{{
	def is_alpine:
		env.variant | startswith("alpine")
	;
	def alpine_version:
		env.variant | ltrimstr("alpine")
-}}
{{ if is_alpine then ( -}}
FROM alpine:{{ alpine_version }} AS build
{{ ) else ( -}}
FROM buildpack-deps:{{ env.variant }}-scm AS build
{{ ) end -}}

ENV PATH /usr/local/go/bin:$PATH

{{ if env.version != "tip" then ( -}}
ENV GOLANG_VERSION {{ .version }}
{{ ) else ( -}}
COPY --from=golang:{{ env.variant }} /usr/local/go /usr/local/goroot-bootstrap

# {{ .version }}: https://github.com/golang/go/tree/{{ .commit.version }}
ARG GOLANG_COMMIT={{ .commit.version | @sh }}
ENV GOLANG_COMMIT $GOLANG_COMMIT
{{ ) end -}}

{{
	def os_arches:
		if is_alpine then
			{
				# https://dl-cdn.alpinelinux.org/alpine/edge/main/
				# https://dl-cdn.alpinelinux.org/alpine/latest-stable/main/
				amd64: "x86_64",
				arm32v6: "armhf",
				arm32v7: "armv7",
				arm64v8: "aarch64",
				i386: "x86",
				ppc64le: "ppc64le",
				riscv64: "riscv64",
				s390x: "s390x",
			}
		else
			{
				# https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/data/cputable
				# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines
				# https://deb.debian.org/debian/dists/unstable/Release ("Architectures:")
				# http://deb.debian.org/debian/dists/unstable/main/
				# http://deb.debian.org/debian/dists/stable/main/
				# https://deb.debian.org/debian-ports/dists/unstable/main/
				amd64: "amd64",
				arm32v5: "armel",
				arm32v7: "armhf",
				arm64v8: "arm64",
				i386: "i386",
				mips64le: "mips64el",
				ppc64le: "ppc64el",
				riscv64: "riscv64",
				s390x: "s390x",
			}
		end
-}}
RUN set -eux; \
	now="$(date '+%s')"; \
{{ if is_alpine then ( -}}
	apk add --no-cache --virtual .fetch-deps \
{{ if env.version != "tip" then ( -}}
		ca-certificates \
		gnupg \
# busybox's "tar" doesn't handle directory mtime correctly, so our SOURCE_DATE_EPOCH lookup doesn't work (the mtime of "/usr/local/go" always ends up being the extraction timestamp)
		tar \
{{ ) else ( -}}
		bash \
		git \
{{ ) end -}}
	; \
	arch="$(apk --print-arch)"; \
{{ ) else ( -}}
	arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
{{ ) end -}}
{{ if env.version != "tip" then ( -}}
	url=; \
{{ ) else "" end -}}
	case "$arch" in \
{{
	[
		.arches | to_entries[]
		| select(.value.supported)
		| .key as $bashbrewArch
		| (
			os_arches
			| .[$bashbrewArch] // empty
		) as $osArch
		| .value
		| (
-}}
		{{ $osArch | @sh }}) \
{{ if env.version != "tip" then ( -}}
			url={{ .url | @sh }}; \
			sha256={{ .sha256 | @sh }}; \
{{ ) else ( -}}
			export {{ .env | to_entries | sort_by(.key) | map(.key + "=" + (.value | @sh)) | join(" ") }}; \
{{ ) end -}}
			;; \
{{
		)
	] | add
-}}
		*) echo >&2 "error: unsupported architecture '$arch' (likely packaging update needed)"; exit 1 ;; \
	esac; \
	\
{{ if env.version != "tip" then ( -}}
	wget -O go.tgz.asc "$url.asc"; \
	wget -O go.tgz "$url"{{ if is_alpine then "" else " --progress=dot:giga" end }}; \
	echo "$sha256 *go.tgz" | sha256sum -c -; \
	\
# https://github.com/golang/go/issues/14739#issuecomment-324767697
	GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
# https://www.google.com/linuxrepositories/
	gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796'; \
# let's also fetch the specific subkey of that key explicitly that we expect "go.tgz.asc" to be signed by, just to make sure we definitely have it
	gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '2F52 8D36 D67B 69ED F998  D857 78BD 6547 3CB3 BD13'; \
	gpg --batch --verify go.tgz.asc go.tgz; \
	gpgconf --kill all; \
	rm -rf "$GNUPGHOME" go.tgz.asc; \
	\
	tar -C /usr/local -xzf go.tgz; \
	rm go.tgz; \
	\
# save the timestamp from the tarball so we can restore it for reproducibility, if necessary (see below)
	SOURCE_DATE_EPOCH="$(stat -c '%Y' /usr/local/go)"; \
{{ ) else ( -}}
# before we get too far, let's validate that our "bootstrap" Go works
	export GOROOT_BOOTSTRAP=/usr/local/goroot-bootstrap; \
	"$GOROOT_BOOTSTRAP/bin/go" version; \
	\
	git init --quiet /usr/local/go; \
