From df1ec1879d8afd2968562acd7d7f4cd658cc8631 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Mon, 22 Jun 2026 21:01:17 +0000
Subject: [PATCH] chrome-service: build a real-Chrome browser image (H.264/AAC codecs)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add an infra-owned image (Playwright base + google-chrome-stable) + its GHA build workflow. The bundled Chromium ships proprietary codecs compiled out, so H.264/AAC video (Instagram Reels, X, most .mp4) fails in the noVNC view with MEDIA_ERR_SRC_NOT_SUPPORTED; only real Google Chrome carries those codecs (libffmpeg swap + Chrome-for-Testing both ruled out). This commit only builds the image (→ ghcr.io/viktorbarzin/chrome-service-browser); a follow-up flips main.tf's launch to it once the image exists + is public.
Co-Authored-By: Claude Opus 4.8
---
.../build-chrome-service-browser.yml | 39 +++++++++++++++++++
stacks/chrome-service/files/chrome/Dockerfile | 27 +++++++++++++
2 files changed, 66 insertions(+)
create mode 100644 .github/workflows/build-chrome-service-browser.yml
create mode 100644 stacks/chrome-service/files/chrome/Dockerfile
diff --git a/.github/workflows/build-chrome-service-browser.yml b/.github/workflows/build-chrome-service-browser.yml
new file mode 100644
index 00000000..9d2129c8
--- /dev/null
+++ b/.github/workflows/build-chrome-service-browser.yml
@@ -0,0 +1,39 @@
+name: Build chrome-service-browser
+
+# ADR-0002: infra-owned image built off-infra on GHA → ghcr. Playwright base +
+# real Google Chrome (proprietary H.264/AAC codecs) for the chrome-service
+# browser container, so the noVNC view can play H.264 video (Reels). Rebuilds
+# are rare → dispatch + path trigger. NOTE: after the first push, set the ghcr
+# package `chrome-service-browser` to PUBLIC (same as chrome-service-novnc) so
+# the pod pulls it without credentials.
+on:
+ push:
+ branches: [master]
+ paths:
+ - 'stacks/chrome-service/files/chrome/**'
+ workflow_dispatch: {}
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: docker/setup-buildx-action@v3
+ - uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - uses: docker/build-push-action@v6
+ with:
+ context: stacks/chrome-service/files/chrome
+ platforms: linux/amd64
+ provenance: false
+ push: true
+ tags: |
+ ghcr.io/viktorbarzin/chrome-service-browser:latest
+ ghcr.io/viktorbarzin/chrome-service-browser:${{ github.sha }}
diff --git a/stacks/chrome-service/files/chrome/Dockerfile b/stacks/chrome-service/files/chrome/Dockerfile
new file mode 100644
index 00000000..383912fd
--- /dev/null
+++ b/stacks/chrome-service/files/chrome/Dockerfile
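Review bot: The four `uses:` steps reference third-party actions by mutable tag (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/build-push-action@v6`) in a job that holds `packages: write` and passes `GITHUB_TOKEN` to the login step, so a retagged action would run with the ability to publish under this image name. Pinning each to a full commit SHA with the tag kept as a trailing comment closes that, e.g. `- uses: docker/login-action@<full-commit-sha> # v3`. Separately, the `on:` block rebuilds only when files under `stacks/chrome-service/files/chrome/` change, while the Dockerfile in this commit installs whatever `google-chrome-stable` is current at build time; a `schedule:` trigger (a weekly cron, for instance) would keep the browser patched between edits. `provenance: false` also deserves a one-line comment saying why build attestations are turned off, given that the package is meant to be made public.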
@@ -0,0 +1,27 @@
+# chrome-service browser image (ADR-0002, infra-owned, built off-infra on GHA).
+#
+# The Playwright base provides Xvfb + every browser runtime dep + fonts. On top
+# we install REAL Google Chrome for its licensed proprietary codecs (H.264/AAC):
+# the bundled open-source Chromium ships with those codecs COMPILED OUT, so
+# H.264/AAC video (Instagram Reels, X, most .mp4) fails in the noVNC view with
+# MEDIA_ERR_SRC_NOT_SUPPORTED. Swapping libffmpeg.so does NOT help (Playwright's
+# Chromium has the codecs compiled out, not just the lib stripped), and Chrome
+# for Testing is also codec-less — only google-chrome-stable carries them.
+#
+# main.tf launches /opt/google/chrome/chrome instead of the bundled
+# /ms-playwright/chromium-*/chrome. connect_over_cdp callers (tripit fare scrape,
+# homelab browser, snapshot-harvester) attach to whatever Chrome runs here.
+FROM mcr.microsoft.com/playwright:v1.48.0-noble
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends wget gnupg ca-certificates \
+ && wget -qO- https://dl.google.com/linux/linux_signing_key.pub \
+ | gpg --dearmor -o /usr/share/keyrings/google-chrome.gpg \
+ && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome.gpg] https://dl.google.com/linux/chrome/deb/ stable main" \
+ > /etc/apt/sources.list.d/google-chrome.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends google-chrome-stable \
+ && rm -rf /var/lib/apt/lists/*
+
+# Fail the build if Chrome isn't runnable / the path moved.
+RUN /opt/google/chrome/chrome --version
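Review bot: The image ends without a `USER` instruction, so unless the pod spec overrides it Chrome starts as the Playwright base's default user — presumably root — and Chrome run as root generally has to be started with its sandbox disabled, which matters for a browser that loads Instagram and X pages. If the launch in main.tf allows it, finish with `USER pwuser` after the version check (that is the unprivileged account Playwright images normally ship; confirm it exists in this tag). In the key-import step, `wget -qO- … | gpg --dearmor` runs under the default `/bin/sh` without pipefail, so a failed download is not itself what stops the build; adding `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the `RUN` makes that failure explicit. The downloaded signing key is also trusted as fetched; comparing its fingerprint against a value recorded in the repo would be a stronger check.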