feat(ci-latex): bake nodejs + npm + Chromium runtime libs into the image

Summary

Bake Node.js + npm + the Chromium runtime closure into the ci-latex image so downstream consumers that combine LaTeX rendering with HTML preview capture (Playwright Chromium) don't need to re-install the same package set in every pipeline.

The load-bearing consumer today is the public-sector reference's capture-template-previews job, which renders a paper template via tectonic + screenshots lab + docs templates via Playwright Chromium in one job. After this MR lands and :latest rebuilds, that job's before_script collapses to nothing.

Why these packages

  • nodejs + npm: Fedora 44 ships Node 22. The paper component itself doesn't need Node, but every consumer that pairs PDF + HTML capture does.
  • Chromium runtime libs: Playwright's --with-deps flag only knows apt-get and exits 127 on Fedora. The closure baked here was validated against Playwright Chromium 148.x in reference!1 (merged) -- with these baked, npx playwright install chromium (no --with-deps) succeeds:
    • nss, nspr, atk, at-spi2-atk, cups-libs
    • libdrm, mesa-libgbm, libxkbcommon, alsa-lib
    • pango, cairo
    • libXcomposite, libXdamage, libXfixes, libXrandr, libXScrnSaver, libXtst, libxshmfence
  • npm config set prefix /usr/local: stable system path for global installs.

Drive-by fixes

  • File header said Fedora 42; FROM is Fedora 44 since 0b76586. Updated comment.
  • Smoke-test RUN now asserts node --version and npm --version too.
  • LABEL image.description mentions Node + Chromium and the Fedora 44 base.

Impact on the image

Adds ~200MB to the final image (Node 22 + Chromium runtime libs + their transitive deps). TeX Live full already dominates the layer size; this is additive at the margin.

The pre-existing paper component invocation stays identical -- the new packages don't change the LaTeX/Typst/poppler-utils surface that the paper component depends on. They just expand what's available for jobs that pull this image directly (like the reference's capture-template-previews).

Test plan

  • CI pipeline on this branch rebuilds ci-latex successfully (rules already match: containers/ci-latex.Containerfile change → build:ci-latex runs)
  • Image rebuild is signed (cosign) per the .image-build template's existing flow
  • After merge to main, :latest is published and the reference's MR !1 (merged) can drop its dnf install before_script
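A check a consumer could run inside the rebuilt image to confirm the Chromium runtime closure listed under "Why these packages" is actually installed. This is an added example, not part of the merge request or the project's Containerfile; the package list is copied from the description above, and the function names `missing_pkgs` and `check_image` and the `--check` argument are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not the project's own smoke test).
# Package names copied from the MR description's Chromium runtime closure.
REQUIRED_PKGS="nss nspr atk at-spi2-atk cups-libs
libdrm mesa-libgbm libxkbcommon alsa-lib
pango cairo
libXcomposite libXdamage libXfixes libXrandr libXScrnSaver libXtst libxshmfence"

# missing_pkgs: reads installed package names (one per line) on stdin and
# prints every required package that is absent, in list order.
# Returns 0 when nothing is missing, 1 otherwise.
missing_pkgs() {
  installed=$(cat)
  rc=0
  for pkg in $REQUIRED_PKGS; do
    # -F literal, -x whole-line match: "nss-util" must not satisfy "nss".
    if ! printf '%s\n' "$installed" | grep -Fxq -- "$pkg"; then
      printf '%s\n' "$pkg"
      rc=1
    fi
  done
  return $rc
}

# check_image: run inside the container. Fails if any library package is
# missing or if node/npm are not on PATH.
check_image() {
  rpm -qa --qf '%{NAME}\n' | missing_pkgs || return 1
  command -v node >/dev/null && command -v npm >/dev/null
}

# Only touch rpm when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--check" ]; then
  check_image
  exit $?
fi
```

Run with `--check` as a job step before `npx playwright install chromium`; a non-zero exit prints the packages the image is missing.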
