ops/devops: add console runner image CI build

.gitea/workflows/console-runner-image.yml

@@ -0,0 +1,32 @@
+name: console-runner-image
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - 'ops/devops/console/**'
+      - '.gitea/workflows/console-runner-image.yml'
+
+jobs:
+  build-runner-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build runner image tarball (baked caches)
+        env:
+          RUN_ID: ${{ github.run_id }}
+        run: |
+          set -euo pipefail
+          chmod +x ops/devops/console/build-runner-image.sh ops/devops/console/build-runner-image-ci.sh
+          ops/devops/console/build-runner-image-ci.sh
+
+      - name: Upload runner image artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: console-runner-image-${{ github.run_id }}
+          path: ops/devops/artifacts/console-runner/
+          retention-days: 14

docs/implplan/SPRINT_0504_0001_0001_ops_devops_ii.md

@@ -41,6 +41,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-07 | Added console runner CI build workflow (`.gitea/workflows/console-runner-image.yml`) and CI wrapper (`ops/devops/console/build-runner-image-ci.sh`) to publish baked runner tarball + metadata. | DevOps Guild |
 | 2025-12-07 | Added console runner Dockerfile + build helper to bake npm/Playwright caches; README updated with runner image usage. | DevOps Guild |
 | 2025-12-07 | Added console offline runner spec (`ops/devops/console/README.md`) and manual-only CI skeleton (`.gitea/workflows/console-ci.yml`); moved DEVOPS-CONSOLE-23-001 to DOING pending runner cache bake/approval. | DevOps Guild |
 | 2025-12-07 | Added Playwright cache seeding helper (`ops/devops/console/seed_playwright.sh`) to bake Chromium into offline runners; enabled PR triggers in `.gitea/workflows/console-ci.yml` (runner must include seeded cache). | DevOps Guild |

ops/devops/console/README.md

@@ -1,6 +1,6 @@
 # Console CI runner (offline-friendly)
 
-Status: runner spec + CI now wired to PRs; runner image scaffold now available with baked npm + Playwright cache.
+Status: runner spec + CI now wired to PRs; runner image scaffold + CI build workflow now available with baked npm + Playwright cache.
 
 ## Runner profile
 - OS: Ubuntu 22.04 LTS (x86_64) with Docker available for Playwright deps if needed.
@@ -29,6 +29,8 @@ Status: runner spec + CI now wired to PRs; runner image scaffold now available w
 - Build locally: `IMAGE_TAG=stellaops/console-runner:offline OUTPUT_TAR=ops/devops/artifacts/console-runner/console-runner.tar ops/devops/console/build-runner-image.sh`
   - `OUTPUT_TAR` optional; when set, the script saves the image for airgap transport.
 - Runner expectations: `NPM_CONFIG_CACHE=~/.npm`, `PLAYWRIGHT_BROWSERS_PATH=~/.cache/ms-playwright` (paths already baked). Register the runner with a label (e.g., `console-ci`) and point `.gitea/workflows/console-ci.yml` at that runner pool.
+- CI build helper: `ops/devops/console/build-runner-image-ci.sh` wraps the build, sets a run-scoped tag, emits metadata JSON, and saves a tarball under `ops/devops/artifacts/console-runner/`.
+- CI workflow: `.gitea/workflows/console-runner-image.yml` (manual + path-trigger) builds the runner image and uploads the tarball + metadata as an artifact named `console-runner-image-<run_id>`.
 
 ### Seeding Playwright cache (one-time per runner image, host-based option)
 ```bash
@@ -39,3 +41,4 @@ ops/devops/console/seed_playwright.sh
 ## How to run
 - PR-triggered via `.gitea/workflows/console-ci.yml`; restrict runners to images with baked Playwright cache.
 - Manual `workflow_dispatch` remains available for dry runs or cache updates.
+- To refresh the runner image, run the `console-runner-image` workflow or execute `ops/devops/console/build-runner-image-ci.sh` locally to generate a tarball and metadata for distribution.

ops/devops/console/build-runner-image-ci.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# CI-friendly wrapper to build the console runner image with baked npm/Playwright caches
+# and emit a tarball + metadata for offline distribution.
+#
+# Inputs (env):
+#   RUN_ID           : unique run identifier (default: $GITHUB_RUN_ID or UTC timestamp)
+#   IMAGE_TAG        : optional override of image tag (default: stellaops/console-runner:offline-$RUN_ID)
+#   OUTPUT_TAR       : optional override of tarball path (default: ops/devops/artifacts/console-runner/console-runner-$RUN_ID.tar)
+#   APP_DIR          : optional override of app directory (default: src/Web/StellaOps.Web)
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+RUN_ID="${RUN_ID:-${GITHUB_RUN_ID:-$(date -u +%Y%m%dT%H%M%SZ)}}"
+APP_DIR="${APP_DIR:-src/Web/StellaOps.Web}"
+IMAGE_TAG="${IMAGE_TAG:-stellaops/console-runner:offline-$RUN_ID}"
+OUTPUT_TAR="${OUTPUT_TAR:-$ROOT/ops/devops/artifacts/console-runner/console-runner-$RUN_ID.tar}"
+META_DIR="$(dirname "$OUTPUT_TAR")"
+META_JSON="$META_DIR/console-runner-$RUN_ID.json"
+
+mkdir -p "$META_DIR"
+
+IMAGE_TAG="$IMAGE_TAG" OUTPUT_TAR="$OUTPUT_TAR" APP_DIR="$APP_DIR" "$ROOT/ops/devops/console/build-runner-image.sh"
+
+digest="$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE_TAG" || true)"
+id="$(docker image inspect --format='{{.Id}}' "$IMAGE_TAG" || true)"
+
+cat > "$META_JSON" <<EOF
+{
+  "run_id": "$RUN_ID",
+  "image_tag": "$IMAGE_TAG",
+  "image_id": "$id",
+  "repo_digest": "$digest",
+  "output_tar": "$(python - <<PY
+import os, sys
+print(os.path.relpath("$OUTPUT_TAR","$ROOT"))
+PY
+)"
+}
+EOF
+
+echo "Built $IMAGE_TAG"
+echo "Saved tarball: $OUTPUT_TAR"
+echo "Metadata: $META_JSON"