	git -C /usr/local/go fetch --depth 1 https://github.com/golang/go.git "$GOLANG_COMMIT:"; \
	git -C /usr/local/go checkout --quiet FETCH_HEAD; \
	\
# save the Git timestamp so we can use it for reproducibility
	SOURCE_DATE_EPOCH="$(git -C /usr/local/go log -1 --format='format:%ct' HEAD)"; \
{{ ) end -}}
	export SOURCE_DATE_EPOCH; \
	touchy="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
# for logging validation/edification
	date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
# sanity check (detected value should be older than our wall clock)
	[ "$SOURCE_DATE_EPOCH" -lt "$now" ]; \
	\
{{ if env.version == "tip" then ( -}}
	( \
		export \
			GOCACHE='/tmp/gocache' \
# set GOHOST* to make sure explicitly 32bit builds on 64bit infra work correctly
			GOHOSTOS="$GOOS" \
			GOHOSTARCH="$GOARCH" \
		; \
		\
		cd /usr/local/go/src; \
		./make.bash; \
		\
# remove a few intermediate / bootstrapping files the official binary release tarballs do not contain (and ".git" that is hard to make reproducible)
		rm -rf \
			/usr/local/go/.git* \
			/usr/local/go/pkg/*/cmd \
			/usr/local/go/pkg/bootstrap \
			/usr/local/go/pkg/obj \
			/usr/local/go/pkg/tool/*/api \
			/usr/local/go/pkg/tool/*/go_bootstrap \
			/usr/local/go/src/cmd/dist/dist \
			"$GOCACHE" \
		; \
		\
# clamp timestamps for reproducibility (allows "COPY --link" to be more clever/useful)
		touch -t "$touchy" /usr/local/.go-date-stamp; \
		find /usr/local/go -depth -newer /usr/local/.go-date-stamp -exec touch -ht "$touchy" '{}' +; \
		rm /usr/local/.go-date-stamp; \
	); \
	\
{{ ) elif .arches["arm32v7"].url // "" | contains("armv6") then ( -}}
	if [ "$arch" = {{ os_arches["arm32v7"] | @sh }} ]; then \
		[ -s /usr/local/go/go.env ]; \
		before="$(go env GOARM)"; [ "$before" != {{ .arches["arm32v7"].env["GOARM"] | @sh }} ]; \
		{ \
			echo; \
			echo '# https://github.com/docker-library/golang/issues/494'; \
			echo {{ "GOARM=\(.arches["arm32v7"].env["GOARM"])" | @sh }}; \
		} >> /usr/local/go/go.env; \
		after="$(go env GOARM)"; [ "$after" = {{ .arches["arm32v7"].env["GOARM"] | @sh }} ]; \
# (re-)clamp timestamp for reproducibility (allows "COPY --link" to be more clever/useful)
		touch -t "$touchy" /usr/local/go/go.env /usr/local/go; \
	fi; \
	\
{{ ) else "" end -}}
# ideally at this point, we would just "COPY --link ... /usr/local/go/ /usr/local/go/" but BuildKit insists on creating the parent directories (perhaps related to https://github.com/opencontainers/image-spec/pull/970), and does so with unreproducible timestamps, so we instead create a whole new "directory tree" that we can "COPY --link" to accomplish what we want
	mkdir /target /target/usr /target/usr/local; \
	mv -vT /usr/local/go /target/usr/local/go; \
	ln -svfT /target/usr/local/go /usr/local/go; \
	touch -t "$touchy" /target/usr/local /target/usr /target; \
	\
{{ if is_alpine then ( -}}
	apk del --no-network .fetch-deps; \
	\
{{ ) else "" end -}}
# smoke test
	go version; \
# make sure our reproducibile timestamp is probably still correct (best-effort inline reproducibility test)
	epoch="$(stat -c '%Y' /target/usr/local/go)"; \
	[ "$SOURCE_DATE_EPOCH" = "$epoch" ]; \
	find /target -newer /target/usr/local/go -exec sh -c 'ls -ld "$@" && exit "$#"' -- '{}' +

{{ if is_alpine then ( -}}
FROM alpine:{{ alpine_version }}

RUN apk add --no-cache ca-certificates
{{ ) else ( -}}
FROM buildpack-deps:{{ env.variant }}-scm

# install cgo-related dependencies
RUN set -eux; \
	apt-get update; \
	apt-get install -y --no-install-recommends \
		g++ \
		gcc \
		libc6-dev \
		make \
		pkg-config \
	; \
	rm -rf /var/lib/apt/lists/*
{{ ) end -}}

{{ if env.version != "tip" then ( -}}
ENV GOLANG_VERSION {{ .version }}

{{ ) else "" end -}}
# don't auto-upgrade the gotoolchain
# https://github.com/docker-library/golang/issues/472
ENV GOTOOLCHAIN=local

ENV GOPATH /go
ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
# (see notes above about "COPY --link")
COPY --from=build --link /target/ /
RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH"
WORKDIR $GOPATH