From afc14c614a029961ad5a12b29072145f6e2c33cf Mon Sep 17 00:00:00 2001
From: sjmiller609 <7516283+sjmiller609@users.noreply.github.com>
Date: Mon, 11 May 2026 19:16:23 +0000
Subject: [PATCH 1/4] fix(images): pair chrome + chromedriver via
 chrome-for-testing

Both chromium-headful and chromium-headless previously installed chromium
from the rolling ppa:xtradeb/apps PPA while pinning chromedriver to a
hardcoded version. Once the PPA upgraded chromium past the pinned
chromedriver major, every WebDriver/BiDi e2e test failed with
"ChromeDriver only supports Chrome version N, Current browser version is N+M".

Install both binaries from chrome-for-testing at one shared CHROME_VERSION
so they cannot drift apart, and rename the chrome binary to "chromium" so
the existing pgrep/pkill -x chromium calls in chromium-launcher continue
to match.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 images/chromium-headful/Dockerfile        | 34 +++++++++++++----------
 images/chromium-headless/image/Dockerfile | 23 +++++++--------
 2 files changed, 32 insertions(+), 25 deletions(-)

diff --git a/images/chromium-headful/Dockerfile b/images/chromium-headful/Dockerfile
index 84ecfd9d..37b820fe 100644
--- a/images/chromium-headful/Dockerfile
+++ b/images/chromium-headful/Dockerfile
@@ -279,24 +279,30 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=$CACHEIDPREFIX-ap
     chown $USERNAME /var/log/neko/ /tmp/runtime-$USERNAME; \
     chown -R $USERNAME:$USERNAME /home/$USERNAME;
 
-# install chromium and sqlite3 for debugging the cookies file
+# sqlite3 for debugging the cookies file; runtime libs are chrome-for-testing's listed deb.deps.
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=$CACHEIDPREFIX-apt-cache \
     --mount=type=cache,target=/var/lib/apt,sharing=locked,id=$CACHEIDPREFIX-apt-lib \
-    add-apt-repository -y ppa:xtradeb/apps;
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=$CACHEIDPREFIX-apt-cache \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=$CACHEIDPREFIX-apt-lib \
-    apt update -y && \
-    apt -y install chromium && \
-    apt --no-install-recommends -y install sqlite3;
-
-# Chromedriver and Chromium are not necessarily the same version.
-ARG CHROMEDRIVER_VERSION=146.0.7680.165
+    apt-get update -y && \
+    apt-get --no-install-recommends -y install \
+        sqlite3 \
+        libasound2 libatk-bridge2.0-0 libatk1.0-0 libatspi2.0-0 \
+        libcups2 libdbus-1-3 libdrm2 libgbm1 libglib2.0-0 libgtk-3-0 \
+        libnspr4 libnss3 libpango-1.0-0 libxcomposite1 libxdamage1 \
+        libxext6 libxfixes3 libxkbcommon0;
+
+# Install Chrome + ChromeDriver as a matched pair from chrome-for-testing so they cannot drift apart.
+ARG CHROME_VERSION=148.0.7778.97
 RUN set -eux; \
-    curl -fsSL "https://storage.googleapis.com/chrome-for-testing-public/${CHROMEDRIVER_VERSION}/linux64/chromedriver-linux64.zip" -o /tmp/cd.zip; \
-    unzip /tmp/cd.zip -d /tmp; \
+    curl -fsSL "https://storage.googleapis.com/chrome-for-testing-public/${CHROME_VERSION}/linux64/chrome-linux64.zip" -o /tmp/chrome.zip; \
+    curl -fsSL "https://storage.googleapis.com/chrome-for-testing-public/${CHROME_VERSION}/linux64/chromedriver-linux64.zip" -o /tmp/cd.zip; \
+    unzip -q /tmp/chrome.zip -d /opt; \
+    unzip -q /tmp/cd.zip -d /tmp; \
+    mv /opt/chrome-linux64 /opt/chrome-for-testing; \
+    mv /opt/chrome-for-testing/chrome /opt/chrome-for-testing/chromium; \
+    ln -sf /opt/chrome-for-testing/chromium /usr/bin/chromium; \
     mv /tmp/chromedriver-linux64/chromedriver /usr/local/bin/chromedriver; \
-    chmod +x /usr/local/bin/chromedriver; \
-    rm -rf /tmp/cd.zip /tmp/chromedriver-linux64
+    chmod +x /usr/local/bin/chromedriver /opt/chrome-for-testing/chromium; \
+    rm -rf /tmp/chrome.zip /tmp/cd.zip /tmp/chromedriver-linux64
 
