Issues running Decidim under Ubuntu 22.04 + update GitHub actions to `ubuntu-latest`

[ahukkanen]

Describe the bug
Decidim does not currently work perfectly under OpenSSL 3.0. This causes some issues also when running the CI pipelines.

These issues should be fixed for the next release 0.28.

As a remediation to this issue we are locking the pipelines (other than elections) to ubuntu-20.04 at #10142 for the time being.

To Reproduce
Run the actions under ubuntu-latest and see errors related to PDF generation, ImageMagick and the Webpush.

Expected behavior
The pipelines should pass under ubuntu-latest.

Screenshots
N/A

Stacktrace

MiniMagick / ImageMagick:

  1) Decidim::UserGroup validations when the file is a malicious image is expected not to be valid
     Failure/Error: record.errors.add attribute, I18n.t("carrierwave.errors.file_resolution_too_large") if image.dimensions.any? { |dimension| dimension > uploader.max_image_height_or_width }

     MiniMagick::Error:
       `identify -format %m %w %h %b /tmp/mini_magick20221207-3729-zj7zzi[0]` failed with error:
       identify-im6.q16: width or height exceeds limit `/tmp/mini_magick20221207-3729-zj7zzi' @ error/cache.c/OpenPixelCache/3909.
     # ./app/validators/uploader_image_dimensions_validator.rb:31:in `validate_image_size'
     # ./app/validators/uploader_image_dimensions_validator.rb:23:in `block in validate_each'
     # ./app/validators/uploader_image_dimensions_validator.rb:22:in `each'
     # ./app/validators/uploader_image_dimensions_validator.rb:22:in `validate_each'
     # ./spec/models/decidim/user_group_spec.rb:88:in `block (4 levels) in <module:Decidim>'

Webpush:

  2) Executing Decidim Generators tasks rake decidim:generate_vapid_keys when executing task shows the VAPID public and private keys
     Failure/Error: vapid_key = Webpush.generate_key

     OpenSSL::PKey::PKeyError:
       pkeys are immutable on OpenSSL 3.0
     # ./lib/tasks/decidim_pwa_tasks.rake:9:in `block (3 levels) in <top (required)>'
     # ./spec/tasks/decidim_tasks_pwa_spec.rb:9:in `block (4 levels) in <top (required)>'

PDF generation:

  2) Decidim::Conferences::Admin::SendConferenceDiplomaMailer includes the meeting's details in a ics file
     Failure/Error:
       diploma = WickedPdf.new.pdf_from_string(
         render_to_string(pdf: "conference-diploma",
                          template: "decidim/conferences/admin/send_conference_diploma_mailer/diploma_user",
                          layout: "decidim/diploma"),
         orientation: "Landscape"
       )

