# Job container image for Android workflows. Inherits forgejo-stack/job:latest
# (Node 22 + yarn + Playwright stack) and adds JDK 21 + Android SDK so
# Capacitor / Gradle workflows skip the ~3-5 min SDK install on every run.
#
# Built locally by setup.sh and tagged forgejo-stack/job-android:latest.
# Workflows opt in via `container: forgejo-stack/job-android:latest` at the
# job level — the main job image stays slim for non-Android jobs.
#
# Cold-build win vs. installing setup-java@v4 + setup-android@v3 per job:
#   - JDK 17 install:           ~15s saved
#   - cmdline-tools download:   ~30s saved
#   - platforms;android-35:     ~1m saved
#   - build-tools;35.0.0:       ~1m saved
#   - License acceptance:       ~30s saved
#   Total saved per cold run:   ~3-5 min
#
# Bump ANDROID_API_LEVEL + ANDROID_BUILD_TOOLS_VERSION when targeting newer
# Android SDKs; bump CMDLINE_TOOLS_VERSION + CMDLINE_TOOLS_REVISION when
# upstream Android cmdline-tools ships a new revision.
FROM forgejo-stack/job:latest

USER root

# JDK 21 (Temurin) via Eclipse Adoptium apt repo. Capacitor 7.6.x's
# capacitor-android library compiles against Java 21 source level
# (`sourceCompatibility = VERSION_21`); JDK 17 errors out at the javac
# stage with `invalid source release: 21`. Verified on exifcleaner-web
# run #160 (the first dispatch after wiring up the prebaked image).
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
      wget gnupg ca-certificates apt-transport-https \
 && wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public \
      | gpg --dearmor -o /usr/share/keyrings/adoptium.gpg \
 && echo "deb [signed-by=/usr/share/keyrings/adoptium.gpg] https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" \
      > /etc/apt/sources.list.d/adoptium.list \
 && apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
      temurin-21-jdk unzip \
 && rm -rf /var/lib/apt/lists/*

ENV JAVA_HOME=/usr/lib/jvm/temurin-21-jdk-amd64
ENV PATH=$JAVA_HOME/bin:$PATH

# Sanity check — fail the build if JDK isn't reachable.
RUN java -version && javac -version

# Android SDK. Path matches GitHub-hosted runner convention so workflows
# written against that environment work without modification.
ENV ANDROID_HOME=/usr/local/lib/android/sdk
ENV ANDROID_SDK_ROOT=$ANDROID_HOME

# Pin the cmdline-tools revision so image rebuilds are reproducible. Bump
# both values when refreshing — the URL changes alongside the in-archive
# version label.
ARG CMDLINE_TOOLS_VERSION=11076708
ARG ANDROID_API_LEVEL=35
ARG ANDROID_BUILD_TOOLS_VERSION=35.0.0

RUN mkdir -p "$ANDROID_HOME/cmdline-tools" \
 && cd /tmp \
 && wget -q "https://dl.google.com/android/repository/commandlinetools-linux-${CMDLINE_TOOLS_VERSION}_latest.zip" -O cmdline-tools.zip \
 && unzip -q cmdline-tools.zip -d "$ANDROID_HOME/cmdline-tools" \
 && mv "$ANDROID_HOME/cmdline-tools/cmdline-tools" "$ANDROID_HOME/cmdline-tools/latest" \
 && rm cmdline-tools.zip

ENV PATH=$ANDROID_HOME/cmdline-tools/latest/bin:$ANDROID_HOME/platform-tools:$PATH

# Accept all SDK licenses non-interactively, then install the platform +
# build-tools the Capacitor 7 default targets (compileSdk 35).
#
# We pipe through a brace group `{ yes || true; }` rather than bare `yes`
# because Docker's RUN shell runs with `-o pipefail`: `sdkmanager` closes
# the pipe as soon as it's done reading, `yes` gets SIGPIPE → exits 141,
# and pipefail propagates that 141 to the RUN. The brace group swallows
# yes's exit, leaving sdkmanager's exit code as the pipeline's exit.
RUN { yes || true; } | sdkmanager --licenses >/dev/null \
 && sdkmanager --update >/dev/null \
 && sdkmanager \
      "platform-tools" \
      "platforms;android-${ANDROID_API_LEVEL}" \
      "build-tools;${ANDROID_BUILD_TOOLS_VERSION}" \
 && chmod -R a+rX "$ANDROID_HOME"

# Sanity check — fail the build if any of the three Android tools aren't
# reachable. (aapt2 lives in build-tools; adb in platform-tools.)
RUN sdkmanager --list_installed | grep -E "platforms;android-${ANDROID_API_LEVEL}|build-tools;${ANDROID_BUILD_TOOLS_VERSION}|platform-tools"

# Note on Gradle: we don't bake Gradle itself or AGP plugins into the image.
# Consumer projects ship a Gradle wrapper (`gradlew`) that downloads the
# project-pinned Gradle version on first use, and AGP plugins are pulled
# transitively by `assembleDebug`. Workflows cache `~/.gradle` via
# actions/cache@v4 — second runs on the same host are warm. We could
# pre-warm AGP plugin metadata here, but doing it well requires coupling
# the image to a specific AGP version; not worth the maintenance burden.

# Document the toolchain versions baked in (handy for `docker inspect`).
LABEL org.metascrub.runner.jdk="21"
LABEL org.metascrub.runner.android-api-level="35"
LABEL org.metascrub.runner.android-build-tools="35.0.0"
LABEL org.metascrub.runner.cmdline-tools="11076708"