 # Copy Chromium policy configuration
 RUN mkdir -p /etc/chromium/policies/managed
diff --git a/images/chromium-headless/image/Dockerfile b/images/chromium-headless/image/Dockerfile
index aa7d17ea..bef86792 100644
--- a/images/chromium-headless/image/Dockerfile
+++ b/images/chromium-headless/image/Dockerfile
@@ -146,24 +146,25 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=$CACHEIDPREFIX-ap
     supervisor; \
     fc-cache -f
 
-# install chromium and sqlite3 for debugging the cookies file
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=$CACHEIDPREFIX-apt-cache \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=$CACHEIDPREFIX-apt-lib \
-    add-apt-repository -y ppa:xtradeb/apps
+# sqlite3 for debugging the cookies file; unzip for the chrome-for-testing archives below.
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=$CACHEIDPREFIX-apt-cache \
     --mount=type=cache,target=/var/lib/apt,sharing=locked,id=$CACHEIDPREFIX-apt-lib \
     apt-get update -y && \
-    apt-get -y install chromium && \
     apt-get --no-install-recommends -y install sqlite3 unzip;
 
-# Chromedriver and Chromium are not necessarily the same version.
-ARG CHROMEDRIVER_VERSION=146.0.7680.165
+# Install Chrome + ChromeDriver as a matched pair from chrome-for-testing so they cannot drift apart.
+ARG CHROME_VERSION=148.0.7778.97
 RUN set -eux; \
-    curl -fsSL "https://storage.googleapis.com/chrome-for-testing-public/${CHROMEDRIVER_VERSION}/linux64/chromedriver-linux64.zip" -o /tmp/cd.zip; \
-    unzip /tmp/cd.zip -d /tmp; \
+    curl -fsSL "https://storage.googleapis.com/chrome-for-testing-public/${CHROME_VERSION}/linux64/chrome-linux64.zip" -o /tmp/chrome.zip; \
+    curl -fsSL "https://storage.googleapis.com/chrome-for-testing-public/${CHROME_VERSION}/linux64/chromedriver-linux64.zip" -o /tmp/cd.zip; \
+    unzip -q /tmp/chrome.zip -d /opt; \
+    unzip -q /tmp/cd.zip -d /tmp; \
+    mv /opt/chrome-linux64 /opt/chrome-for-testing; \
+    mv /opt/chrome-for-testing/chrome /opt/chrome-for-testing/chromium; \
+    ln -sf /opt/chrome-for-testing/chromium /usr/bin/chromium; \
     mv /tmp/chromedriver-linux64/chromedriver /usr/local/bin/chromedriver; \
-    chmod +x /usr/local/bin/chromedriver; \
-    rm -rf /tmp/cd.zip /tmp/chromedriver-linux64
+    chmod +x /usr/local/bin/chromedriver /opt/chrome-for-testing/chromium; \
+    rm -rf /tmp/chrome.zip /tmp/cd.zip /tmp/chromedriver-linux64
 
 # Copy Chromium policy configuration
 RUN mkdir -p /etc/chromium/policies/managed

From 03245581782564ece2ed0e1253f1cac8f51552af Mon Sep 17 00:00:00 2001
From: sjmiller609 <7516283+sjmiller609@users.noreply.github.com>
Date: Mon, 11 May 2026 19:28:36 +0000
Subject: [PATCH 2/4] fix(images): symlink chrome-for-testing policy dir to
 /etc/chromium

Chrome for Testing reads enterprise policies from
/etc/opt/chrome_for_testing/policies/managed, but kernel-images-api and
the shared policy.json write to /etc/chromium/policies/managed. Without
a bridge, ExtensionInstallForcelist policies never reach the browser and
TestEnterpriseExtensionInstallation fails.

