ops/devops: add console runner image CI build

ops/devops/console/README.md

@@ -1,6 +1,6 @@
 # Console CI runner (offline-friendly)
 
-Status: runner spec + CI now wired to PRs; runner image scaffold now available with baked npm + Playwright cache.
+Status: runner spec + CI now wired to PRs; runner image scaffold + CI build workflow now available with baked npm + Playwright cache.
 
 ## Runner profile
 - OS: Ubuntu 22.04 LTS (x86_64) with Docker available for Playwright deps if needed.
@@ -29,6 +29,8 @@ Status: runner spec + CI now wired to PRs; runner image scaffold now available w
 - Build locally: `IMAGE_TAG=stellaops/console-runner:offline OUTPUT_TAR=ops/devops/artifacts/console-runner/console-runner.tar ops/devops/console/build-runner-image.sh`
   - `OUTPUT_TAR` optional; when set, the script saves the image for airgap transport.
 - Runner expectations: `NPM_CONFIG_CACHE=~/.npm`, `PLAYWRIGHT_BROWSERS_PATH=~/.cache/ms-playwright` (paths already baked). Register the runner with a label (e.g., `console-ci`) and point `.gitea/workflows/console-ci.yml` at that runner pool.
+- CI build helper: `ops/devops/console/build-runner-image-ci.sh` wraps the build, sets a run-scoped tag, emits metadata JSON, and saves a tarball under `ops/devops/artifacts/console-runner/`.
+- CI workflow: `.gitea/workflows/console-runner-image.yml` (manual + path-trigger) builds the runner image and uploads the tarball + metadata as an artifact named `console-runner-image-<run_id>`.
 
 ### Seeding Playwright cache (one-time per runner image, host-based option)
 ```bash
@@ -39,3 +41,4 @@ ops/devops/console/seed_playwright.sh
 ## How to run
 - PR-triggered via `.gitea/workflows/console-ci.yml`; restrict runners to images with baked Playwright cache.
 - Manual `workflow_dispatch` remains available for dry runs or cache updates.
+- To refresh the runner image, run the `console-runner-image` workflow or execute `ops/devops/console/build-runner-image-ci.sh` locally to generate a tarball and metadata for distribution.

ops/devops/console/build-runner-image-ci.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# CI-friendly wrapper to build the console runner image with baked npm/Playwright caches
+# and emit a tarball + metadata for offline distribution.
+#
+# Inputs (env):
+#   RUN_ID           : unique run identifier (default: $GITHUB_RUN_ID or UTC timestamp)
+#   IMAGE_TAG        : optional override of image tag (default: stellaops/console-runner:offline-$RUN_ID)
+#   OUTPUT_TAR       : optional override of tarball path (default: ops/devops/artifacts/console-runner/console-runner-$RUN_ID.tar)
+#   APP_DIR          : optional override of app directory (default: src/Web/StellaOps.Web)
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+RUN_ID="${RUN_ID:-${GITHUB_RUN_ID:-$(date -u +%Y%m%dT%H%M%SZ)}}"
+APP_DIR="${APP_DIR:-src/Web/StellaOps.Web}"
+IMAGE_TAG="${IMAGE_TAG:-stellaops/console-runner:offline-$RUN_ID}"
+OUTPUT_TAR="${OUTPUT_TAR:-$ROOT/ops/devops/artifacts/console-runner/console-runner-$RUN_ID.tar}"
+META_DIR="$(dirname "$OUTPUT_TAR")"
+META_JSON="$META_DIR/console-runner-$RUN_ID.json"
+
+mkdir -p "$META_DIR"
+
+IMAGE_TAG="$IMAGE_TAG" OUTPUT_TAR="$OUTPUT_TAR" APP_DIR="$APP_DIR" "$ROOT/ops/devops/console/build-runner-image.sh"
+
+digest="$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE_TAG" || true)"
+id="$(docker image inspect --format='{{.Id}}' "$IMAGE_TAG" || true)"
+
+cat > "$META_JSON" <<EOF
+{
+  "run_id": "$RUN_ID",
+  "image_tag": "$IMAGE_TAG",
+  "image_id": "$id",
+  "repo_digest": "$digest",
+  "output_tar": "$(python - <<PY
+import os, sys
+print(os.path.relpath("$OUTPUT_TAR","$ROOT"))
+PY
+)"
+}
+EOF
+
+echo "Built $IMAGE_TAG"
+echo "Saved tarball: $OUTPUT_TAR"
+echo "Metadata: $META_JSON"