chrome-service: build a real-Chrome browser image (H.264/AAC codecs)

Add an infra-owned image (Playwright base + google-chrome-stable) + its GHA
build workflow. The bundled Chromium ships proprietary codecs compiled out, so
H.264/AAC video (Instagram Reels, X, most .mp4) fails in the noVNC view with
MEDIA_ERR_SRC_NOT_SUPPORTED; only real Google Chrome carries those codecs
(libffmpeg swap + Chrome-for-Testing both ruled out). This commit only builds
the image (→ ghcr.io/viktorbarzin/chrome-service-browser); a follow-up flips
main.tf's launch to it once the image exists + is public.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.github/workflows/build-chrome-service-browser.yml

@@ -0,0 +1,39 @@
+name: Build chrome-service-browser
+
+# ADR-0002: infra-owned image built off-infra on GHA → ghcr. Playwright base +
+# real Google Chrome (proprietary H.264/AAC codecs) for the chrome-service
+# browser container, so the noVNC view can play H.264 video (Reels). Rebuilds
+# are rare → dispatch + path trigger. NOTE: after the first push, set the ghcr
+# package `chrome-service-browser` to PUBLIC (same as chrome-service-novnc) so
+# the pod pulls it without credentials.
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'stacks/chrome-service/files/chrome/**'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v6
+        with:
+          context: stacks/chrome-service/files/chrome
+          platforms: linux/amd64
+          provenance: false
+          push: true
+          tags: |
+            ghcr.io/viktorbarzin/chrome-service-browser:latest
+            ghcr.io/viktorbarzin/chrome-service-browser:${{ github.sha }}

stacks/chrome-service/files/chrome/Dockerfile

@@ -0,0 +1,27 @@
+# chrome-service browser image (ADR-0002, infra-owned, built off-infra on GHA).
+#
+# The Playwright base provides Xvfb + every browser runtime dep + fonts. On top
+# we install REAL Google Chrome for its licensed proprietary codecs (H.264/AAC):
+# the bundled open-source Chromium ships with those codecs COMPILED OUT, so
+# H.264/AAC video (Instagram Reels, X, most .mp4) fails in the noVNC view with
+# MEDIA_ERR_SRC_NOT_SUPPORTED. Swapping libffmpeg.so does NOT help (Playwright's
+# Chromium has the codecs compiled out, not just the lib stripped), and Chrome
+# for Testing is also codec-less — only google-chrome-stable carries them.
+#
+# main.tf launches /opt/google/chrome/chrome instead of the bundled
+# /ms-playwright/chromium-*/chrome. connect_over_cdp callers (tripit fare scrape,
+# homelab browser, snapshot-harvester) attach to whatever Chrome runs here.
+FROM mcr.microsoft.com/playwright:v1.48.0-noble
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends wget gnupg ca-certificates \
+ && wget -qO- https://dl.google.com/linux/linux_signing_key.pub \
+      | gpg --dearmor -o /usr/share/keyrings/google-chrome.gpg \
+ && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome.gpg] https://dl.google.com/linux/chrome/deb/ stable main" \
+      > /etc/apt/sources.list.d/google-chrome.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends google-chrome-stable \
+ && rm -rf /var/lib/apt/lists/*
+
+# Fail the build if Chrome isn't runnable / the path moved.
+RUN /opt/google/chrome/chrome --version