Symlink the chrome-for-testing path to the existing /etc/chromium path
so policies flow through unchanged. No Go-side changes required.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 images/chromium-headful/Dockerfile        | 6 ++++--
 images/chromium-headless/image/Dockerfile | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/images/chromium-headful/Dockerfile b/images/chromium-headful/Dockerfile
index 37b820fe..27c3d359 100644
--- a/images/chromium-headful/Dockerfile
+++ b/images/chromium-headful/Dockerfile
@@ -304,8 +304,10 @@ RUN set -eux; \
     chmod +x /usr/local/bin/chromedriver /opt/chrome-for-testing/chromium; \
     rm -rf /tmp/chrome.zip /tmp/cd.zip /tmp/chromedriver-linux64
 
-# Copy Chromium policy configuration
-RUN mkdir -p /etc/chromium/policies/managed
+# Chrome for Testing reads managed policies from /etc/opt/chrome_for_testing/policies, but
+# the server writes them to /etc/chromium/policies. Symlink so writes flow to the real path.
+RUN mkdir -p /etc/chromium/policies/managed /etc/opt/chrome_for_testing && \
+    ln -sfn /etc/chromium/policies /etc/opt/chrome_for_testing/policies
 COPY shared/chromium-policies/managed/policy.json /etc/chromium/policies/managed/policy.json
 
 # install Node.js 22.x by copying from the node:22-bullseye-slim stage
diff --git a/images/chromium-headless/image/Dockerfile b/images/chromium-headless/image/Dockerfile
index bef86792..6d2c0fc4 100644
--- a/images/chromium-headless/image/Dockerfile
+++ b/images/chromium-headless/image/Dockerfile
@@ -166,8 +166,10 @@ RUN set -eux; \
     chmod +x /usr/local/bin/chromedriver /opt/chrome-for-testing/chromium; \
     rm -rf /tmp/chrome.zip /tmp/cd.zip /tmp/chromedriver-linux64
 
-# Copy Chromium policy configuration
-RUN mkdir -p /etc/chromium/policies/managed
+# Chrome for Testing reads managed policies from /etc/opt/chrome_for_testing/policies, but
+# the server writes them to /etc/chromium/policies. Symlink so writes flow to the real path.
+RUN mkdir -p /etc/chromium/policies/managed /etc/opt/chrome_for_testing && \
+    ln -sfn /etc/chromium/policies /etc/opt/chrome_for_testing/policies
 COPY shared/chromium-policies/managed/policy.json /etc/chromium/policies/managed/policy.json
 
 # Install FFmpeg (latest static build) for the recording server

From a2959e0b0e493663dd54ef366abf4f6abe393e06 Mon Sep 17 00:00:00 2001
From: sjmiller609 <7516283+sjmiller609@users.noreply.github.com>
Date: Mon, 11 May 2026 19:40:46 +0000
Subject: [PATCH 3/4] fix(images): add x11-xserver-utils to headless image

The apt-installed chromium previously pulled in x11-xserver-utils
(which provides the xrandr binary) transitively. Now that chrome comes
from chrome-for-testing, that dep has to be requested explicitly or
PATCH /display and the resolution-aware tests fail with
"failed to get current display resolution".

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 images/chromium-headless/image/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/images/chromium-headless/image/Dockerfile b/images/chromium-headless/image/Dockerfile
index 6d2c0fc4..df622cfc 100644
--- a/images/chromium-headless/image/Dockerfile
+++ b/images/chromium-headless/image/Dockerfile
@@ -136,6 +136,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=$CACHEIDPREFIX-ap
     dbus-x11 \
     xvfb \
     x11-utils \
+    x11-xserver-utils \
     xclip \
     xdotool \
     fontconfig \

From 9e0d2647d1680446bf409d3b0867c7e0502805b6 Mon Sep 17 00:00:00 2001
From: sjmiller609 <7516283+sjmiller609@users.noreply.github.com>
Date: Mon, 11 May 2026 21:01:20 +0000
Subject: [PATCH 4/4] match headful's explicit chrome runtime deps in headless
 image
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add libdbus-1-3, libglib2.0-0, libgtk-3-0, libxext6 — listed in
chrome-for-testing's deb.deps but only present transitively in
the headless image. Mirrors the headful image's explicit set so
neither relies on transitive providers.
---
 images/chromium-headless/image/Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/images/chromium-headless/image/Dockerfile b/images/chromium-headless/image/Dockerfile
index df622cfc..76439f15 100644
--- a/images/chromium-headless/image/Dockerfile
+++ b/images/chromium-headless/image/Dockerfile
@@ -124,7 +124,10 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=$CACHEIDPREFIX-ap
     libxfixes3 \
     libxrandr2 \
     libgbm1 \
-    libnss3; \
+    libdbus-1-3 \
+    libglib2.0-0 \
+    libgtk-3-0 \
+    libxext6; \
     apt-get -yqq --no-install-recommends install \
     ca-certificates \
     curl \