build(frontend-builder): bake Playwright + chromium browser binary

CI's frontend test-e2e job was running `pnpm exec playwright install
chromium` every time — ~170MB chromium download per run, plus the
fall-through to `actions/cache` for the browser binary which only
hides the cost when the cache backend is healthy.

Bake it into the image instead:
- New ARG PLAYWRIGHT_VERSION=1.59.1 (must match KollectAI-ETL's
  frontend/svelte/package.json @playwright/test pin)
- New ENV PLAYWRIGHT_BROWSERS_PATH=/ms-playwright (constant location
  Playwright respects across pnpm/npm invocations)
- New RUN: `npx --yes "playwright@${PLAYWRIGHT_VERSION}" install chromium`

System libs (libnss3, libgbm1, libasound2, etc.) were already
pre-installed at the top of the file, so we skip --with-deps. Verify
step now also lists $PLAYWRIGHT_BROWSERS_PATH contents to fail-fast
if a future bump leaves the dir empty.

KollectAI-ETL's frontend.yml drops both `Cache Playwright browsers`
and `Install Playwright browsers` steps in the matching commit on
that side. Net: image build adds ~170MB but every CI test-e2e run
saves ~30-60s (download time + cache I/O).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ci/frontend-builder/Dockerfile

@@ -4,7 +4,7 @@
 # protobuf TypeScript code generation.
 # Contains: Node.js, pnpm, buf CLI, @bufbuild/protoc-gen-es plugin
 # (global so buf 'local: protoc-gen-es' resolves via PATH), Playwright
-# system deps, ORAS CLI, common build tools.
+# (chromium browser binary + system deps), ORAS CLI, common build tools.
 #
 # Build:
 #   docker build -t 192.168.1.72/kollect-tools/ci/frontend-builder:latest ci/frontend-builder/
@@ -24,14 +24,19 @@ ARG BUF_VERSION=1.55.0
 # but we still bake it for ad-hoc use inside the container.
 ARG PROTOC_GEN_ES_VERSION=2.12.0
 ARG ORAS_VERSION=1.2.2
+# Pin Playwright in lockstep with frontend/svelte/package.json's
+# @playwright/test version. If the project uses a different patch level,
+# Playwright re-downloads the right browser at runtime; matching here
+# means CI hits the prebaked browser cache and skips the download.
+ARG PLAYWRIGHT_VERSION=1.59.1
+
+# Install Playwright browsers under a known global path so they survive
+# across containers and so `pnpm exec playwright install` reuses them.
+ENV PLAYWRIGHT_BROWSERS_PATH=/ms-playwright
 
 # ─────────────────────────────────────────────────────────────────────
-# System dependencies
+# System dependencies (Playwright chromium runtime libs included so the
-#
+# browser launches without `playwright install --with-deps`)
-# The Playwright system libs (libnss3 ... libasound2) are pre-installed
-# so test-e2e jobs can skip `playwright install --with-deps` and just
-# run `playwright install chromium` (browser binary still cached at
-# ~/.cache/ms-playwright in CI). Saves ~30s per E2E run.
 # ─────────────────────────────────────────────────────────────────────
 RUN apt-get update && apt-get install -y --no-install-recommends \
         ca-certificates \
@@ -82,6 +87,17 @@ RUN npm install -g "@bufbuild/protoc-gen-es@${PROTOC_GEN_ES_VERSION}"
 RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
     | tar -xz -C /usr/local/bin oras
 
+# ─────────────────────────────────────────────────────────────────────
+# Playwright + chromium browser binary
+#
+# Browsers go to /ms-playwright (PLAYWRIGHT_BROWSERS_PATH set above) so
+# CI's `pnpm exec playwright install chromium` finds the prebaked binary
+# and skips the ~170MB download. System libs are already installed at
+# the top of the file, so we use bare `playwright install chromium`
+# (no --with-deps).
+# ─────────────────────────────────────────────────────────────────────
+RUN npx --yes "playwright@${PLAYWRIGHT_VERSION}" install chromium
+
 WORKDIR /workspace
 
 # Verify installation
@@ -90,4 +106,5 @@ RUN node --version \
     && buf --version \
     && protoc-gen-es --version \
     && oras version \
-    && jq --version
+    && jq --version \
+    && ls "${PLAYWRIGHT_BROWSERS_PATH}"

ci/frontend-builder/README.md

@@ -8,7 +8,8 @@ Pre-baked build environment for KollectAI-ETL frontend (SvelteKit) CI jobs and p
 - pnpm 10 (via corepack)
 - [buf](https://buf.build) CLI — for `buf lint` and `buf generate`
 - [`@bufbuild/protoc-gen-es`](https://www.npmjs.com/package/@bufbuild/protoc-gen-es) — installed globally so `buf` v2 `local: protoc-gen-es` resolves via PATH (no BSR remote-plugin calls)
-- Playwright chromium runtime libraries pre-installed (`libnss3`, `libgbm1`, `libasound2`, etc.) — so `playwright install chromium` works without `--with-deps` apt fetches
+- Playwright chromium runtime libraries pre-installed (`libnss3`, `libgbm1`, `libasound2`, etc.)
+- **Playwright + chromium browser binary** prebaked at `/ms-playwright` (`PLAYWRIGHT_BROWSERS_PATH=/ms-playwright`) — CI's `pnpm exec playwright install chromium` finds the prebaked binary and skips the ~170MB download every run. Pin must match `frontend/svelte/package.json`'s `@playwright/test` version
 - ORAS CLI — for uploading test reports / audit artifacts to Harbor
 - `git`, `jq`, `curl`, `unzip`
 
@@ -27,6 +28,7 @@ docker push 192.168.1.72/kollect-tools/ci/frontend-builder:latest
 | `PNPM_VERSION` | `10.15.0` | pnpm version (corepack-activated) |
 | `BUF_VERSION` | `1.55.0` | buf CLI version |
 | `PROTOC_GEN_ES_VERSION` | `2.12.0` | `@bufbuild/protoc-gen-es` version (ad-hoc use only — KollectAI-ETL CI uses the version pinned in `proto/pnpm-lock.yaml`) |
+| `PLAYWRIGHT_VERSION` | `1.59.1` | Playwright version. Must match `frontend/svelte/package.json` `@playwright/test`; mismatch causes runtime browser re-download |
 | `ORAS_VERSION` | `1.2.2` | ORAS CLI version |
 
 ## Usage in CI
@@ -53,14 +55,16 @@ For protobuf TS codegen (`buf.gen.yaml` declares `local: protoc-gen-es`):
   run: buf generate
 ```
 
-For Playwright E2E (drop `--with-deps` because system libs are pre-installed):
+For Playwright E2E — the chromium binary is **prebaked**, so CI doesn't need to install it. Just run the tests directly:
 
 ```yaml
-- name: Install Playwright browsers
+- name: E2E tests
   working-directory: frontend/svelte
-  run: pnpm exec playwright install chromium
+  run: pnpm test:e2e
 ```
 
+If a CI step does run `pnpm exec playwright install chromium`, it'll detect the prebaked binary at `$PLAYWRIGHT_BROWSERS_PATH` and exit immediately (no download). System libs are pre-installed, so `--with-deps` is also unnecessary.
+
 ## Maintenance
 
 Rebuild on dependency bumps: