --list_installed | grep -E "platforms;android-${ANDROID_API_LEVEL}|build-tools;${ANDROID_BUILD_TOOLS_VERSION}|build-tools;${ANDROID_BUILD_TOOLS_AGP_MIN_VERSION}|platform-tools"

# Enable yarn via corepack (ships with Node 22). The exact yarn version is
# resolved at runtime from the repo's package.json "packageManager" field
# (currently yarn 1.22.22) — pinning here would drift if the repo bumps.
RUN corepack enable

LABEL org.metascrub.builder.jdk="21"
LABEL org.metascrub.builder.node="22"
LABEL org.metascrub.builder.android-api-level="35"
LABEL org.metascrub.builder.android-build-tools="35.0.0,34.0.0"
LABEL org.metascrub.builder.cmdline-tools="11076708"