     RuntimeError:
       Failed to execute:
       ["/home/runner/work/decidim/decidim/vendor/bundle/ruby/3.1.0/gems/wkhtmltopdf-binary-0.12.6.5/bin/wkhtmltopdf", "--orientation", "Landscape", "file:////tmp/wicked_pdf20221208-3941-rhell8.html", "/tmp/wicked_pdf_generated_file20221208-3941-frw438.pdf"]
       Error: PDF could not be generated!
        Command Error: Calling `DidYouMean::SPELL_CHECKERS.merge!(error_name => spell_checker)' has been deprecated. Please call `DidYouMean.correct_error(error_name, spell_checker)' instead.
       /home/runner/work/decidim/decidim/vendor/bundle/ruby/3.1.0/gems/wkhtmltopdf-binary-0.12.6.5/bin/wkhtmltopdf:61:in `<main>': Invalid platform, must be running on Ubuntu 16.04/18.04/20.04 CentOS 6/7/8, Debian 9/10, archlinux amd64, or intel-based Cocoa macOS (missing binary: /home/runner/work/decidim/decidim/vendor/bundle/ruby/3.1.0/gems/wkhtmltopdf-binary-0.12.6.5/bin/wkhtmltopdf_ubuntu_22.04_amd64). (RuntimeError)
     # ./app/mailers/decidim/conferences/admin/send_conference_diploma_mailer.rb:36:in `add_diploma_attachment'
     # ./app/mailers/decidim/conferences/admin/send_conference_diploma_mailer.rb:26:in `block in diploma'
     # /home/runner/work/decidim/decidim/decidim-core/app/mailers/concerns/decidim/localised_mailer.rb:19:in `block in with_user'
     # /home/runner/work/decidim/decidim/decidim-core/app/mailers/concerns/decidim/localised_mailer.rb:18:in `with_user'
     # ./app/mailers/decidim/conferences/admin/send_conference_diploma_mailer.rb:20:in `diploma'
     # <internal:kernel>:90:in `tap'
     # ./spec/mailers/decidim/conferences/admin/send_conference_diploma_mailer_spec.rb:27:in `block (2 levels) in <module:Conferences>'
     # ------------------
     # --- Caused by: ---
     # RuntimeError:
     #   PDF could not be generated!
     #    Command Error: Calling `DidYouMean::SPELL_CHECKERS.merge!(error_name => spell_checker)' has been deprecated. Please call `DidYouMean.correct_error(error_name, spell_checker)' instead.
     #   /home/runner/work/decidim/decidim/vendor/bundle/ruby/3.1.0/gems/wkhtmltopdf-binary-0.12.6.5/bin/wkhtmltopdf:61:in `<main>': Invalid platform, must be running on Ubuntu 16.04/18.04/20.04 CentOS 6/7/8, Debian 9/10, archlinux amd64, or intel-based Cocoa macOS (missing binary: /home/runner/work/decidim/decidim/vendor/bundle/ruby/3.1.0/gems/wkhtmltopdf-binary-0.12.6.5/bin/wkhtmltopdf_ubuntu_22.04_amd64). (RuntimeError)
     #   ./app/mailers/decidim/conferences/admin/send_conference_diploma_mailer.rb:36:in `add_diploma_attachment'

Extra data (please complete the following information):

• Device: (any)
• Device OS: Ubuntu 22.04
• Browser: (any)
• Decidim Version: 0.28
• Decidim installation: N/A

Additional context

• We should switch to the web-push fork of the Webpush gem (see Switch from webpush to web-push gem to support OpenSSL::V3 #10139) - Fixed by Replace webpush with web-push to support OpenSSL V3 #10207
  • Webpush gem is not being maintained anymore (see Looking for a new maintainer? zaru/webpush#107)
  • web-push does not currently support OpenSSL 3.0 (see Add support for OpenSSL 3 zaru/webpush#106)
  • We need to wait for OpenSSL 3.0 support to be shipped to web-push to fix this
• ImageMagic crashes because the provided image is too large, reason needs to be investigated - Fixed by Fix ImageMagick errors when trying to identify image dimensions #10343
  • The problem is that newer versions of ImageMagick restricts the image dimension to 8192px by default (see https://imagemagick.org/script/security-policy.php, If any one image has a width or height that exceeds 8192 pixels or if an image sequence exceeds 32 frames, an exception is thrown and processing stops.)
  • The malicious.jpg in decidim-dev is 64250x64250
  • Possible solutions:
    a) reduce the size of the image sizes at decidim-dev
    b) change the security policy settings for ImageMagic (setting the pattern for width or height to * would disable that policy completely, or we can restrict it to the maximum expected size)
  • Another issue: we also need to rescue from this issue and handle that properly in Decidim (see Switch from webpush to web-push gem to support OpenSSL::V3 #10139)
• wkhtmltopdf needs to be upgraded to 0.12.6.6 or newer (see Add support for Ubuntu 22.04 zakird/wkhtmltopdf_binary_gem#150 and the Changelog) - Fixed by Update locked wkhtmltopdf version #10171